bitmap sets don't support 'counter' flag, so we can only check 'match' vs 'no match', but we can't tell which set element has matched. Static test, counter validation via dumps.
Signed-off-by: Florian Westphal
---
.../dumps/set_match_nomatch_bitmap.json-nft | 113 ++++++++++++++++++
.../dumps/set_match_nomatch_bitmap.nft | 23 ++++
.../packetpath/set_match_nomatch_bitmap | 29 +++++
3 files changed, 165 insertions(+)
create mode 100644 tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.json-nft
create mode 100644 tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.nft
create mode 100755 tests/shell/testcases/packetpath/set_match_nomatch_bitmap
diff --git a/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.json-nft b/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.json-nft
new file mode 100644
index 000000000000..ea470053755d
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.json-nft
@@ -0,0 +1,113 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "match",
+ "table": "test",
+ "handle": 0,
+ "packets": 8,
+ "bytes": 672
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "nomatch",
+ "table": "test",
+ "handle": 0,
+ "packets": 6,
+ "bytes": 504
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "test",
+ "type": {
+ "typeof": {
+ "payload": {
+ "protocol": "ip",
+ "field": "dscp"
+ }
+ }
+ },
+ "handle": 0,
+ "elem": [
+ "lephb",
+ 2,
+ 4,
+ 7
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "dscp"
+ }
+ },
+ "right": "@s"
+ }
+ },
+ {
+ "counter": "match"
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": "nomatch"
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.nft b/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.nft
new file mode 100644
index 000000000000..561686e914e2
--- /dev/null
+++ b/tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.nft
@@ -0,0 +1,23 @@
+table ip test {
+ counter match {
+ packets 8 bytes 672
+ }
+
+ counter nomatch {
+ packets 6 bytes 504
+ }
+
+ set s {
+ typeof ip dscp
+ elements = { lephb,
+ 0x02,
+ 0x04,
+ 0x07 }
+ }
+
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ip dscp @s counter name "match" accept
+ counter name "nomatch"
+ }
+}
diff --git a/tests/shell/testcases/packetpath/set_match_nomatch_bitmap b/tests/shell/testcases/packetpath/set_match_nomatch_bitmap
new file mode 100755
index 000000000000..c26eb45dbd94
--- /dev/null
+++ b/tests/shell/testcases/packetpath/set_match_nomatch_bitmap
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <