From: Phil Sutter Date: Wed, 25 Jun 2025 16:53:36 +0000 (+0200) Subject: tests: shell: Fix ifname_based_hooks feature check X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=646acfaceb1f550c982c31ba6e60996b0bb012d7;p=thirdparty%2Fnftables.git tests: shell: Fix ifname_based_hooks feature check The test was technically incorrect: Instead of detecting whether interface hooks are name-based or not, it actually tested whether netdev-family chains are removed along with their last hook. Since the latter behaviour is established in kernel commit fc0133428e7a ("netfilter: nf_tables: Tolerate chains with no remaining hooks") and thus independent from the name-based hooks change, treating both as the same kernel feature is not acceptable. Fix this by detecting whether a netdev-family chain may be added despite specifying a non-existent interface to hook into. Keep the old check around with a better name, although unused for now. Reported-by: Florian Westphal Fixes: f27e5abd81f29 ("tests: shell: Adjust to ifname-based hooks") Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal --- diff --git a/tests/shell/features/empty_netdev_chains.sh b/tests/shell/features/empty_netdev_chains.sh new file mode 100755 index 00000000..cada6956 --- /dev/null +++ b/tests/shell/features/empty_netdev_chains.sh @@ -0,0 +1,12 @@ +#!/bin/bash + +# check if netdev chains survive without a single device + +unshare -n bash -c "ip link add d0 type dummy; \ + $NFT \"table netdev t { \ + chain c { \ + type filter hook ingress priority 0; devices = { d0 }; \ + }; \ + }\"; \ + ip link del d0; \ + $NFT list chain netdev t c" diff --git a/tests/shell/features/ifname_based_hooks.sh b/tests/shell/features/ifname_based_hooks.sh index cada6956..1f6af531 100755 --- a/tests/shell/features/ifname_based_hooks.sh +++ b/tests/shell/features/ifname_based_hooks.sh 
@@ -1,12 +1,12 @@ #!/bin/bash -# check if netdev chains survive without a single device +# check if adding a netdev-family chain hooking into a non-existent device is +# accepted or not -unshare -n bash -c "ip link add d0 type dummy; \ - $NFT \"table netdev t { \ - chain c { \ - type filter hook ingress priority 0; devices = { d0 }; \ - }; \ - }\"; \ - ip link del d0; \ - $NFT list chain netdev t c" +RULESET="table netdev t { + chain c { + type filter hook ingress priority 0 + devices = { foobar123 } + } +}" +unshare -n $NFT -f - <<< "$RULESET"
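Review bot: In the new tests/shell/features/empty_netdev_chains.sh, the commands inside `unshare -n bash -c "..."` are joined with `;`, so the script's exit status is only that of the final `$NFT list chain netdev t c`. A failed `ip link add d0 type dummy` is never detected on its own, and the result then depends on whatever the later commands happen to do with a missing `d0`. Consider joining the setup steps with `&&` so a setup failure cannot be read as a feature result. Since the commit message says this check is unused for now, the header comment could also name the kernel commit it detects (fc0133428e7a), so the purpose is clear to whoever wires it up later.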
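Review bot: The new header comment in tests/shell/features/ifname_based_hooks.sh says the check is whether the chain "is accepted or not", but not which outcome marks the feature as present. Suggest stating that a zero exit from `unshare -n $NFT -f -` means name-based hooks are supported, and that the fresh network namespace is what guarantees `foobar123` does not exist. Note also that a failure of `unshare -n` itself produces the same non-zero exit as the ruleset being rejected, so the script cannot tell a missing feature from an environment that cannot create the namespace; a comment acknowledging that would be enough.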