tests/shell: skip map query if kernel lacks support

On recent kernels one can perform a lookup in a map without a destination
register (i.e., treat the map like a set -- pure existence check).

Add a feature probe and work around the missing feature in
typeof_maps_add_delete: do the test with a simplified ruleset,

Indicate skipped even though a reduced test was run (earlier errors
cause a failure) to not trigger dump validation error.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Thomas Haller <thaller@redhat.com>

diff --git a/tests/shell/features/map_lookup.nft b/tests/shell/features/map_lookup.nft
new file mode 100644 (file)
index 0000000..06c4c9d
--- /dev/null
+++ b/tests/shell/features/map_lookup.nft
@@ -0,0 +1,11 @@
+# a4878eeae390 ("netfilter: nf_tables: relax set/map validation checks")
+# v6.5-rc1~163^2~256^2~8
+table ip t {
+        map m {
+                typeof ip daddr : meta mark
+        }
+
+        chain c {
+                ip saddr @m
+        }
+}

diff --git a/tests/shell/testcases/maps/typeof_maps_add_delete b/tests/shell/testcases/maps/typeof_maps_add_delete
index 341de538e90e50cd51f4005e9a26776724a1d3c6..5e2f8ecc473f8f28d33cf6a90615c3451cdaae43 100755 (executable)
--- a/tests/shell/testcases/maps/typeof_maps_add_delete
+++ b/tests/shell/testcases/maps/typeof_maps_add_delete
@@ -1,6 +1,15 @@
 #!/bin/bash
 
-EXPECTED='table ip dynset {
+CONDMATCH="ip saddr @dynmark"
+NCONDMATCH="ip saddr != @dynmark"
+
+# use reduced feature set
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+       CONDMATCH=""
+       NCONDMATCH=""
+fi
+
+EXPECTED="table ip dynset {
        map dynmark {
                typeof ip daddr : meta mark
                counter
@@ -9,20 +18,20 @@ EXPECTED='table ip dynset {
        }
 
        chain test_ping {
-               ip saddr @dynmark counter comment "should not increment"
-               ip saddr != @dynmark add @dynmark { ip saddr : 0x1 } counter
-               ip saddr @dynmark counter comment "should increment"
-               ip saddr @dynmark delete @dynmark { ip saddr : 0x1 }
-               ip saddr @dynmark counter comment "delete should be instant but might fail under memory pressure"
+               $CONDMATCH counter comment \"should not increment\"
+               $NCONDMATCH add @dynmark { ip saddr : 0x1 } counter
+               $CONDMATCH counter comment \"should increment\"
+               $CONDMATCH delete @dynmark { ip saddr : 0x1 }
+               $CONDMATCH counter comment \"delete should be instant but might fail under memory pressure\"
        }
 
        chain input {
                type filter hook input priority 0; policy accept;
 
-               add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment "also check timeout-gc"
+               add @dynmark { 10.2.3.4 timeout 1s : 0x2 } comment \"also check timeout-gc\"
                meta l4proto icmp ip daddr 127.0.0.42 jump test_ping
        }
-}'
+}"
 
 set -e
 $NFT -f - <<< $EXPECTED
@@ -31,5 +40,15 @@ $NFT list ruleset
 ip link set lo up
 ping -c 1 127.0.0.42
 
+$NFT get element ip dynset dynmark { 10.2.3.4 }
+
 # wait so that 10.2.3.4 times out.
 sleep 2
+
+set +e
+$NFT get element ip dynset dynmark { 10.2.3.4 } && exit 1
+
+if [ "$NFT_TEST_HAVE_map_lookup" = n ] ; then
+       echo "Only tested a subset due to NFT_TEST_HAVE_map_lookup=n. Skipped."
+       exit 77
+fi