|
 |
e9ad3f |
From 8adac165dc93d28802c645a3626a3bcf29503ace Mon Sep 17 00:00:00 2001
|
|
|
e9ad3f |
From: Eric Garver <eric@garver.life>
|
|
|
e9ad3f |
Date: Mon, 15 Feb 2021 11:29:07 -0500
|
|
|
e9ad3f |
Subject: [PATCH 21/22] test(ipset): verify ipset netmask allowed for hash:ip
|
|
|
e9ad3f |
|
|
|
e9ad3f |
(cherry picked from commit b7718f0dfa9ce7247911ef49c62e3ef2e4208343)
|
|
|
e9ad3f |
(cherry picked from commit 1fd50036a51b6147f9e77d61d7e63c8a8e564756)
|
|
|
e9ad3f |
---
|
|
|
e9ad3f |
src/tests/regression/ipset_netmask_allowed.at | 23 +++++++++++++++++++
|
|
|
e9ad3f |
src/tests/regression/regression.at | 1 +
|
|
|
e9ad3f |
2 files changed, 24 insertions(+)
|
|
|
e9ad3f |
create mode 100644 src/tests/regression/ipset_netmask_allowed.at
|
|
|
e9ad3f |
|
|
|
e9ad3f |
diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at
|
|
|
e9ad3f |
new file mode 100644
|
|
|
e9ad3f |
index 000000000000..b5165d94b220
|
|
|
e9ad3f |
--- /dev/null
|
|
|
e9ad3f |
+++ b/src/tests/regression/ipset_netmask_allowed.at
|
|
|
e9ad3f |
@@ -0,0 +1,23 @@
|
|
|
e9ad3f |
+FWD_START_TEST([ipset netmask allowed type hash:ip])
|
|
|
e9ad3f |
+AT_KEYWORDS(ipset reload)
|
|
|
e9ad3f |
+
|
|
|
e9ad3f |
+FWD_CHECK([--permanent --new-ipset foobar --type hash:ip], 0, [ignore])
|
|
|
e9ad3f |
+FWD_RELOAD
|
|
|
e9ad3f |
+
|
|
|
e9ad3f |
+dnl ipset allows specifying a mask for hash:ip, but it will translate it into
|
|
|
e9ad3f |
+dnl an add for the whole range. i.e. 1.2.3.4/24 --> 1.2.3.[0.255] (256
|
|
|
e9ad3f |
+dnl entries).
|
|
|
e9ad3f |
+dnl
|
|
|
e9ad3f |
+dnl In nftables, we allow this by using actual intervals.
|
|
|
e9ad3f |
+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
|
|
|
e9ad3f |
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
|
|
|
e9ad3f |
+
|
|
|
e9ad3f |
+dnl check the edge case
|
|
|
e9ad3f |
+FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
|
|
|
e9ad3f |
+FWD_CHECK([ --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
|
|
|
e9ad3f |
+
|
|
|
e9ad3f |
+dnl overlaps should be denied by ipset
|
|
|
e9ad3f |
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore])
|
|
|
e9ad3f |
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore])
|
|
|
e9ad3f |
+
|
|
|
e9ad3f |
+FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])
|
|
|
e9ad3f |
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
|
|
|
e9ad3f |
index a90fc37d51c6..a49bb3b756e7 100644
|
|
|
e9ad3f |
--- a/src/tests/regression/regression.at
|
|
|
e9ad3f |
+++ b/src/tests/regression/regression.at
|
|
|
e9ad3f |
@@ -38,3 +38,4 @@ m4_include([regression/rhbz1855140.at])
|
|
|
e9ad3f |
m4_include([regression/rhbz1871298.at])
|
|
|
e9ad3f |
m4_include([regression/rhbz1596304.at])
|
|
|
e9ad3f |
m4_include([regression/gh703.at])
|
|
|
e9ad3f |
+m4_include([regression/ipset_netmask_allowed.at])
|
|
|
e9ad3f |
--
|
|
|
e9ad3f |
2.27.0
|
|
|
e9ad3f |
|