|
 |
c8bceb |
From 83c620c895a03d9e99997d61ee532869ae3ef906 Mon Sep 17 00:00:00 2001
|
|
|
c8bceb |
From: Eric Garver <eric@garver.life>
|
|
|
c8bceb |
Date: Fri, 14 Jun 2019 09:44:41 -0400
|
|
|
c8bceb |
Subject: [PATCH 66/73] fix: tests: always list rules using macros
|
|
|
c8bceb |
|
|
|
c8bceb |
This is to make sure certain flags are used, e.g. "-w" for iptables.
|
|
|
c8bceb |
|
|
|
c8bceb |
Fixes: rhbz 1720650
|
|
|
c8bceb |
(cherry picked from commit e527818500be462a724cd34c94948a2704560eb1)
|
|
|
c8bceb |
(cherry picked from commit e074dc55257bfd7e8b8e2805d2c46b58545aec05)
|
|
|
c8bceb |
---
|
|
|
c8bceb |
.../regression/icmp_block_in_forward_chain.at | 28 +++++--
|
|
|
c8bceb |
src/tests/regression/rhbz1514043.at | 77 ++++++++++++++++++-
|
|
|
c8bceb |
2 files changed, 96 insertions(+), 9 deletions(-)
|
|
|
c8bceb |
|
|
|
c8bceb |
diff --git a/src/tests/regression/icmp_block_in_forward_chain.at b/src/tests/regression/icmp_block_in_forward_chain.at
|
|
|
c8bceb |
index 3c8766a2b23b..bf834b1a1711 100644
|
|
|
c8bceb |
--- a/src/tests/regression/icmp_block_in_forward_chain.at
|
|
|
c8bceb |
+++ b/src/tests/regression/icmp_block_in_forward_chain.at
|
|
|
c8bceb |
@@ -1,12 +1,30 @@
|
|
|
c8bceb |
FWD_START_TEST([ICMP block present FORWARD chain])
|
|
|
c8bceb |
|
|
|
c8bceb |
FWD_CHECK([-q --zone=public --add-icmp-block=host-prohibited])
|
|
|
c8bceb |
-m4_if(iptables, FIREWALL_BACKEND, [
|
|
|
c8bceb |
- NS_CHECK([IPTABLES -L IN_public_deny | grep "host-prohibited"], 0, ignore)
|
|
|
c8bceb |
- NS_CHECK([IPTABLES -L FWDI_public_deny | grep "host-prohibited"], 0, ignore)
|
|
|
c8bceb |
+
|
|
|
c8bceb |
+m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
c8bceb |
+NFT_LIST_RULES([inet], [filter_IN_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl
|
|
|
c8bceb |
+ table inet firewalld {
|
|
|
c8bceb |
+ chain filter_IN_public_deny {
|
|
|
c8bceb |
+ icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+NFT_LIST_RULES([inet], [filter_FWDI_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl
|
|
|
c8bceb |
+ table inet firewalld {
|
|
|
c8bceb |
+ chain filter_FWDI_public_deny {
|
|
|
c8bceb |
+ icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
], [
|
|
|
c8bceb |
- NS_CHECK([nft list chain inet firewalld filter_IN_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)
|
|
|
c8bceb |
- NS_CHECK([nft list chain inet firewalld filter_FWDI_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)
|
|
|
c8bceb |
+
|
|
|
c8bceb |
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
|
|
|
c8bceb |
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+IPTABLES_LIST_RULES([filter], [FWDI_public_deny], 0, [dnl
|
|
|
c8bceb |
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
])
|
|
|
c8bceb |
|
|
|
c8bceb |
FWD_END_TEST
|
|
|
c8bceb |
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
|
|
|
c8bceb |
index a9750a584898..ff2ede2ece71 100644
|
|
|
c8bceb |
--- a/src/tests/regression/rhbz1514043.at
|
|
|
c8bceb |
+++ b/src/tests/regression/rhbz1514043.at
|
|
|
c8bceb |
@@ -5,11 +5,80 @@ FWD_RELOAD
|
|
|
c8bceb |
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
|
|
|
c8bceb |
services: dhcpv6-client samba ssh
|
|
|
c8bceb |
])
|
|
|
c8bceb |
+
|
|
|
c8bceb |
dnl check that log denied actually took effect
|
|
|
c8bceb |
-m4_if(iptables, FIREWALL_BACKEND, [
|
|
|
c8bceb |
- NS_CHECK([IPTABLES -t filter -L | grep "FINAL_REJECT:"], 0, ignore)
|
|
|
c8bceb |
+m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
c8bceb |
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
|
|
|
c8bceb |
+ table inet firewalld {
|
|
|
c8bceb |
+ chain filter_INPUT {
|
|
|
c8bceb |
+ ct state established,related accept
|
|
|
c8bceb |
+ iifname "lo" accept
|
|
|
c8bceb |
+ jump filter_INPUT_ZONES
|
|
|
c8bceb |
+ ct state invalid log prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ ct state invalid drop
|
|
|
c8bceb |
+ log prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ reject with icmpx type admin-prohibited
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
|
|
|
c8bceb |
+ table inet firewalld {
|
|
|
c8bceb |
+ chain filter_FORWARD {
|
|
|
c8bceb |
+ ct state established,related accept
|
|
|
c8bceb |
+ iifname "lo" accept
|
|
|
c8bceb |
+ jump filter_FORWARD_IN_ZONES
|
|
|
c8bceb |
+ jump filter_FORWARD_OUT_ZONES
|
|
|
c8bceb |
+ ct state invalid log prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ ct state invalid drop
|
|
|
c8bceb |
+ log prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ reject with icmpx type admin-prohibited
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+ }
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
], [
|
|
|
c8bceb |
- NS_CHECK([nft list chain inet firewalld filter_INPUT | grep "FINAL_REJECT"], 0, ignore)
|
|
|
c8bceb |
- NS_CHECK([nft list chain inet firewalld filter_FORWARD | grep "FINAL_REJECT"], 0, ignore)
|
|
|
c8bceb |
+
|
|
|
c8bceb |
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
|
|
|
c8bceb |
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
|
|
|
c8bceb |
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
|
|
|
c8bceb |
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
|
|
|
c8bceb |
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
|
|
|
c8bceb |
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
c8bceb |
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
|
|
|
c8bceb |
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
|
|
|
c8bceb |
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
|
|
|
c8bceb |
+ ACCEPT all ::/0 ::/0
|
|
|
c8bceb |
+ INPUT_direct all ::/0 ::/0
|
|
|
c8bceb |
+ INPUT_ZONES all ::/0 ::/0
|
|
|
c8bceb |
+ LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ DROP all ::/0 ::/0 ctstate INVALID
|
|
|
c8bceb |
+ LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
|
|
|
c8bceb |
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
|
|
|
c8bceb |
+ ACCEPT all ::/0 ::/0
|
|
|
c8bceb |
+ FORWARD_direct all ::/0 ::/0
|
|
|
c8bceb |
+ FORWARD_IN_ZONES all ::/0 ::/0
|
|
|
c8bceb |
+ FORWARD_OUT_ZONES all ::/0 ::/0
|
|
|
c8bceb |
+ LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
|
|
|
c8bceb |
+ DROP all ::/0 ::/0 ctstate INVALID
|
|
|
c8bceb |
+ LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
|
|
|
c8bceb |
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
|
|
|
c8bceb |
+])
|
|
|
c8bceb |
])
|
|
|
c8bceb |
+
|
|
|
c8bceb |
FWD_END_TEST
|
|
|
c8bceb |
--
|
|
|
c8bceb |
2.20.1
|
|
|
c8bceb |
|