tests: shell: add feature probe for sets with more than one element

Kernels < 5.11 can handle only one expression per element, e.g.
its possible to attach a counter per key, or a rate limiter,
or a quota, but not two at the same time.

Add a probe file and skip the relevant tests if the feature is absent.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/tests/shell/features/set_with_two_expressions.nft b/tests/shell/features/set_with_two_expressions.nft
new file mode 100644 (file)
index 0000000..97632a7
--- /dev/null
+++ b/tests/shell/features/set_with_two_expressions.nft
@@ -0,0 +1,9 @@
+# 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions")
+# v5.11-rc1~169^2~25^2
+table x {
+        set y {
+                type ipv4_addr
+                size 65535
+                counter quota 500 bytes
+        }
+}

diff --git a/tests/shell/testcases/nft-f/0025empty_dynset_0 b/tests/shell/testcases/nft-f/0025empty_dynset_0
index b66c802f8536963aa808cd3d7963300a7a07632f..fbdb57931ed09f371afa0fa5e40be61c7434afdc 100755 (executable)
--- a/tests/shell/testcases/nft-f/0025empty_dynset_0
+++ b/tests/shell/testcases/nft-f/0025empty_dynset_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 RULESET="table ip foo {
                set inflows {
                 type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
@@ -20,3 +22,9 @@ RULESET="table ip foo {
 }"
 
 $NFT -f - <<< "$RULESET"
+
+# inflows_ratelimit will be dumped without 'limit rate .. counter' on old kernels.
+if [ "$NFT_TEST_HAVE_set_with_two_expressions" = n ]; then
+       echo "Partial test due to NFT_TEST_HAVE_set_with_two_expressions=n."
+       exit 77
+fi

diff --git a/tests/shell/testcases/sets/0059set_update_multistmt_0 b/tests/shell/testcases/sets/0059set_update_multistmt_0
index 107bfb87093223d9dbda0829fb571f9b76d1feab..2aeba2c5d227949ad44783e61845a605c55861d1 100755 (executable)
--- a/tests/shell/testcases/sets/0059set_update_multistmt_0
+++ b/tests/shell/testcases/sets/0059set_update_multistmt_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
        set y {
                type ipv4_addr

diff --git a/tests/shell/testcases/sets/0060set_multistmt_0 b/tests/shell/testcases/sets/0060set_multistmt_0
index 6bd147c3540c9e34b39258f67f1edbf93106072a..8e17444e9ec5a3a3a3973d06d65fb1921b02ff42 100755 (executable)
--- a/tests/shell/testcases/sets/0060set_multistmt_0
+++ b/tests/shell/testcases/sets/0060set_multistmt_0
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
        set y {
                type ipv4_addr

diff --git a/tests/shell/testcases/sets/0060set_multistmt_1 b/tests/shell/testcases/sets/0060set_multistmt_1
index 1652668a2fec560867ae6db4131cf08b3954da1f..04ef047caa52d003ffa7c391cd6b4bb3e9fb742e 100755 (executable)
--- a/tests/shell/testcases/sets/0060set_multistmt_1
+++ b/tests/shell/testcases/sets/0060set_multistmt_1
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+# NFT_TEST_REQUIRES(NFT_TEST_HAVE_set_with_two_expressions)
+
 RULESET="table x {
        set y {
                type ipv4_addr