The test was technically incorrect: Instead of detecting whether
interface hooks are name-based or not, it actually tested whether
netdev-family chains are removed along with their last hook.
Since the latter behaviour is established in kernel commit
fc0133428e7a
("netfilter: nf_tables: Tolerate chains with no remaining hooks") and
thus independent of the name-based hooks change, treating both as the
same kernel feature is not acceptable.
Fix this by detecting whether a netdev-family chain may be added despite
specifying a non-existent interface to hook into. Keep the old check
around with a better name, although unused for now.
Reported-by: Florian Westphal <fw@strlen.de>
Fixes: f27e5abd81f29 ("tests: shell: Adjust to ifname-based hooks")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
--- /dev/null
+#!/bin/bash
+
+# check if netdev chains survive without a single device
+
+unshare -n bash -c "ip link add d0 type dummy; \
+ $NFT \"table netdev t { \
+ chain c { \
+ type filter hook ingress priority 0; devices = { d0 }; \
+ }; \
+ }\"; \
+ ip link del d0; \
+ $NFT list chain netdev t c"
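Review bot: the header comment only says "check if netdev chains survive without a single device"; since this file is kept but unused for now, it should at least record what it actually detects, i.e. the behaviour introduced by kernel commit fc0133428e7a ("netfilter: nf_tables: Tolerate chains with no remaining hooks"), and that exit status 0 from the final `$NFT list chain netdev t c` means the chain outlived `ip link del d0`. Also, the commands inside `bash -c` are joined with `;`, so a failing `ip link add d0 type dummy` (e.g. no dummy module) still runs the `nft` commands and yields a negative result that is indistinguishable from a kernel without the feature; if this check is ever wired back in, consider making that setup failure visible (e.g. print a message to stderr) rather than silently reporting the feature as absent.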
#!/bin/bash
-# check if netdev chains survive without a single device
+# check if adding a netdev-family chain hooking into a non-existent device is
+# accepted or not
-unshare -n bash -c "ip link add d0 type dummy; \
- $NFT \"table netdev t { \
- chain c { \
- type filter hook ingress priority 0; devices = { d0 }; \
- }; \
- }\"; \
- ip link del d0; \
- $NFT list chain netdev t c"
+RULESET="table netdev t {
+ chain c {
+ type filter hook ingress priority 0
+ devices = { foobar123 }
+ }
+}"
+unshare -n $NFT -f - <<< "$RULESET"
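Review bot: the new header comment says the check tests whether a chain hooking a non-existent device is "accepted or not" but does not state which outcome indicates the feature; per the commit message, success of `unshare -n $NFT -f - <<< "$RULESET"` (the add is accepted for `devices = { foobar123 }`) means interface hooks are name-based, so the comment should say that exit status 0 means the feature is present. The here-string is bash-only, which is fine given the `#!/bin/bash` shebang, and no cleanup of chain `c` is needed since it lives in the throw-away netns created by `unshare -n`.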