Blame SOURCES/firewalld-0.7-0008-tests-features-add-coverage-for-RFC3964_IPv4.patch

From be105551fa365c5f0bc06d84da9c47fe2a078af9 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 14:40:20 -0500
Subject: [PATCH 8/8] tests/features: add coverage for RFC3964_IPv4
(cherry picked from commit 74211168c8f59994356619f214ad28d69ba1744b)
---
 src/tests/features.at              |   1 +
 src/tests/features/rfc3964_ipv4.at | 116 +++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)
 create mode 100644 src/tests/features/rfc3964_ipv4.at
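--- a/src/tests/features.at
+++ b/src/tests/features.at
@@ -1 +1,2 @@
 AT_BANNER([features (FIREWALL_BACKEND)])
+m4_include([features/rfc3964_ipv4.at])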
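--- /dev/null
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -0,0 +1,116 @@
+FWD_START_TEST([RFC3964_IPv4])
+
+AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+        table inet firewalld {
+        chain raw_PREROUTING {
+        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+        m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+            icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+            meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+        ])dnl
+        jump raw_PREROUTING_ZONES_SOURCE
+        jump raw_PREROUTING_ZONES
+        }
+        }
+    ])
+    NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+        table inet firewalld {
+        chain raw_OUTPUT {
+        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+        }
+        }
+    ])
+], [
+    IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+        LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:e000::/19
+        LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:a9fe::/32
+        LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:c0a8::/32
+        LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:ac10::/28
+        LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:7f00::/24
+        LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:a00::/24
+        LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002::/24
+        LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 ::ffff:0.0.0.0/96
+        LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 ::/96
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+        LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+        DROP all ::/0 ::/0 rpfilter invert
+        PREROUTING_direct all ::/0 ::/0
+        PREROUTING_ZONES_SOURCE all ::/0 ::/0
+        PREROUTING_ZONES all ::/0 ::/0
+    ])
+    IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+        LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:e000::/19
+        LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:a9fe::/32
+        LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:c0a8::/32
+        LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:ac10::/28
+        LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:7f00::/24
+        LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002:a00::/24
+        LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 2002::/24
+        LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 ::ffff:0.0.0.0/96
+        LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+        DROP all ::/0 ::/96
+        OUTPUT_direct all ::/0 ::/0
+    ])
+])
+
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=no/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+    NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+        table inet firewalld {
+        chain raw_PREROUTING {
+        m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+            icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+            meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+        ])dnl
+        jump raw_PREROUTING_ZONES_SOURCE
+        jump raw_PREROUTING_ZONES
+        }
+        }
+    ])
+    NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+        table inet firewalld {
+        chain raw_OUTPUT {
+        }
+        }
+    ])
+], [
+    IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+        LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+        DROP all ::/0 ::/0 rpfilter invert
+        PREROUTING_direct all ::/0 ::/0
+        PREROUTING_ZONES_SOURCE all ::/0 ::/0
+        PREROUTING_ZONES all ::/0 ::/0
+    ])
+    IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+        OUTPUT_direct all ::/0 ::/0
+    ])
+])
+
+FWD_END_TEST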
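Review bot: The enabled-state expectations are only taken with `LogDenied=all` (set by the first `AT_CHECK`), so the test never confirms that the RFC3964_IPv4 drops are still installed when denied-packet logging is turned off. A further pass after `AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=off/' ./firewalld.conf])` and `FWD_RELOAD`, expecting the same destinations with `drop` / `DROP` only, would cover that. The prefix list would also be easier to audit with a `dnl` comment above the first `m4_if` mapping each 6to4 prefix to its embedded IPv4 range, e.g. `dnl 2002:a00::/24 = 10.0.0.0/8, 2002:7f00::/24 = 127.0.0.0/8, 2002:c0a8::/32 = 192.168.0.0/16`.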
-- 
2.18.0