From be105551fa365c5f0bc06d84da9c47fe2a078af9 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 14:40:20 -0500
Subject: [PATCH 8/8] tests/features: add coverage for RFC3964_IPv4
(cherry picked from commit 74211168c8f59994356619f214ad28d69ba1744b)
---
src/tests/features.at | 1 +
src/tests/features/rfc3964_ipv4.at | 116 +++++++++++++++++++++++++++++
2 files changed, 117 insertions(+)
create mode 100644 src/tests/features/rfc3964_ipv4.at
diff --git a/src/tests/features.at b/src/tests/features.at
index 5fdfbe35a926..744d313e9226 100644
--- a/src/tests/features.at
+++ b/src/tests/features.at
@@ -1 +1,2 @@
AT_BANNER([features (FIREWALL_BACKEND)])
+m4_include([features/rfc3964_ipv4.at])
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
new file mode 100644
index 000000000000..ea8dd40bb5c3
--- /dev/null
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -0,0 +1,116 @@
+FWD_START_TEST([RFC3964_IPv4])
+
+AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+ ])dnl
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+ NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+ table inet firewalld {
+ chain raw_OUTPUT {
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+ }
+ }
+ ])
+], [
+ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:e000::/19
+ LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a9fe::/32
+ LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:c0a8::/32
+ LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:ac10::/28
+ LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:7f00::/24
+ LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a00::/24
+ LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002::/24
+ LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::ffff:0.0.0.0/96
+ LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::/96
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+ ])
+ IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+ LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:e000::/19
+ LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a9fe::/32
+ LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:c0a8::/32
+ LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:ac10::/28
+ LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:7f00::/24
+ LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a00::/24
+ LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002::/24
+ LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::ffff:0.0.0.0/96
+ LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::/96
+ OUTPUT_direct all ::/0 ::/0
+ ])
+])
+
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=no/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+ ])dnl
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+ NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+ table inet firewalld {
+ chain raw_OUTPUT {
+ }
+ }
+ ])
+], [
+ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+ ])
+ IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+ OUTPUT_direct all ::/0 ::/0
+ ])
+])
+
+FWD_END_TEST
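Review bot: The three `sed -i` substitutions at the top of the file and at the `RFC3964_IPv4=no` step succeed silently when the pattern does not match (sed exits 0 with no edit), so if `LogDenied` or `RFC3964_IPv4` is absent from the test's ./firewalld.conf the failure only surfaces later as a confusing rule-listing mismatch rather than at the config step. Following each substitution with an assertion that the key now has the intended value would pin the failure to its cause, e.g. `AT_CHECK([grep -q '^RFC3964_IPv4=yes$' ./firewalld.conf])` after the first sed, and the same shape for `LogDenied=all` and the later `RFC3964_IPv4=no`. Separately, `LogDenied=all` is set but never reverted inside the test, which is fine only if FWD_END_TEST discards the per-test config (not visible here); a one-line comment above that sed stating that the logging variant is what the expected `RFC3964_IPv4_DROP:` rules depend on would make the dependency explicit. The default `LogDenied=off` shape of the drop rules is not exercised by this test.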
--
2.18.0