[PATCH nft 1/8] tests: shell: connlimit tests requires set expression support

[PATCH nft 1/8] tests: shell: connlimit tests requires set expression support

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/testcases/sets/0062set_connlimit_0 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/shell/testcases/sets/0062set_connlimit_0 b/tests/shell/testcases/sets/0062set_connlimit_0
index dab1da061795..48aa6fce5c31 100755
--- a/tests/shell/testcases/sets/0062set_connlimit_0
+++ b/tests/shell/testcases/sets/0062set_connlimit_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_expr)
+
 set -e
 
 RULESET="table ip x {
-- 
2.30.2

[PATCH nft 2/8] tests: shell: skip stateful object updates if unsupported

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 .../shell/features/stateful_object_update.sh  | 21 +++++++++++++++++++
 .../optionals/update_object_handles_0         |  2 ++
 2 files changed, 23 insertions(+)
 create mode 100755 tests/shell/features/stateful_object_update.sh

diff --git a/tests/shell/features/stateful_object_update.sh b/tests/shell/features/stateful_object_update.sh
new file mode 100755
index 000000000000..62fbf7e38563
--- /dev/null
+++ b/tests/shell/features/stateful_object_update.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# d62d0ba97b58 ("netfilter: nf_tables: Introduce stateful object update operation")
+# v5.4-rc1~131^2~59^2~2
+
+set -e
+$NFT add table test-ip
+$NFT add quota test-ip traffic-quota 25 mbytes
+$NFT add quota test-ip traffic-quota 50 mbytes
+
+EXPECTED="table ip test-ip {
+	quota traffic-quota {
+		50 mbytes
+	}
+}"
+
+GET="$($NFT list ruleset)"
+if [ "$EXPECTED" != "$GET" ] ; then
+	diff -u <(echo "$EXPECTED") <(echo "$GET")
+	exit 1
+fi
diff --git a/tests/shell/testcases/optionals/update_object_handles_0 b/tests/shell/testcases/optionals/update_object_handles_0
index 8b12b8c57cd8..ccd96779d9b3 100755
--- a/tests/shell/testcases/optionals/update_object_handles_0
+++ b/tests/shell/testcases/optionals/update_object_handles_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_stateful_object_update)
+
 set -e
 $NFT add table test-ip
 $NFT add counter test-ip traffic-counter
-- 
2.30.2

[PATCH nft 3/8] tests: shell: detach synproxy test

[Pablo Neira Ayuso]

Old kernels do not support synproxy, split existing tests with stateful objects.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 .../shell/testcases/sets/0024named_objects_0  | 15 ----------
 tests/shell/testcases/sets/0024synproxy_0     | 29 +++++++++++++++++++
 .../sets/dumps/0024named_objects_0.nft        | 18 ------------
 .../testcases/sets/dumps/0024synproxy_0.nft   | 23 +++++++++++++++
 4 files changed, 52 insertions(+), 33 deletions(-)
 create mode 100755 tests/shell/testcases/sets/0024synproxy_0
 create mode 100644 tests/shell/testcases/sets/dumps/0024synproxy_0.nft

