Commit 3acf8f6c authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

selftests: nft_flowtable.sh: check ingress/egress chain too



Make sure flowtable interacts correctly with ingress and egress
chains, i.e. those get handled before and after flow table respectively.

Adds three more tests:
1. repeat flowtable test, but with 'ip dscp set cs3' done in
   inet forward chain.

Expect that some packets have been mangled (before flowtable offload
became effective) while some pass without mangling (after offload
succeeds).

2. repeat flowtable test, but with 'ip dscp set cs3' done in
   veth0:ingress.

Expect that all packets pass with cs3 dscp field.

3. same as 2, but use veth1:egress.  Expect the same outcome.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 90ab5122
+124 −0
@@ -188,6 +188,26 @@ if [ $? -ne 0 ]; then
	exit $ksft_skip
fi

ip netns exec $ns2 nft -f - <<EOF
table inet filter {
   counter ip4dscp0 { }
   counter ip4dscp3 { }

   chain input {
      type filter hook input priority 0; policy accept;
      meta l4proto tcp goto {
	      ip dscp cs3 counter name ip4dscp3 accept
	      ip dscp 0 counter name ip4dscp0 accept
      }
   }
}
EOF

if [ $? -ne 0 ]; then
	echo "SKIP: Could not load nft ruleset"
	exit $ksft_skip
fi

# test basic connectivity
if ! ip netns exec $ns1 ping -c 1 -q 10.0.2.99 > /dev/null; then
  echo "ERROR: $ns1 cannot reach ns2" 1>&2
@@ -255,6 +275,60 @@ check_counters()
	fi
}

check_dscp()
{
	local what=$1
	local ok=1

	local counter=$(ip netns exec $ns2 nft reset counter inet filter ip4dscp3 | grep packets)

	local pc4=${counter%*bytes*}
	local pc4=${pc4#*packets}

	local counter=$(ip netns exec $ns2 nft reset counter inet filter ip4dscp0 | grep packets)
	local pc4z=${counter%*bytes*}
	local pc4z=${pc4z#*packets}

	case "$what" in
	"dscp_none")
		if [ $pc4 -gt 0 ] || [ $pc4z -eq 0 ]; then
			echo "FAIL: dscp counters do not match, expected dscp3 == 0, dscp0 > 0, but got $pc4,$pc4z" 1>&2
			ret=1
			ok=0
		fi
		;;
	"dscp_fwd")
		if [ $pc4 -eq 0 ] || [ $pc4z -eq 0 ]; then
			echo "FAIL: dscp counters do not match, expected dscp3 and dscp0 > 0 but got $pc4,$pc4z" 1>&2
			ret=1
			ok=0
		fi
		;;
	"dscp_ingress")
		if [ $pc4 -eq 0 ] || [ $pc4z -gt 0 ]; then
			echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
			ret=1
			ok=0
		fi
		;;
	"dscp_egress")
		if [ $pc4 -eq 0 ] || [ $pc4z -gt 0 ]; then
			echo "FAIL: dscp counters do not match, expected dscp3 > 0, dscp0 == 0 but got $pc4,$pc4z" 1>&2
			ret=1
			ok=0
		fi
		;;
	*)
		echo "FAIL: Unknown DSCP check" 1>&2
		ret=1
		ok=0
	esac

	if [ $ok -eq 1 ] ;then
		echo "PASS: $what: dscp packet counters match"
	fi
}

check_transfer()
{
	in=$1
@@ -325,6 +399,51 @@ test_tcp_forwarding()
	return $?
}

test_tcp_forwarding_set_dscp()
{
	check_dscp "dscp_none"

ip netns exec $nsr1 nft -f - <<EOF
table netdev dscpmangle {
   chain setdscp0 {
      type filter hook ingress device "veth0" priority 0; policy accept
	ip dscp set cs3
  }
}
EOF
if [ $? -eq 0 ]; then
	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
	check_dscp "dscp_ingress"

	ip netns exec $nsr1 nft delete table netdev dscpmangle
else
	echo "SKIP: Could not load netdev:ingress for veth0"
fi

ip netns exec $nsr1 nft -f - <<EOF
table netdev dscpmangle {
   chain setdscp0 {
      type filter hook egress device "veth1" priority 0; policy accept
      ip dscp set cs3
  }
}
EOF
if [ $? -eq 0 ]; then
	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
	check_dscp "dscp_egress"

	ip netns exec $nsr1 nft flush table netdev dscpmangle
else
	echo "SKIP: Could not load netdev:egress for veth1"
fi

	# partial.  If flowtable really works, then both dscp-is-0 and dscp-is-cs3
	# counters should have seen packets (before and after ft offload kicks in).
	ip netns exec $nsr1 nft -a insert rule inet filter forward ip dscp set cs3
	test_tcp_forwarding_ip "$1" "$2"  10.0.2.99 12345
	check_dscp "dscp_fwd"
}

test_tcp_forwarding_nat()
{
	local lret
@@ -394,6 +513,11 @@ table ip nat {
}
EOF

if ! test_tcp_forwarding_set_dscp $ns1 $ns2 0 ""; then
	echo "FAIL: flow offload for ns1/ns2 with dscp update" 1>&2
	exit 0
fi

if ! test_tcp_forwarding_nat $ns1 $ns2 0 ""; then
	echo "FAIL: flow offload for ns1/ns2 with NAT" 1>&2
	ip netns exec $nsr1 nft list ruleset
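Review bot: The `if ! test_tcp_forwarding_set_dscp $ns1 $ns2 0 ""` guard added in the last hunk can never take its FAIL branch, because the function's status is that of its final command, `check_dscp "dscp_fwd"`, and that function ends in an `if [ $ok -eq 1 ]` statement which yields status 0 whether or not the counters matched — a mismatch is only recorded in the global `ret`. Ending `check_dscp` with `[ $ok -eq 1 ]` (or `return $((1 - ok))`) and having `test_tcp_forwarding_set_dscp` return the status of its last check would make the caller's test meaningful; `test_tcp_forwarding_ip` is defined outside the hunk and whether `exit 0` after a FAIL is intended I cannot tell from here. In `check_dscp` the `local counter=$(...)` form also hides a failing `nft reset counter`, leaving `$pc4`/`$pc4z` empty so the `[ $pc4 -gt 0 ]` tests emit shell errors instead of a clean verdict; a guard such as `[ -n "$pc4" ] && [ -n "$pc4z" ] || { echo "SKIP: cannot read dscp counters" 1>&2; return; }` before the `case` would make that explicit. Two smaller points in `test_tcp_forwarding_set_dscp`: the ingress branch deletes `netdev dscpmangle` while the egress branch only flushes it, leaving an empty egress hook on veth1 registered for the rest of the run, and the `ip dscp set cs3` forward rule inserted before the `dscp_fwd` check is never removed, so the NAT test that follows runs with forward-chain DSCP mangling still in place — worth a comment if that is deliberate.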