
[meta-networking,3/3] nftables: Fix failed ptest testcases

Message ID 20240402133400.3347547-3-William.Lyu@windriver.com
State Accepted
Series [meta-networking,1/3] nftables: Fix ptest output format issues | expand

Commit Message

Lyu, William April 2, 2024, 1:34 p.m. UTC
From: William Lyu <William.Lyu@windriver.com>

Two ptest testcases currently fail. The testcases themselves are broken,
and the upstream fixes are not yet included in version 1.0.9.
These testcases are:
-   tests/shell/testcases/sets/reset_command_0
    Fix from the upstream:
    https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269
-   tests/shell/testcases/json/0005secmark_objref_0
    Fix from the upstream:
    https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9

Signed-off-by: William Lyu <William.Lyu@windriver.com>
---
 ...sets-reset_command_0-for-current-ker.patch | 53 +++++++++++++++++++
 ...-secmark-tests-if-kernel-does-not-su.patch | 46 ++++++++++++++++
 .../recipes-filter/nftables/nftables_1.0.9.bb |  2 +
 3 files changed, 101 insertions(+)
 create mode 100644 meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
 create mode 100644 meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch

Patch

diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
new file mode 100644
index 000000000..164182bb1
--- /dev/null
+++ b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch
@@ -0,0 +1,53 @@ 
+From 7a6089a400a573b9a4fd92f29c00a6be7b8ef269 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 2 Nov 2023 16:02:14 +0100
+Subject: [PATCH] tests: shell: Fix sets/reset_command_0 for current kernels
+
+Since kernel commit 4c90bba60c26 ("netfilter: nf_tables: do not refresh
+timeout when resetting element"), element reset won't touch expiry
+anymore. Invert the one check to make sure it remains unaltered, drop
+the other testing behaviour for per-element timeouts.
+
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+
+Upstream-Status: Backport
+[https://git.netfilter.org/nftables/commit/?id=7a6089a400a573b9a4fd92f29c00a6be7b8ef269]
+
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ tests/shell/testcases/sets/reset_command_0 | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/tests/shell/testcases/sets/reset_command_0 b/tests/shell/testcases/sets/reset_command_0
+index e663dac8..d38ddb3f 100755
+--- a/tests/shell/testcases/sets/reset_command_0
++++ b/tests/shell/testcases/sets/reset_command_0
+@@ -44,10 +44,10 @@ elem='element t s { 1.0.0.1 . udp . 53 }'
+ 	grep 'elements = ' | drop_seconds | uniq | wc -l) == 1 ]]
+ echo OK
+ 
+-echo -n "counters and expiry are reset: "
++echo -n "counters are reset, expiry left alone: "
+ NEW=$($NFT "get $elem")
+ grep -q 'counter packets 0 bytes 0' <<< "$NEW"
+-[[ $(expires_minutes <<< "$NEW") -gt 20 ]]
++[[ $(expires_minutes <<< "$NEW") -lt 20 ]]
+ echo OK
+ 
+ echo -n "get map elem matches reset map elem: "
+@@ -80,12 +80,6 @@ OUT=$($NFT reset map t m)
+ $DIFF -u <(echo "$EXP") <(echo "$OUT")
+ echo OK
+ 
+-echo -n "reset command respects per-element timeout: "
+-VAL=$($NFT get element t s '{ 2.0.0.2 . tcp . 22 }' | expires_minutes)
+-[[ $VAL -lt 15 ]]	# custom timeout applies
+-[[ $VAL -gt 10 ]]	# expires was reset
+-echo OK
+-
+ echo -n "remaining elements are reset: "
+ OUT=$($NFT list ruleset)
+ grep -q '2.0.0.2 . tcp . 22 counter packets 0 bytes 0' <<< "$OUT"
+-- 
+2.43.0
+
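Review bot: The inverted check `[[ $(expires_minutes <<< "$NEW") -lt 20 ]]` in the first inner hunk can pass without measuring anything, because inside `[[ ]]` an empty operand of `-lt` evaluates as 0. If expires_minutes (defined outside this hunk) prints nothing, for example because the element no longer carries an expires field, the test still reports OK, whereas the old `-gt 20` form failed in that case. Since this is a verbatim backport the change belongs upstream, but the check would be stricter as `EXP_MIN=$(expires_minutes <<< "$NEW")` followed by `[[ -n $EXP_MIN && $EXP_MIN -lt 20 ]]`. The second inner hunk also removes the only per-element timeout assertion visible here, so that behaviour is left without coverage in the shown lines.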
diff --git a/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch
new file mode 100644
index 000000000..2a966ab44
--- /dev/null
+++ b/meta-networking/recipes-filter/nftables/nftables/0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch
@@ -0,0 +1,46 @@ 
+From fff913c1eefbc84eb2d9c52038ef29fe881e9ee9 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 21 Nov 2023 21:16:38 +0100
+Subject: [PATCH] tests: shell: skip secmark tests if kernel does not support
+ it
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+Upstream-Status: Backport
+[https://git.netfilter.org/nftables/commit/?id=fff913c1eefbc84eb2d9c52038ef29fe881e9ee9]
+
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ tests/shell/features/secmark.nft                | 7 +++++++
+ tests/shell/testcases/json/0005secmark_objref_0 | 1 +
+ 2 files changed, 8 insertions(+)
+ create mode 100644 tests/shell/features/secmark.nft
+
+diff --git a/tests/shell/features/secmark.nft b/tests/shell/features/secmark.nft
+new file mode 100644
+index 00000000..ccbb572f
+--- /dev/null
++++ b/tests/shell/features/secmark.nft
+@@ -0,0 +1,7 @@
++# fb961945457f ("netfilter: nf_tables: add SECMARK support")
++# v4.20-rc1~14^2~125^2~5
++table inet x {
++	secmark ssh_server {
++		"system_u:object_r:ssh_server_packet_t:s0"
++	}
++}
+diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0
+index 992d1b00..5c44f093 100755
+--- a/tests/shell/testcases/json/0005secmark_objref_0
++++ b/tests/shell/testcases/json/0005secmark_objref_0
+@@ -1,6 +1,7 @@
+ #!/bin/bash
+ 
+ # NFT_TEST_REQUIRES(NFT_TEST_HAVE_json)
++# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark)
+ 
+ set -e
+ 
+-- 
+2.43.0
+
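Review bot: The added `# NFT_TEST_REQUIRES(NFT_TEST_HAVE_secmark)` line turns a failure on kernels without SECMARK into a skip, and the backported patch header has no body saying so. On images that rely on SELinux packet labelling, a skipped 0005secmark_objref_0 means the target kernel rejected the object in features/secmark.nft, so the ptest log should surface it as a skip; whether run-ptest does that is not visible here. I would add a line under Upstream-Status such as `Test is skipped when the target kernel cannot load a secmark object (see tests/shell/features/secmark.nft).` This also assumes the 1.0.9 test runner already probes features/*.nft files; that is worth confirming, since otherwise the requirement would presumably never be met and the test would be skipped everywhere.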
diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
index 906d1b4f6..ad99a80a6 100644
--- a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
+++ b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
@@ -12,6 +12,8 @@  DEPENDS = "libmnl libnftnl bison-native \
            ${@bb.utils.contains('PACKAGECONFIG', 'mini-gmp', '', 'gmp', d)}"
 
 SRC_URI = "http://www.netfilter.org/projects/nftables/files/${BP}.tar.xz \
+           file://0001-tests-shell-Fix-sets-reset_command_0-for-current-ker.patch \
+           file://0001-tests-shell-skip-secmark-tests-if-kernel-does-not-su.patch \
            file://run-ptest \
           "
 SRC_URI[sha256sum] = "a3c304cd9ba061239ee0474f9afb938a9bb99d89b960246f66f0c3a0a85e14cd"