selftests: nft_nat: Simplify port shadow notrack test

The second rule in prerouting chain was probably a leftover: The router listens on veth0, so not tracking connections via that interface is sufficient. Likewise, the rule in output chain can be limited to that interface as well. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
mariux64 · Nov 8, 2021 · 85c0c8b · 85c0c8b
1 parent e1f8bc0
commit 85c0c8b
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -818,11 +818,10 @@ table $family raw {
 	chain prerouting {
 		type filter hook prerouting priority -300; policy accept;
 		meta iif veth0 udp dport 1405 notrack
-		udp dport 1405 notrack
 	}
 	chain output {
 		type filter hook output priority -300; policy accept;
-		udp sport 1405 notrack
+		meta oif veth0 udp sport 1405 notrack
 	}
 }
 EOF