From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 Jan 2020 09:02:28 -0500
Subject: [PATCH 27/37] test: enhance test for rhbz1729097

(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)
(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)
---
 src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-
 1 file changed, 105 insertions(+), 2 deletions(-)

diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index ce6dd075c2b5..5de9b5679023 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,9 +1,112 @@
-FWD_START_TEST([rich rule destination with service destination])
-AT_KEYWORDS(rich service rhbz1715977)
+FWD_START_TEST([rich rule source/destination with service destination])
+AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
 
 FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
 FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+    table inet firewalld {
+        chain filter_IN_internal_allow {
+            tcp dport 22 ct state new,untracked accept
+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+            udp dport 137 ct helper set "helper-netbios-ns-udp"
+            udp dport 137 ct state new,untracked accept
+            udp dport 138 ct state new,untracked accept
+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+            tcp dport 9090 ct state new,untracked accept
+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+        }
+    }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+    table inet firewalld {
+        chain filter_IN_internal_allow {
+            tcp dport 22 ct state new,untracked accept
+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+            udp dport 137 ct helper set "helper-netbios-ns-udp"
+            udp dport 137 ct state new,untracked accept
+            udp dport 138 ct state new,untracked accept
+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+            tcp dport 9090 ct state new,untracked accept
+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+            ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+        }
+    }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+    table inet firewalld {
+        chain filter_IN_internal_allow {
+            tcp dport 22 ct state new,untracked accept
+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+            udp dport 137 ct helper set "helper-netbios-ns-udp"
+            udp dport 137 ct state new,untracked accept
+            udp dport 138 ct state new,untracked accept
+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+            tcp dport 9090 ct state new,untracked accept
+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+            ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+            ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
+        }
+    }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
 
 FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
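Review bot: The two runtime rich rules added in this hunk (the `source address="10.10.10.0/24"` + `destination address="192.168.111.222/32"` rule and the `service name="ssdp"` rule) carry no comment saying which of the bug ids newly listed in `AT_KEYWORDS` (rhbz1729097, rhbz1791783) each scenario exercises, so a reader cannot tell from the file why both the source+destination case and the service-with-its-own-destination case are present. A one-line `dnl` comment above each `FWD_CHECK` would fix that, e.g. `dnl rhbz1729097: rich rule carrying both a source and a destination address must emit both matches` above the first and `dnl service whose definition supplies its own destination: only the ipv4 239.255.255.250/1900 entry is expected` above the second; the commit subject suggests the first mapping, but confirm the id-to-scenario assignment before committing the wording. It is also worth stating in those comments that the ip6tables listings after both additions are intentionally identical to the baseline, since that unchanged block is the implicit assertion that a `family=ipv4` rule leaves the IPv6 ruleset untouched.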
-- 
2.23.0