diff --git a/tests/shell/testcases/sets/0024named_objects_0 b/tests/shell/testcases/sets/0024named_objects_0
index 6d21e3884da9..21200c3cca3c 100755
--- a/tests/shell/testcases/sets/0024named_objects_0
+++ b/tests/shell/testcases/sets/0024named_objects_0
@@ -18,15 +18,6 @@ table inet x {
 	quota user124 {
 		over 2000 bytes
 	}
-	synproxy https-synproxy {
-		mss 1460
-		wscale 7
-		timestamp sack-perm
-	}
-	synproxy other-synproxy {
-		mss 1460
-		wscale 5
-	}
 	set y {
 		type ipv4_addr
 	}
@@ -34,15 +25,9 @@ table inet x {
 		type ipv4_addr : quota
 		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124"}
 	}
-	map test2 {
-		type ipv4_addr : synproxy
-		flags interval
-		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
-	}
 	chain y {
 		type filter hook input priority 0; policy accept;
 		counter name ip saddr map { 192.168.2.2 : "user123", 1.1.1.1 : "user123", 2.2.2.2 : "user123"}
-		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 		quota name ip saddr map @test drop
 	}
 }"
diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0
new file mode 100755
index 000000000000..ccaed0325d44
--- /dev/null
+++ b/tests/shell/testcases/sets/0024synproxy_0
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# * creating valid named objects
+# * referencing them from a valid rule
+
+RULESET="
+table inet x {
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+	chain y {
+		type filter hook input priority 0; policy accept;
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+}"
+
+set -e
+$NFT -f - <<< "$RULESET"
diff --git a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
index 52d1bf64b686..2ffa4f2ff757 100644
--- a/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
+++ b/tests/shell/testcases/sets/dumps/0024named_objects_0.nft
@@ -15,17 +15,6 @@ table inet x {
 		over 2000 bytes
 	}
 
-	synproxy https-synproxy {
-		mss 1460
-		wscale 7
-		timestamp sack-perm
-	}
-
-	synproxy other-synproxy {
-		mss 1460
-		wscale 5
-	}
-
 	set y {
 		type ipv4_addr
 	}
@@ -35,16 +24,9 @@ table inet x {
 		elements = { 192.168.2.2 : "user124", 192.168.2.3 : "user124" }
 	}
 
-	map test2 {
-		type ipv4_addr : synproxy
-		flags interval
-		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
-	}
-
 	chain y {
 		type filter hook input priority filter; policy accept;
 		counter name ip saddr map { 1.1.1.1 : "user123", 2.2.2.2 : "user123", 192.168.2.2 : "user123" }
-		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
 		quota name ip saddr map @test drop
 	}
 }
diff --git a/tests/shell/testcases/sets/dumps/0024synproxy_0.nft b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft
new file mode 100644
index 000000000000..e0ee86db2217
--- /dev/null
+++ b/tests/shell/testcases/sets/dumps/0024synproxy_0.nft
@@ -0,0 +1,23 @@
+table inet x {
+	synproxy https-synproxy {
+		mss 1460
+		wscale 7
+		timestamp sack-perm
+	}
+
+	synproxy other-synproxy {
+		mss 1460
+		wscale 5
+	}
+
+	map test2 {
+		type ipv4_addr : synproxy
+		flags interval
+		elements = { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+
+	chain y {
+		type filter hook input priority filter; policy accept;
+		synproxy name ip saddr map { 192.168.1.0/24 : "https-synproxy", 192.168.2.0/24 : "other-synproxy" }
+	}
+}
-- 
2.30.2

[PATCH nft 4/8] tests: shell: skip synproxy test if kernel does not support it

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/features/synproxy.nft         | 9 +++++++++
 tests/shell/testcases/sets/0024synproxy_0 | 2 ++
 2 files changed, 11 insertions(+)
 create mode 100644 tests/shell/features/synproxy.nft

diff --git a/tests/shell/features/synproxy.nft b/tests/shell/features/synproxy.nft
new file mode 100644
index 000000000000..bea4f9205b3d
--- /dev/null
+++ b/tests/shell/features/synproxy.nft
@@ -0,0 +1,9 @@
+# v5.3-rc1~140^2~44^2~10
+# ad49d86e07a4 ("netfilter: nf_tables: Add synproxy support")
+table inet x {
+       synproxy https-synproxy {
+               mss 1460
+               wscale 7
+               timestamp sack-perm
+       }
+}
diff --git a/tests/shell/testcases/sets/0024synproxy_0 b/tests/shell/testcases/sets/0024synproxy_0
index ccaed0325d44..0c7da5729b0d 100755
--- a/tests/shell/testcases/sets/0024synproxy_0
+++ b/tests/shell/testcases/sets/0024synproxy_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_synproxy)
+
 # * creating valid named objects
 # * referencing them from a valid rule
 
