new file mode 100644
@@ -0,0 +1,113 @@
+{
+ "nftables": [
+ {
+ "metainfo": {
+ "version": "VERSION",
+ "release_name": "RELEASE_NAME",
+ "json_schema_version": 1
+ }
+ },
+ {
+ "table": {
+ "family": "ip",
+ "name": "test",
+ "handle": 0
+ }
+ },
+ {
+ "chain": {
+ "family": "ip",
+ "table": "test",
+ "name": "c",
+ "handle": 0,
+ "type": "filter",
+ "hook": "output",
+ "prio": 0,
+ "policy": "accept"
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "match",
+ "table": "test",
+ "handle": 0,
+ "packets": 8,
+ "bytes": 672
+ }
+ },
+ {
+ "counter": {
+ "family": "ip",
+ "name": "nomatch",
+ "table": "test",
+ "handle": 0,
+ "packets": 6,
+ "bytes": 504
+ }
+ },
+ {
+ "set": {
+ "family": "ip",
+ "name": "s",
+ "table": "test",
+ "type": {
+ "typeof": {
+ "payload": {
+ "protocol": "ip",
+ "field": "dscp"
+ }
+ }
+ },
+ "handle": 0,
+ "elem": [
+ "lephb",
+ 2,
+ 4,
+ 7
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "dscp"
+ }
+ },
+ "right": "@s"
+ }
+ },
+ {
+ "counter": "match"
+ },
+ {
+ "accept": null
+ }
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "test",
+ "chain": "c",
+ "handle": 0,
+ "expr": [
+ {
+ "counter": "nomatch"
+ }
+ ]
+ }
+ }
+ ]
+}
new file mode 100644
@@ -0,0 +1,23 @@
+table ip test {
+ counter match {
+ packets 8 bytes 672
+ }
+
+ counter nomatch {
+ packets 6 bytes 504
+ }
+
+ set s {
+ typeof ip dscp
+ elements = { lephb,
+ 0x02,
+ 0x04,
+ 0x07 }
+ }
+
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ip dscp @s counter name "match" accept
+ counter name "nomatch"
+ }
+}
new file mode 100755
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+set -e
+
+$NFT -f - <<EOF
+table ip test {
+ counter match { }
+ counter nomatch { }
+ set s {
+ typeof ip dscp
+ }
+
+ chain c {
+ type filter hook output priority filter; policy accept;
+ ip dscp @s counter name match accept
+ counter name nomatch
+ }
+}
+EOF
+
+ip link set lo up
+
+$NFT add element ip test s { 0x1, 0x2, 0x4, 0x7 }
+
+for q in $(seq 1 7);do
+ ping -q -c 1 127.0.0.1 -Q 0x$q
+done
+
+# dump validation checks counters as well.
bitmap sets don't support 'counter' flag, so we can only check 'match' vs 'no match', but we can't tell which set element has matched. Static test, counter validation via dumps. Signed-off-by: Florian Westphal <fw@strlen.de> --- .../dumps/set_match_nomatch_bitmap.json-nft | 113 ++++++++++++++++++ .../dumps/set_match_nomatch_bitmap.nft | 23 ++++ .../packetpath/set_match_nomatch_bitmap | 29 +++++ 3 files changed, 165 insertions(+) create mode 100644 tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.json-nft create mode 100644 tests/shell/testcases/packetpath/dumps/set_match_nomatch_bitmap.nft create mode 100755 tests/shell/testcases/packetpath/set_match_nomatch_bitmap