From b2075eb46f1798ba897ca443ea14872b17267d69 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Mon, 13 Sep 2021 14:54:42 -0400

Subject: [PATCH 39/50] test(icmp): don't log blocked if ICMP inversion

Coverage: #696

Coverage: rhbz1945833

(cherry picked from commit b7d9a74731f9c5a1a6faf0f2959adcc315d2ca16)

(cherry picked from commit d45c614967cec6a608c93c1e8531089d7b1150bb)

---

 src/tests/regression/gh696.at      | 102 +++++++++++++++++++++++++++++

 src/tests/regression/regression.at |   1 +

 2 files changed, 103 insertions(+)

 create mode 100644 src/tests/regression/gh696.at

diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at

new file mode 100644

index 000000000000..19b8d485a0a5

--- /dev/null

+++ b/src/tests/regression/gh696.at

@@ -0,0 +1,102 @@

+FWD_START_TEST([icmp-block-inversion no log blocked])

+AT_KEYWORDS(icmp gh696 rhbz1945833)

+

+FWD_CHECK([--permanent --zone public --remove-icmp-block-inversion], 0, [ignore], [ignore])

+FWD_CHECK([--permanent --zone public --add-icmp-block echo-request], 0, [ignore])

+FWD_RELOAD()

+

+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_public_deny {

+            icmp type echo-request reject with icmpx type admin-prohibited

+            icmpv6 type echo-request reject with icmpx type admin-prohibited

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

+    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

+    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited

+])

+

+dnl since inversion is disabled we should get logs when the ICMP is blocked.

+FWD_CHECK([--set-log-denied all], 0, [ignore])

+

+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_public_deny {

+            icmp type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""

+            icmp type echo-request reject with icmpx type admin-prohibited

+            icmpv6 type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""

+            icmpv6 type echo-request reject with icmpx type admin-prohibited

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

+    LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "

+    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

+    LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "

+    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited

+])

+

+dnl ########################################

+dnl ########################################

+dnl Same as above, but with icmp block inversion.

+dnl ########################################

+dnl ########################################

+

+FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore])

+FWD_CHECK([--set-log-denied off], 0, [ignore])

+

+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_public_allow {

+            tcp dport 22 ct state new,untracked accept

+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+            icmp type echo-request accept

+            icmpv6 type echo-request accept

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8

+])

+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128

+])

+

+dnl since inversion is enabled, it should be the same whether set-log-denied is

+dnl enabled or not.

+FWD_CHECK([--set-log-denied all], 0, [ignore])

+

+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_public_allow {

+            tcp dport 22 ct state new,untracked accept

+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+            icmp type echo-request accept

+            icmpv6 type echo-request accept

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8

+])

+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+    ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128

+])

+

+FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])

diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at

index aadd948a459f..ba41a56b29b5 100644

--- a/src/tests/regression/regression.at

+++ b/src/tests/regression/regression.at

@@ -42,3 +42,4 @@ m4_include([regression/ipset_netmask_allowed.at])

 m4_include([regression/rhbz1940928.at])

 m4_include([regression/rhbz1936896.at])

 m4_include([regression/rhbz1914935.at])

+m4_include([regression/gh696.at])

-- 

2.27.0