From 2b76468d515858e27a1c50b9b27864adbb1bb96f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 13 May 2019 14:00:21 -0400
Subject: [PATCH 37/37] fix: tests: guard occurrences of IPv6
Since we can run without IPv6 support we need to skip test areas that
explicitly use IPv6.
(cherry picked from commit bcb33e448abbf3a2a3a8721c257ad48bfc18dd9d)
(cherry picked from commit 9344ff8c7ce3e55a2296ca3d565b51d9a52065c4)
---
src/tests/firewall-cmd.at | 30 +++++++++++++++++++++++++----
src/tests/regression/gh335.at | 6 ++++++
src/tests/regression/rhbz1594657.at | 2 ++
3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index bcbfe9639ef1..a3844151aeb3 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -199,8 +199,10 @@ sources: $1
check_zone_source([1.2.3.4])
check_zone_source([192.168.1.0/24])
+ IF_IPV6_SUPPORTED([
check_zone_source([3ffe:501:ffff::/64])
check_zone_source([dead:beef::babe])
+ ])
m4_undefine([check_zone_source])
@@ -292,10 +294,12 @@ FWD_START_TEST([user services])
FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:foo], 105, ignore, ignore) dnl bad address
FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:1.2.3.4], 0, ignore)
FWD_CHECK([--permanent --service=foobar --remove-destination=ipv4], 0, ignore)
+ IF_IPV6_SUPPORTED([
FWD_CHECK([--permanent --service=foobar --set-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore)
FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore)
FWD_CHECK([--permanent --service=foobar --remove-destination=ipv6], 0, ignore)
FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 1, ignore)
+ ])
FWD_CHECK([--permanent --zone=public --add-service=foobar], 0, ignore)
FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 0, ignore)
@@ -447,10 +451,12 @@ FWD_START_TEST([forward ports])
FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)
FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)
FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)
+ IF_IPV6_SUPPORTED([
FWD_CHECK([--add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)
FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)
+ ])
FWD_CHECK([--add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)
FWD_CHECK([--query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)
FWD_CHECK([--query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)
@@ -473,10 +479,12 @@ FWD_START_TEST([forward ports])
FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)
FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)
FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)
+ IF_IPV6_SUPPORTED([
FWD_CHECK([--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)
FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)
+ ])
FWD_CHECK([--permanent --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)
FWD_CHECK([--permanent --query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)
FWD_CHECK([--permanent --query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)
@@ -592,12 +600,14 @@ FWD_START_TEST([ipset])
FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)
FWD_RELOAD
+ IF_IPV6_SUPPORTED([
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:mac], 0, ignore)
FWD_CHECK([--permanent --ipset=foobar --add-entry=12:34:56:78:90:ab], 0, ignore)
FWD_RELOAD
FWD_CHECK([--ipset=foobar --add-entry=12:34:56:78:90:ac], 0, ignore)
FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)
FWD_RELOAD
+ ])
FWD_END_TEST([-e '/ERROR: INVALID_ENTRY: invalid address/d'])
FWD_START_TEST([user helpers])
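Review bot: The block wrapped in `IF_IPV6_SUPPORTED` in the ipset test creates a `hash:mac` set and adds MAC entries such as `12:34:56:78:90:ab`, none of which is an IPv6 address. As written, hosts without IPv6 lose all of the MAC-ipset coverage visible in this hunk. If the intent was to guard an inet6 ipset case elsewhere in this test, the guard may have landed on the wrong lines during the cherry-pick; the rest of the test is outside the hunk, so compare against the upstream commit. If the guard is deliberate, add a comment along the lines of `dnl hash:mac is skipped without IPv6 because <reason>` so nobody removes it later.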
@@ -733,11 +743,13 @@ FWD_START_TEST([direct passthrough])
FWD_CHECK([--direct --remove-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 0, ignore)
FWD_CHECK([--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 1, ignore, ignore)
+ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl
FWD_CHECK([--direct --add-passthrough ipv6 --table filter --append FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore)
FWD_CHECK([--direct --get-passthroughs ipv6 | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
FWD_CHECK([--direct --get-all-passthroughs | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
FWD_CHECK([--direct --passthrough ipv6 -nvL | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
FWD_CHECK([--direct --remove-passthrough ipv6 --table filter --delete FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore, ignore)
+ ])
FWD_CHECK([--direct --passthrough ipv5 -nvL], 111, ignore, ignore)
FWD_CHECK([--direct --passthrough ipv4], 2, ignore, ignore)
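Review bot: The direct-passthrough block is gated with `m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl` while every other block in this patch uses `IF_IPV6_SUPPORTED`, and nothing explains why the two conditions differ. `m4_if` is resolved when the testsuite is generated, and the definition of `HOST_SUPPORTS_IP6TABLES` is not part of this patch. If it is probed at generation time, a suite built on one host and run on another would include or skip these ipv6 passthrough checks based on the wrong machine. A comment such as `dnl direct passthrough invokes ip6tables itself, so gate on the binary rather than on IPv6 rule support` (if that is the reason) would document the split. The same applies to the identical guard added in src/tests/regression/rhbz1594657.at.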
@@ -868,21 +880,25 @@ FWD_START_TEST([rich rules good])
rich_rule_test([rule protocol value="sctp" log])
rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept])
rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop])
+ IF_IPV6_SUPPORTED([
rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"])
rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop])
rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="1::2:3:4:7"])
+ rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])
+ rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])
+ rich_rule_test([rule family="ipv6" masquerade])
+ ])
rich_rule_test([rule family="ipv4" destination address="1.2.3.4" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="9.8.7.6"])
rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" icmp-block name="source-quench" log prefix="source-quench: " level="info" limit value="4/m"])
- rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])
rich_rule_test([rule family="ipv4" source address="192.168.1.0/24" masquerade])
rich_rule_test([rule family="ipv4" source address="10.1.1.0/24" destination address="192.168.1.0/24" accept])
- rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])
rich_rule_test([rule family="ipv4" destination address="192.168.1.0/24" masquerade])
- rich_rule_test([rule family="ipv6" masquerade])
rich_rule_test([rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"])
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
+ IF_IPV6_SUPPORTED([
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ ])
rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
FWD_END_TEST
FWD_START_TEST([rich rules audit])
@@ -897,7 +913,6 @@ FWD_START_TEST([rich rules bad])
FWD_CHECK([--permanent --add-rich-rule='$1'], $2, ignore, ignore)
])
rich_rule_test([], 122) dnl empty
- rich_rule_test([family="ipv6" accept], 122) dnl no rule
rich_rule_test([name="dns" accept], 122) dnl no rule
rich_rule_test([protocol value="ah" reject], 122) dnl no rule
rich_rule_test([rule protocol value="ah" reject type="icmp-host-prohibited"], 122) dnl reject type needs specific family
@@ -911,8 +926,11 @@ FWD_START_TEST([rich rules bad])
rich_rule_test([rule service name="radius" port port="4011" reject], 122) dnl service && port
rich_rule_test([rule service bad_attribute="dns"], 122) dnl bad attribute
rich_rule_test([rule protocol value="igmp" log level="eror"], 125) dnl bad log level
+ IF_IPV6_SUPPORTED([
+ rich_rule_test([family="ipv6" accept], 122) dnl no rule
rich_rule_test([rule source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 207) dnl missing family
rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 123) dnl bad limit
+ ])
rich_rule_test([rule protocol value="esp"], 122) dnl no action/log/audit
rich_rule_test([rule family="ipv4" masquerade drop], 122) dnl masquerade & action
rich_rule_test([rule family="ipv4" icmp-block name="redirect" accept], 122) dnl icmp-block & action
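Review bot: The three checks now under `IF_IPV6_SUPPORTED` in "rich rules bad" are rejection tests (expected codes 122, 207 and 123), and `[family="ipv6" accept]` ran unguarded before this change. On a host without IPv6 they are skipped entirely, so nothing asserts that these malformed rules are still refused there. If firewalld returns a different code in that configuration and the macro accepts an else branch, asserting that code would keep the rejection path covered. Otherwise, record why they are dropped, for example `dnl IPv6 rich rules are rejected earlier when IPv6 is unavailable, so the expected codes below do not apply` (if that is the case).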
@@ -1029,6 +1047,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90'
])
FWD_CHECK([--check-config], 111, ignore, ignore)
+ IF_IPV6_SUPPORTED([
AT_DATA([./helpers/foobar.xml], [dnl
<?xml version="1.0" encoding="utf-8"?>
<helper family="ipv6" module="nf_conntrack_ftp">
@@ -1036,6 +1055,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90'
</helper>
])
FWD_CHECK([--check-config], 103, ignore, ignore)
+ ])
AT_CHECK([rm ./helpers/foobar.xml])
dnl icmptype
@@ -1278,6 +1298,7 @@ WARNING: Invalid rule: Invalid log level
])
FWD_CHECK([--check-config], 28, ignore, ignore)
+ IF_IPV6_SUPPORTED([
AT_DATA([./zones/foobar.xml], [dnl
<?xml version="1.0" encoding="utf-8"?>
<zone>
@@ -1292,6 +1313,7 @@ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl
WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept
WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept
])])
+ ])
AT_CHECK([rm ./zones/foobar.xml])
FWD_END_TEST([-e '/ERROR:/d'dnl
diff --git a/src/tests/regression/gh335.at b/src/tests/regression/gh335.at
index 901e2fa04f69..54cc4c66e163 100644
--- a/src/tests/regression/gh335.at
+++ b/src/tests/regression/gh335.at
@@ -7,12 +7,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
FWD_RELOAD
+IF_IPV6_SUPPORTED([
NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
FWD_CHECK([-q --add-forward-port=port=12345:proto=tcp:toport=54321:toaddr="1234:5678::4321"])
NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])
FWD_RELOAD
+])
NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
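Review bot: The lines left outside the new guards still run `sysctl -w net.ipv6.conf.all.forwarding=0` with an expected exit status of 0, as in the last line of this hunk. If "without IPv6 support" includes a kernel with IPv6 disabled, that key presumably does not exist and the write fails, so gh335 would still break on the hosts this patch targets. Wrapping the IPv6 write on its own would cover that case: `IF_IPV6_SUPPORTED([NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])])`. The `grep` checks that expect status 1 pass either way. If the macro only probes for IPv6 rule support and the sysctl is always expected to exist, a `dnl` comment saying so would settle the question.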
@@ -21,12 +23,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
FWD_RELOAD
+IF_IPV6_SUPPORTED([
NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321" to-addr="1234:5678::4321"'])
NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])
FWD_RELOAD
+])
dnl following tests should _not_ enable IP forwarding
NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
@@ -40,8 +44,10 @@ FWD_CHECK([-q --add-rich-rule='rule family=ipv4 forward-port port="12345" protoc
NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
+IF_IPV6_SUPPORTED([
FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321"'])
NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
+])
FWD_END_TEST
diff --git a/src/tests/regression/rhbz1594657.at b/src/tests/regression/rhbz1594657.at
index c01a34012875..33b7bafe6b08 100644
--- a/src/tests/regression/rhbz1594657.at
+++ b/src/tests/regression/rhbz1594657.at
@@ -6,7 +6,9 @@ FWD_CHECK([--direct --passthrough ipv4 -t filter -C dummy_chain -j ACCEPT], 13,
FWD_CHECK([--direct --passthrough ipv4 -t filter -L dummy_chain], 13, [ignore], [ignore])
FWD_CHECK([--direct --passthrough ipv4 -t filter -L INPUT], 0, [ignore])
+m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl
FWD_CHECK([--direct --passthrough ipv6 -t filter -C dummy_chain -j ACCEPT], 13, [ignore], [ignore])
FWD_CHECK([--direct --passthrough ipv6 -t filter -L dummy_chain], 13, [ignore], [ignore])
FWD_CHECK([--direct --passthrough ipv6 -t filter -L INPUT], 0, [ignore])
+])
FWD_END_TEST
--
2.20.1