selftests: nft_nat: Simplify port shadow notrack test

The second rule in prerouting chain was probably a leftover: The router listens on veth0, so not tracking connections via that interface is sufficient. Likewise, the rule in output chain can be limited to that interface as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-11-03 19:53:43 +01:00 · 2021-11-03 19:53:43 +01:00 · 85c0c8b342
commit 85c0c8b342
parent e1f8bc06e4
1 changed files with 1 additions and 2 deletions
--- a/tools/testing/selftests/netfilter/nft_nat.sh
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@ -818,11 +818,10 @@ table $family raw {
 	chain prerouting {
 		type filter hook prerouting priority -300; policy accept;
 		meta iif veth0 udp dport 1405 notrack
-		udp dport 1405 notrack
 	}
 	chain output {
 		type filter hook output priority -300; policy accept;
-		udp sport 1405 notrack
+		meta oif veth0 udp sport 1405 notrack
 	}
 }
 EOF