m4_if(nftables, FIREWALL_BACKEND, [

FWD_START_TEST([nftables helper objects])

AT_KEYWORDS(helper gh453)

CHECK_NFT_CT_HELPER

FWD_CHECK([-q --set-automatic-helpers=no])

FWD_CHECK([-q --add-service=ftp])

NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-ftp-tcp"], 0, [m4_strip([dnl

    ct helper helper-ftp-tcp {

    type "ftp" protocol tcp

    l3proto inet

    }

])])

NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

    table inet firewalld {

    chain filter_IN_public_allow {

    tcp dport 22 ct state new,untracked accept

    ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

    tcp dport 9090 ct state new,untracked accept

    tcp dport 21 ct helper set "helper-ftp-tcp"

    tcp dport 21 ct state new,untracked accept

    }

    }

])

FWD_CHECK([-q --add-service=sip])

NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-tcp"], 0, [m4_strip([dnl

    ct helper helper-sip-tcp {

    type "sip" protocol tcp

    l3proto inet

    }

])])

NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-udp"], 0, [m4_strip([dnl

    ct helper helper-sip-udp {

    type "sip" protocol udp

    l3proto inet

    }

])])

NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

    table inet firewalld {

    chain filter_IN_public_allow {

    tcp dport 22 ct state new,untracked accept

    ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

    tcp dport 9090 ct state new,untracked accept

    tcp dport 21 ct helper set "helper-ftp-tcp"

    tcp dport 21 ct state new,untracked accept

    tcp dport 5060 ct helper set "helper-sip-tcp"

    udp dport 5060 ct helper set "helper-sip-udp"

    tcp dport 5060 ct state new,untracked accept

    udp dport 5060 ct state new,untracked accept

    }

    }

])

FWD_END_TEST

])