1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Oct 2025 21:17:53 +0200
Subject: work around nftables CLI output change in rpfilter tests
Last-Update: 2025-06-30
Applied-upstream: commit:cc1c78b7343dc5f198f76c31c3e6f4934ab0b183
Since nftables commit f4b646032acf ("fib: allow to check if route exists
in maps") the fib match now displays using the "check" keyword.
Normalize older nftables versions to the new output and update all the
tests.
---
src/tests/features/rpfilter.at | 8 ++++----
src/tests/functions.at | 3 +++
src/tests/regression/gh258.at | 2 +-
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index a0771ff..d0b4b22 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -9,7 +9,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
table inet firewalld {
chain filter_PREROUTING {
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
- meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ meta nfproto ipv6 fib saddr . mark . iif check missing drop
}
}
])
@@ -35,7 +35,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
table inet firewalld {
chain filter_PREROUTING {
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
- meta nfproto ipv6 fib saddr . mark oif missing drop
+ meta nfproto ipv6 fib saddr . mark check missing drop
}
}
])
@@ -65,7 +65,7 @@ FWD_RELOAD()
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
- meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ meta nfproto ipv6 fib saddr . mark . iif check missing drop
ct state established,related accept
ct status dnat accept
iifname "lo" accept
@@ -101,7 +101,7 @@ FWD_RELOAD()
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
- meta nfproto ipv6 fib saddr . mark oif missing drop
+ meta nfproto ipv6 fib saddr . mark check missing drop
ct state established,related accept
ct status dnat accept
iifname "lo" accept
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3f487f5..07d8482 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -478,6 +478,9 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
dnl newer nft replace ICMP reject aliases with code values
dnl nftables commit 5fecd2a6ef61 ("src: disentangle ICMP code types")
-e ['s/\(icmp\|icmpv6\|icmpx\) code no-route/\1 code 0/g'] dnl
+ dnl nftables commit f4b646032acf ("fib: allow to check if route exists in maps")
+ dnl changed the fib output. Now uses "check" keyword.
+ -e ['s/oif missing/check missing/g'] dnl
])
m4_define([NFT_LIST_RULES_ALWAYS], [
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index 72e352a..a6ee2cd 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -114,7 +114,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
table inet firewalld {
chain filter_PREROUTING {
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
- meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ meta nfproto ipv6 fib saddr . mark . iif check missing drop
}
}
])
|
