From: Phil Sutter Date: Wed, 3 Nov 2021 18:53:43 +0000 (+0100) Subject: selftests: nft_nat: Simplify port shadow notrack test X-Git-Tag: howlett/maple/20220722_2~1734^2~56^2~6 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=85c0c8b342e89761554eed3f572ee55c0e5c6536;p=users%2Fjedix%2Flinux-maple.git selftests: nft_nat: Simplify port shadow notrack test The second rule in prerouting chain was probably a leftover: The router listens on veth0, so not tracking connections via that interface is sufficient. Likewise, the rule in output chain can be limited to that interface as well. Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso --- diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh index 905c033db74d..c62e4e26252c 100755 --- a/tools/testing/selftests/netfilter/nft_nat.sh +++ b/tools/testing/selftests/netfilter/nft_nat.sh @@ -818,11 +818,10 @@ table $family raw { chain prerouting { type filter hook prerouting priority -300; policy accept; meta iif veth0 udp dport 1405 notrack - udp dport 1405 notrack } chain output { type filter hook output priority -300; policy accept; - udp sport 1405 notrack + meta oif veth0 udp sport 1405 notrack } } EOF
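Review bot: In the output chain, the new `meta oif veth0 udp sport 1405 notrack` rule, like the retained `meta iif veth0 udp dport 1405 notrack` rule in prerouting, matches on the interface index, which nft resolves when the ruleset is loaded. The table therefore only loads if veth0 already exists in the namespace where this heredoc is applied, and the rules stop matching if the interface is later deleted and recreated. The visible context does not show the setup order, so please confirm veth0 is created before this ruleset is loaded, or use `oifname`/`iifname`, which compare the name at packet time. Separately, the reason the unrestricted `udp dport 1405 notrack` rule is safe to drop (the router listens on veth0) is only stated in the commit message; a short comment above the raw table in the script would keep that reasoning next to the test, since anyone adding a second router-side interface later would need to know that port 1405 traffic on it is now tracked.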