From 0921f0adac5fb1e880b506a31cb2ac37b6409a43 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Mon, 13 May 2019 14:00:21 -0400

Subject: [PATCH 49/73] fix: tests: guard occurrences of IPv6

Since we can run without IPv6 support we need to skip test areas that

explicitly use IPv6.

(cherry picked from commit bcb33e448abbf3a2a3a8721c257ad48bfc18dd9d)

(cherry picked from commit 9344ff8c7ce3e55a2296ca3d565b51d9a52065c4)

---

 src/tests/firewall-cmd.at           | 30 +++++++++++++++++++++++++----

 src/tests/regression/gh335.at       |  6 ++++++

 src/tests/regression/rhbz1594657.at |  2 ++

 3 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at

index bcbfe9639ef1..a3844151aeb3 100644

--- a/src/tests/firewall-cmd.at

+++ b/src/tests/firewall-cmd.at

@@ -199,8 +199,10 @@ sources: $1

     check_zone_source([1.2.3.4])

     check_zone_source([192.168.1.0/24])

+    IF_IPV6_SUPPORTED([

     check_zone_source([3ffe:501:ffff::/64])

     check_zone_source([dead:beef::babe])

+    ])

     m4_undefine([check_zone_source])

@@ -292,10 +294,12 @@ FWD_START_TEST([user services])

     FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:foo], 105, ignore, ignore) dnl bad address

     FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:1.2.3.4], 0, ignore)

     FWD_CHECK([--permanent --service=foobar --remove-destination=ipv4], 0, ignore)

+    IF_IPV6_SUPPORTED([

     FWD_CHECK([--permanent --service=foobar --set-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore)

     FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore)

     FWD_CHECK([--permanent --service=foobar --remove-destination=ipv6], 0, ignore)

     FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 1, ignore)

+    ])

     FWD_CHECK([--permanent --zone=public --add-service=foobar], 0, ignore)

     FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 0, ignore)

@@ -447,10 +451,12 @@ FWD_START_TEST([forward ports])

     FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)

     FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)

     FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)

+    IF_IPV6_SUPPORTED([

     FWD_CHECK([--add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)

     FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)

     FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)

     FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)

+    ])

     FWD_CHECK([--add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)

     FWD_CHECK([--query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)

     FWD_CHECK([--query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)

@@ -473,10 +479,12 @@ FWD_START_TEST([forward ports])

     FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)

     FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)

     FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)

+    IF_IPV6_SUPPORTED([

     FWD_CHECK([--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)

     FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)

     FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)

     FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)

+    ])

     FWD_CHECK([--permanent --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)

     FWD_CHECK([--permanent --query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)

     FWD_CHECK([--permanent --query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)

@@ -592,12 +600,14 @@ FWD_START_TEST([ipset])

     FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)

     FWD_RELOAD

+    IF_IPV6_SUPPORTED([

     FWD_CHECK([--permanent --new-ipset=foobar --type=hash:mac], 0, ignore)

     FWD_CHECK([--permanent --ipset=foobar --add-entry=12:34:56:78:90:ab], 0, ignore)

     FWD_RELOAD

     FWD_CHECK([--ipset=foobar --add-entry=12:34:56:78:90:ac], 0, ignore)

     FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)

     FWD_RELOAD

+    ])

 FWD_END_TEST([-e '/ERROR: INVALID_ENTRY: invalid address/d'])

 FWD_START_TEST([user helpers])

@@ -733,11 +743,13 @@ FWD_START_TEST([direct passthrough])

     FWD_CHECK([--direct --remove-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 0, ignore)

     FWD_CHECK([--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 1, ignore, ignore)

+    m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl

     FWD_CHECK([--direct --add-passthrough ipv6 --table filter --append FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore)

     FWD_CHECK([--direct --get-passthroughs ipv6 | grep "fd00:dead:beef:ff0::/64"], 0, ignore)

     FWD_CHECK([--direct --get-all-passthroughs | grep "fd00:dead:beef:ff0::/64"], 0, ignore)

     FWD_CHECK([--direct --passthrough ipv6 -nvL | grep "fd00:dead:beef:ff0::/64"], 0, ignore)

     FWD_CHECK([--direct --remove-passthrough ipv6 --table filter --delete FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore, ignore)

+    ])

     FWD_CHECK([--direct --passthrough ipv5 -nvL], 111, ignore, ignore)

     FWD_CHECK([--direct --passthrough ipv4], 2, ignore, ignore)

@@ -868,21 +880,25 @@ FWD_START_TEST([rich rules good])

     rich_rule_test([rule protocol value="sctp" log])

     rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept])

     rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop])

+    IF_IPV6_SUPPORTED([

     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"])

     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop])

     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="1::2:3:4:7"])

+    rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])

+    rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])

+    rich_rule_test([rule family="ipv6" masquerade])

+    ])

     rich_rule_test([rule family="ipv4" destination address="1.2.3.4" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="9.8.7.6"])

     rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" icmp-block name="source-quench" log prefix="source-quench: " level="info" limit value="4/m"])

-    rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])

     rich_rule_test([rule family="ipv4" source address="192.168.1.0/24" masquerade])

     rich_rule_test([rule family="ipv4" source address="10.1.1.0/24" destination address="192.168.1.0/24" accept])