-- 
2.30.2

[PATCH nft 5/8] tests: shell: skip nat inet if kernel does not support it

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/features/inet_nat.nft           | 7 +++++++
 tests/shell/testcases/maps/0010concat_map_0 | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 tests/shell/features/inet_nat.nft

diff --git a/tests/shell/features/inet_nat.nft b/tests/shell/features/inet_nat.nft
new file mode 100644
index 000000000000..189ea1d0e280
--- /dev/null
+++ b/tests/shell/features/inet_nat.nft
@@ -0,0 +1,7 @@
+# v5.2-rc1~133^2~174^2~15
+# d164385ec572 ("netfilter: nat: add inet family nat support")
+table inet x {
+        chain y {
+                type nat hook prerouting priority dstnat;
+	}
+}
diff --git a/tests/shell/testcases/maps/0010concat_map_0 b/tests/shell/testcases/maps/0010concat_map_0
index 4848d97212fd..859bbfcf69e4 100755
--- a/tests/shell/testcases/maps/0010concat_map_0
+++ b/tests/shell/testcases/maps/0010concat_map_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat)
+
 set -e
 
 EXPECTED="table inet x {
-- 
2.30.2

[PATCH nft 6/8] tests: shell: split nat inet tests

[Pablo Neira Ayuso]

Detach nat inet from existing tests not to reduce test coverage.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 .../optimizations/dumps/merge_nat.nft         | 11 ----------
 .../optimizations/dumps/merge_nat_inet.nft    | 11 ++++++++++
 tests/shell/testcases/optimizations/merge_nat | 16 --------------
 .../testcases/optimizations/merge_nat_inet    | 21 +++++++++++++++++++
 4 files changed, 32 insertions(+), 27 deletions(-)
 create mode 100644 tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft
 create mode 100755 tests/shell/testcases/optimizations/merge_nat_inet

diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat.nft b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
index 61feb278d5e6..f6c119eca810 100644
--- a/tests/shell/testcases/optimizations/dumps/merge_nat.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat.nft
@@ -19,14 +19,3 @@ table ip test4 {
 		tcp dport 85 redirect
 	}
 }
-table inet nat {
-	chain prerouting {
-		oif "lo" accept
-		dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
-	}
-
-	chain postrouting {
-		oif "lo" accept
-		snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
-	}
-}
diff --git a/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft
new file mode 100644
index 000000000000..a1a1135482b9
--- /dev/null
+++ b/tests/shell/testcases/optimizations/dumps/merge_nat_inet.nft
@@ -0,0 +1,11 @@
+table inet nat {
+	chain prerouting {
+		oif "lo" accept
+		dnat ip to iifname . ip daddr . tcp dport map { "enp2s0" . 72.2.3.70 . 80 : 10.1.1.52 . 80, "enp2s0" . 72.2.3.66 . 53122 : 10.1.1.10 . 22, "enp2s0" . 72.2.3.66 . 443 : 10.1.1.52 . 443 }
+	}
+
+	chain postrouting {
+		oif "lo" accept
+		snat ip to ip daddr map { 72.2.3.66 : 10.2.2.2, 72.2.3.67 : 10.2.3.3 }
+	}
+}
diff --git a/tests/shell/testcases/optimizations/merge_nat b/tests/shell/testcases/optimizations/merge_nat
index bfe978701b90..3ffcbd576691 100755
--- a/tests/shell/testcases/optimizations/merge_nat
+++ b/tests/shell/testcases/optimizations/merge_nat
@@ -36,19 +36,3 @@ RULESET="table ip test4 {
 }"
 
