From: Florian Westphal <fw@strlen.de>
Date: Wed, 15 Apr 2026 20:36:22 +0000 (+0200)
Subject: tests: shell: add test case for on-demand-gc without commit callback
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=inline;p=thirdparty%2Fnftables.git

tests: shell: add test case for on-demand-gc without commit callback

Script based off reproducer from Marko Jevtic:
Check rbtree with expired element that gets reaped during the insertion
itself (ondemand gc).

Signed-off-by: Florian Westphal <fw@strlen.de>
---

diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout_2.json-nft b/tests/shell/testcases/maps/dumps/vmap_timeout_2.json-nft
new file mode 100644
index 00000000..ffb768d3
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_timeout_2.json-nft
@@ -0,0 +1,40 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "VERSION",
+        "release_name": "RELEASE_NAME",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "ip6",
+        "name": "t",
+        "handle": 0
+      }
+    },
+    {
+      "map": {
+        "family": "ip6",
+        "name": "imap",
+        "table": "t",
+        "type": "ipv6_addr",
+        "handle": 0,
+        "map": "verdict",
+        "flags": [
+          "interval",
+          "timeout"
+        ],
+        "elem": [
+          [
+            "2000::dead",
+            {
+              "accept": null
+            }
+          ]
+        ]
+      }
+    }
+  ]
+}
diff --git a/tests/shell/testcases/maps/dumps/vmap_timeout_2.nft b/tests/shell/testcases/maps/dumps/vmap_timeout_2.nft
new file mode 100644
index 00000000..9bfe9d72
--- /dev/null
+++ b/tests/shell/testcases/maps/dumps/vmap_timeout_2.nft
@@ -0,0 +1,7 @@
+table ip6 t {
+	map imap {
+		type ipv6_addr : verdict
+		flags interval,timeout
+		elements = { 2000::dead : accept }
+	}
+}
diff --git a/tests/shell/testcases/maps/vmap_timeout_2 b/tests/shell/testcases/maps/vmap_timeout_2
new file mode 100755
index 00000000..5d49113e
--- /dev/null
+++ b/tests/shell/testcases/maps/vmap_timeout_2
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Check rbtree timeout chain deletion before and after expiry when we do not have a commit phase.
+# Case 1: abort path (--check)
+# Case 2: identical re-insert (no transaction at all)
+
+die() {
+	echo "$@"
+	$NFT list ruleset
+	exit 1
+}
+
+# Create table with chain and interval verdict map
+$NFT -f - <<'EOF'
+table ip6 t {
+    chain c { }
+    map imap { type ipv6_addr : verdict; flags interval, timeout;
+    elements = { 2000::dead : accept }
+    }
+}
+EOF
+[ $? -ne 0 ] && die "initial ruleset"
+
+# Add element referencing chain (2s timeout)
+$NFT add element ip6 t imap '{ 2001:db8::100-2001:db8::1ff timeout 2s : jump c }' || die "add elem"
+
+# Verify chain is in use (MUST fail with "Device or resource busy")
+$NFT delete chain ip6 t c && die "del chain worked"
+
+# Wait for element to expire
+sleep 3
+
+# overlapping insert (triggers inline GC) + no commit
+$NFT --check "add element ip6 t imap { 2001:db8::150-2001:db8::1ff timeout 30s : jump c }" || die "expected to pass"
+
+# Chain can now be deleted.
+$NFT delete chain ip6 t c || die "chain delete failed"
+$NFT add chain ip6 t c || die "chain add failed"
+
+# Add element referencing c chain (2s timeout)
+$NFT add element ip6 t imap '{ 2001:db8::100-2001:db8::1ff timeout 2s : jump c }' || die "re-add elem"
+
+$NFT delete chain ip6 t c && die "del chain worked"
+sleep 3
+
+# identical insert (no transaction will be recorded!)
+$NFT "add element ip6 t imap { 2000::dead : accept }" || die "could not re-add existing elem"
+
+# Chain can now be deleted.
+$NFT delete chain ip6 t c || die "del chain fails"
+
+exit 0