test(rpfilter): workaround nftables CLI output change

erig0 · erig0 · commit cc1c78b7343d · 2025-07-01T08:28:09.000-04:00
Since nftables commit f4b646032acf ("fib: allow to check if route exists
in maps") the fib match now displays using the "check" keyword.
Normalize older nftables versions to the new output and update all the
tests.
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
@@ -9,7 +9,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
     table inet firewalld {
         chain filter_PREROUTING {
             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+            meta nfproto ipv6 fib saddr . mark . iif check missing drop
         }
     }
 ])
@@ -35,7 +35,7 @@ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
     table inet firewalld {
         chain filter_PREROUTING {
             icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
-            meta nfproto ipv6 fib saddr . mark oif missing drop
+            meta nfproto ipv6 fib saddr . mark check missing drop
         }
     }
 ])
@@ -65,7 +65,7 @@ FWD_RELOAD()
 NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
     table inet firewalld {
         chain filter_FORWARD {
-            meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+            meta nfproto ipv6 fib saddr . mark . iif check missing drop
             ct state established,related accept
             ct status dnat accept
             iifname "lo" accept
@@ -101,7 +101,7 @@ FWD_RELOAD()
 NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
     table inet firewalld {
         chain filter_FORWARD {
-            meta nfproto ipv6 fib saddr . mark oif missing drop
+            meta nfproto ipv6 fib saddr . mark check missing drop
             ct state established,related accept
             ct status dnat accept
             iifname "lo" accept
diff --git a/src/tests/functions.at b/src/tests/functions.at
@@ -478,6 +478,9 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
         dnl newer nft replace ICMP reject aliases with code values
         dnl nftables commit 5fecd2a6ef61 ("src: disentangle ICMP code types")
         -e ['s/\(icmp\|icmpv6\|icmpx\) code no-route/\1 code 0/g'] dnl
+        dnl nftables commit f4b646032acf ("fib: allow to check if route exists in maps")
+        dnl changed the fib output. Now uses "check" keyword.
+        -e ['s/oif missing/check missing/g'] dnl
 ])
 
 m4_define([NFT_LIST_RULES_ALWAYS], [
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
@@ -114,7 +114,7 @@ IF_HOST_SUPPORTS_NFT_FIB([
         table inet firewalld {
             chain filter_PREROUTING {
                 icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
-                meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+                meta nfproto ipv6 fib saddr . mark . iif check missing drop
             }
         }
     ])

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ IF_HOST_SUPPORTS_NFT_FIB([`
`114`	`114`	`table inet firewalld {`
`115`	`115`	`chain filter_PREROUTING {`
`116`	`116`	`icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept`
`117`		`- meta nfproto ipv6 fib saddr . mark . iif oif missing drop`
	`117`	`+ meta nfproto ipv6 fib saddr . mark . iif check missing drop`
`118`	`118`	`}`
`119`	`119`	`}`
`120`	`120`	`])`