 $NFT -o -f - <<< $RULESET
-
-RULESET="table inet nat {
-	chain prerouting {
-		oif lo accept
-		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
-		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
-		iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
-	}
-	chain postrouting {
-		oif lo accept
-		ip daddr 72.2.3.66 snat to 10.2.2.2
-		ip daddr 72.2.3.67 snat to 10.2.3.3
-	}
-}"
-
-$NFT -o -f - <<< $RULESET
diff --git a/tests/shell/testcases/optimizations/merge_nat_inet b/tests/shell/testcases/optimizations/merge_nat_inet
new file mode 100755
index 000000000000..ff1916d3f897
--- /dev/null
+++ b/tests/shell/testcases/optimizations/merge_nat_inet
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_inet_nat)
+
+set -e
+
+RULESET="table inet nat {
+	chain prerouting {
+		oif lo accept
+		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 53122 dnat to 10.1.1.10:22
+		iifname enp2s0 ip daddr 72.2.3.66 tcp dport 443 dnat to 10.1.1.52:443
+		iifname enp2s0 ip daddr 72.2.3.70 tcp dport 80 dnat to 10.1.1.52:80
+	}
+	chain postrouting {
+		oif lo accept
+		ip daddr 72.2.3.66 snat to 10.2.2.2
+		ip daddr 72.2.3.67 snat to 10.2.3.3
+	}
+}"
+
+$NFT -o -f - <<< $RULESET
-- 
2.30.2

[PATCH nft 7/8] tests: shell: skip secmark tests if kernel does not support it

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/features/secmark.nft                | 7 +++++++
 tests/shell/testcases/json/0005secmark_objref_0 | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 tests/shell/features/secmark.nft

diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft
new file mode 100644
index 000000000000..ccbb572f2756
--- /dev/null
+++ b/tests/shell/features/secmark.nft
@@ -0,0 +1,7 @@
+# fb961945457f ("netfilter: nf_tables: add SECMARK support")
+# v4.20-rc1~14^2~125^2~5
+table inet x {
+	secmark ssh_server {
+		"system_u:object_r:ssh_server_packet_t:s0"
+	}
+}
diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0
index 992d1b000d86..5c44f09337be 100755
--- a/tests/shell/testcases/json/0005secmark_objref_0
+++ b/tests/shell/testcases/json/0005secmark_objref_0
@@ -1,6 +1,7 @@
 #!/bin/bash
 
 # NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark)
 
 set -e
 
-- 
2.30.2

[PATCH nft 8/8] tests: shell: skip if kernel does not allow to restore set element expiration

[Pablo Neira Ayuso]

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tests/shell/features/setelem_expiration.sh     | 18 ++++++++++++++++++
 .../sets/0036add_set_element_expiration_0      |  2 ++
 2 files changed, 20 insertions(+)
 create mode 100755 tests/shell/features/setelem_expiration.sh

diff --git a/tests/shell/features/setelem_expiration.sh b/tests/shell/features/setelem_expiration.sh
new file mode 100755
index 000000000000..deb06cfb2f06
--- /dev/null
+++ b/tests/shell/features/setelem_expiration.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# v5.3-rc1~140^2~153^2~8
+# 79ebb5bb4e38 ("netfilter: nf_tables: enable set expiration time for set elements")
+
+EXPECTED="table ip x {
+	set y {
+		type ipv4_addr
+		flags dynamic,timeout;
+		elements = { 1.1.1.1 expires 30s }
+	}
+}"
+
+$NFT -f - <<< $EXPECTED
+
+$NFT list ruleset | grep "expires"
+[ $? -ne 1 ] && exit 1
+exit 0
diff --git a/tests/shell/testcases/sets/0036add_set_element_expiration_0 b/tests/shell/testcases/sets/0036add_set_element_expiration_0
index 0fd016e9f857..d961ffd4cdcd 100755
--- a/tests/shell/testcases/sets/0036add_set_element_expiration_0
+++ b/tests/shell/testcases/sets/0036add_set_element_expiration_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_setelem_expiration)
+
 set -e
 
 drop_seconds() {
-- 
2.30.2