-    rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])

     rich_rule_test([rule family="ipv4" destination address="192.168.1.0/24" masquerade])

-    rich_rule_test([rule family="ipv6" masquerade])

     rich_rule_test([rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"])

     rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])

+    IF_IPV6_SUPPORTED([

     rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])

     rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])

+    ])

     rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])

 FWD_END_TEST

 FWD_START_TEST([rich rules audit])

@@ -897,7 +913,6 @@ FWD_START_TEST([rich rules bad])

         FWD_CHECK([--permanent --add-rich-rule='$1'], $2, ignore, ignore)

     ])

     rich_rule_test([], 122) dnl empty

-    rich_rule_test([family="ipv6" accept], 122) dnl no rule

     rich_rule_test([name="dns" accept], 122) dnl no rule

     rich_rule_test([protocol value="ah" reject], 122) dnl no rule

     rich_rule_test([rule protocol value="ah" reject type="icmp-host-prohibited"], 122) dnl reject type needs specific family

@@ -911,8 +926,11 @@ FWD_START_TEST([rich rules bad])

     rich_rule_test([rule service name="radius" port port="4011" reject], 122) dnl service && port

     rich_rule_test([rule service bad_attribute="dns"], 122) dnl bad attribute

     rich_rule_test([rule protocol value="igmp" log level="eror"], 125) dnl bad log level

+    IF_IPV6_SUPPORTED([

+    rich_rule_test([family="ipv6" accept], 122) dnl no rule

     rich_rule_test([rule source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 207) dnl missing family

     rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 123) dnl bad limit

+    ])

     rich_rule_test([rule protocol value="esp"], 122) dnl no action/log/audit

     rich_rule_test([rule family="ipv4" masquerade drop], 122) dnl masquerade & action

     rich_rule_test([rule family="ipv4" icmp-block name="redirect" accept], 122) dnl icmp-block & action

@@ -1029,6 +1047,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90'

 ])

     FWD_CHECK([--check-config], 111, ignore, ignore)

+    IF_IPV6_SUPPORTED([

     AT_DATA([./helpers/foobar.xml], [dnl

 <helper family="ipv6" module="nf_conntrack_ftp">

@@ -1036,6 +1055,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90'

 </helper>

 ])

     FWD_CHECK([--check-config], 103, ignore, ignore)

+    ])

     AT_CHECK([rm ./helpers/foobar.xml])

     dnl icmptype

@@ -1278,6 +1298,7 @@ WARNING: Invalid rule: Invalid log level

 ])

     FWD_CHECK([--check-config], 28, ignore, ignore)

+    IF_IPV6_SUPPORTED([

     AT_DATA([./zones/foobar.xml], [dnl

 <zone>

@@ -1292,6 +1313,7 @@ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl

 WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept

 WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept

 ])])

+    ])

     AT_CHECK([rm ./zones/foobar.xml])

 FWD_END_TEST([-e '/ERROR:/d'dnl

diff --git a/src/tests/regression/gh335.at b/src/tests/regression/gh335.at

index 901e2fa04f69..54cc4c66e163 100644

--- a/src/tests/regression/gh335.at

+++ b/src/tests/regression/gh335.at

@@ -7,12 +7,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 FWD_RELOAD

+IF_IPV6_SUPPORTED([

 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])

 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])

 FWD_CHECK([-q --add-forward-port=port=12345:proto=tcp:toport=54321:toaddr="1234:5678::4321"])

 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])

 FWD_RELOAD

+])

 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])

 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])

@@ -21,12 +23,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 FWD_RELOAD

+IF_IPV6_SUPPORTED([

 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])

 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])

 FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321" to-addr="1234:5678::4321"'])

 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])

 FWD_RELOAD

+])

 dnl following tests should _not_ enable IP forwarding

 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])

@@ -40,8 +44,10 @@ FWD_CHECK([-q --add-rich-rule='rule family=ipv4 forward-port port="12345" protoc

 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

+IF_IPV6_SUPPORTED([

 FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321"'])

 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])

+])

 FWD_END_TEST

diff --git a/src/tests/regression/rhbz1594657.at b/src/tests/regression/rhbz1594657.at

index c01a34012875..33b7bafe6b08 100644

--- a/src/tests/regression/rhbz1594657.at

+++ b/src/tests/regression/rhbz1594657.at

@@ -6,7 +6,9 @@ FWD_CHECK([--direct --passthrough ipv4 -t filter -C dummy_chain -j ACCEPT], 13,

 FWD_CHECK([--direct --passthrough ipv4 -t filter -L dummy_chain], 13, [ignore], [ignore])

 FWD_CHECK([--direct --passthrough ipv4 -t filter -L INPUT], 0, [ignore])

+m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl

 FWD_CHECK([--direct --passthrough ipv6 -t filter -C dummy_chain -j ACCEPT], 13, [ignore], [ignore])

 FWD_CHECK([--direct --passthrough ipv6 -t filter -L dummy_chain], 13, [ignore], [ignore])

 FWD_CHECK([--direct --passthrough ipv6 -t filter -L INPUT], 0, [ignore])

+])

 FWD_END_TEST

-- 

2.20.1