netfilter-devel.vger.kernel.org archive mirror
* [PATCH 0/3] nftables: add feature probes for sctp and multistmt set support
@ 2023-09-21  8:48 Florian Westphal
  2023-09-21  8:48 ` [PATCH 1/3] tests: shell: skip adding catchall elements if unuspported Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Florian Westphal @ 2023-09-21  8:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

On some kernels tests can fail because a required feature is absent.
This can happen depending on kernel .config or because a required
feature was added in a later kernel release.

Patch 1 adds a missing check for catchall to the vmap timeout test so we
no longer try to add '*' keys.

Patch 2 adds a feature probe for multi-statement support in sets.
Add REQUIRES condition to all tests that do involve multistmt.
One of the test cases can be run partially, we only need to skip the
dump validation.

Patch 3 adds feature probing for sctp chunk matching in nft_exthdr
and the needed conditionals to the test.

Florian Westphal (3):
  tests: shell: skip adding catchall elements if unuspported
  tests: shell: add feature probe for sets with more than one element
  tests: shell: add feature probe for sctp chunk matching

 tests/shell/features/sctp_chunks.nft          |  7 +++++
 .../features/set_with_two_expressions.nft     |  9 +++++++
 tests/shell/testcases/maps/vmap_timeout       |  8 ++++--
 .../shell/testcases/nft-f/0025empty_dynset_0  |  8 ++++++
 .../testcases/sets/0059set_update_multistmt_0 |  2 ++
 .../shell/testcases/sets/0060set_multistmt_0  |  2 ++
 .../shell/testcases/sets/0060set_multistmt_1  |  2 ++
 tests/shell/testcases/sets/typeof_sets_0      | 26 ++++++++++++-------
 8 files changed, 52 insertions(+), 12 deletions(-)
 create mode 100644 tests/shell/features/sctp_chunks.nft
 create mode 100644 tests/shell/features/set_with_two_expressions.nft

-- 
2.41.0



* [PATCH 1/3] tests: shell: skip adding catchall elements if unuspported
  2023-09-21  8:48 [PATCH 0/3] nftables: add feature probes for sctp and multistmt set support Florian Westphal
@ 2023-09-21  8:48 ` Florian Westphal
  2023-09-21  8:48 ` [PATCH 2/3] tests: shell: add feature probe for sets with more than one element Florian Westphal
  2023-09-21  8:48 ` [PATCH 3/3] tests: shell: add feature probe for sctp chunk matching Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2023-09-21  8:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

The test fails on kernels without catchall support, so elide this
small part.

No need to skip the test in this case, the dump file validates that
the added elements are no longer there after the timeout.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/shell/testcases/maps/vmap_timeout | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tests/shell/testcases/maps/vmap_timeout b/tests/shell/testcases/maps/vmap_timeout
index 43d031979cb3..0cd965f76d0e 100755
--- a/tests/shell/testcases/maps/vmap_timeout
+++ b/tests/shell/testcases/maps/vmap_timeout
@@ -42,8 +42,12 @@ for i in $(seq 1 100) ; do
 	$NFT add element inet filter portaddrmap "$batched_addr"
 done
 
-$NFT add element inet filter portaddrmap { "* timeout 2s : drop" }
-$NFT add element inet filter portmap { "* timeout 3s : drop" }
+if [ "$NFT_TEST_HAVE_catchall_element" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_catchall_element=n."
+else
+	$NFT add element inet filter portaddrmap { "* timeout 2s : drop" }
+	$NFT add element inet filter portmap { "* timeout 3s : drop" }
+fi
 
 # wait for elements to time out
 sleep 5
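Review bot: The new `= n` branch prints "Partial test" but the script then continues to `sleep 5` with no `exit 77`, unlike the other partial-test paths in this series. The reason (the dump only checks that the elements are gone after the timeout, so it stays valid) is stated only in the commit message. A one-line comment above the `if` saying the dump remains valid without the catchall elements would keep a later reader from adding a skip here.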
-- 
2.41.0



* [PATCH 2/3] tests: shell: add feature probe for sets with more than one element
  2023-09-21  8:48 [PATCH 0/3] nftables: add feature probes for sctp and multistmt set support Florian Westphal
  2023-09-21  8:48 ` [PATCH 1/3] tests: shell: skip adding catchall elements if unuspported Florian Westphal
@ 2023-09-21  8:48 ` Florian Westphal
  2023-09-21  8:48 ` [PATCH 3/3] tests: shell: add feature probe for sctp chunk matching Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2023-09-21  8:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Kernels < 5.11 can handle only one expression per element, e.g.
it's possible to attach a counter per key, or a rate limiter,
or a quota, but not two at the same time.

Add a probe file and skip the relevant tests if the feature is absent.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/shell/features/set_with_two_expressions.nft     | 9 +++++++++
 tests/shell/testcases/nft-f/0025empty_dynset_0        | 8 ++++++++
 tests/shell/testcases/sets/0059set_update_multistmt_0 | 2 ++
 tests/shell/testcases/sets/0060set_multistmt_0        | 2 ++
 tests/shell/testcases/sets/0060set_multistmt_1        | 2 ++
 5 files changed, 23 insertions(+)
 create mode 100644 tests/shell/features/set_with_two_expressions.nft

diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft
new file mode 100644
index 000000000000..97632a7af6d3
--- /dev/null
+++ b/tests/shell/features/set_with_two_expressions.nft
@@ -0,0 +1,9 @@
+# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions")
+# v5.11-rc1~169^2~25^2
+table x {
+        set y {
+                type ipv4_addr
+                size 65535
+                counter quota 500 bytes
+        }
+}
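Review bot: The subject line does not match what this probe tests: the set carries two stateful statements (`counter quota 500 bytes`) and the file is named set_with_two_expressions, while the subject says "sets with more than one element". Suggest rewording the subject to "more than one expression per element" so it agrees with the probe and with the commit text.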
diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0
index b66c802f8536..fbdb57931ed0 100755
--- a/tests/shell/testcases/nft-f/0025empty_dynset_0
+++ b/tests/shell/testcases/nft-f/0025empty_dynset_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 RULESET="table ip foo {
 	        set inflows {
                 type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
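Review bot: The `set -e` added at the top is not mentioned in the commit message, yet the rest of the patch depends on it. With the skip check appended after `$NFT -f - <<< "$RULESET"`, the script's exit status no longer comes from the nft call, so without `set -e` a failed ruleset load would fall through to the check and end up reported as a skip (77) or as a pass. A short comment next to `set -e`, or a sentence in the commit message, saying why it is needed would help.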
@@ -20,3 +22,9 @@ RULESET="table ip foo {
 }"
 
 $NFT -f - <<< "$RULESET"
+
+# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels.
+if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then
+	echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n."
+	exit 77
+fi
diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
index 107bfb870932..2aeba2c5d227 100755
--- a/tests/shell/testcases/sets/0059set_update_multistmt_0
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
 	set y {
 		type ipv4_addr
diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
index 6bd147c3540c..8e17444e9ec5 100755
--- a/tests/shell/testcases/sets/0060set_multistmt_0
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
 	set y {
 		type ipv4_addr
diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
index 1652668a2fec..04ef047caa52 100755
--- a/tests/shell/testcases/sets/0060set_multistmt_1
+++ b/tests/shell/testcases/sets/0060set_multistmt_1
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
 	set y {
 		type ipv4_addr
-- 
2.41.0



* [PATCH 3/3] tests: shell: add feature probe for sctp chunk matching
  2023-09-21  8:48 [PATCH 0/3] nftables: add feature probes for sctp and multistmt set support Florian Westphal
  2023-09-21  8:48 ` [PATCH 1/3] tests: shell: skip adding catchall elements if unuspported Florian Westphal
  2023-09-21  8:48 ` [PATCH 2/3] tests: shell: add feature probe for sets with more than one element Florian Westphal
@ 2023-09-21  8:48 ` Florian Westphal
  2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2023-09-21  8:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Skip the relevant parts of the test if nft_exthdr lacks sctp support.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tests/shell/features/sctp_chunks.nft     |  7 +++++++
 tests/shell/testcases/sets/typeof_sets_0 | 26 +++++++++++++++---------
 2 files changed, 23 insertions(+), 10 deletions(-)
 create mode 100644 tests/shell/features/sctp_chunks.nft

diff --git a/tests/shell/features/sctp_chunks.nft b/tests/shell/features/sctp_chunks.nft
new file mode 100644
index 000000000000..520afd64bd2e
--- /dev/null
+++ b/tests/shell/features/sctp_chunks.nft
@@ -0,0 +1,7 @@
+# 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
+# v5.14-rc1~119^2~373^2~15
+table ip t {
+	chain c {
+		sctp chunk init 0
+	}
+}
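Review bot: The probe rule `sctp chunk init 0` is written in a different form from the expression the test actually uses, `sctp chunk init num-inbound-streams @s7`. A probe that fails for any reason other than missing kernel support turns the sctp part of the test into a silent skip, so it is worth confirming this exact line loads on a kernel that has the feature, or using the same chunk field as the test (for example `sctp chunk init num-inbound-streams 1`).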
diff --git a/tests/shell/testcases/sets/typeof_sets_0 b/tests/shell/testcases/sets/typeof_sets_0
index c1c0f51f399c..35c572c1e537 100755
--- a/tests/shell/testcases/sets/typeof_sets_0
+++ b/tests/shell/testcases/sets/typeof_sets_0
@@ -23,6 +23,16 @@ INPUT_OSF_CHAIN="
 	}
 "
 
+INPUT_SCTP_CHAIN="
+	chain c7 {
+		sctp chunk init num-inbound-streams @s7 accept
+	}
+"
+
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+	INPUT_SCTP_CHAIN=
+fi
+
 if [ "$NFT_TEST_HAVE_osf" = n ] ; then
 	if [ "$((RANDOM % 2))" -eq 1 ] ; then
 		# Regardless of $NFT_TEST_HAVE_osf, we can define the set.
@@ -98,11 +108,7 @@ $INPUT_OSF_CHAIN
 	chain c6 {
 		tcp option maxseg size @s6 accept
 	}
-
-	chain c7 {
-		sctp chunk init num-inbound-streams @s7 accept
-	}
-
+$INPUT_SCTP_CHAIN
 	chain c8 {
 		ip version @s8 accept
 	}
@@ -187,11 +193,7 @@ $INPUT_OSF_CHAIN
 	chain c6 {
 		tcp option maxseg size @s6 accept
 	}
-
-	chain c7 {
-		sctp chunk init num-inbound-streams @s7 accept
-	}
-
+$INPUT_SCTP_CHAIN
 	chain c8 {
 		ip version @s8 accept
 	}
@@ -218,3 +220,7 @@ if [ "$NFT_TEST_HAVE_osf" = n ] ; then
 	echo "Partial test due to NFT_TEST_HAVE_osf=n. Skip"
 	exit 77
 fi
+if [ "$NFT_TEST_HAVE_sctp_chunks" = n ] ; then
+	echo "Partial test due to NFT_TEST_HAVE_sctp_chunks=n. Skip"
+	exit 77
+fi
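Review bot: The new block sits after the existing `NFT_TEST_HAVE_osf` check, which already ends in `exit 77`, so when both features are missing only the osf reason is printed and the sctp reason never reaches the log. Consider printing every missing feature first and then doing a single `exit 77`, so the skip message lists all the reasons the dump was not validated.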
-- 
2.41.0

