From be105551fa365c5f0bc06d84da9c47fe2a078af9 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Thu, 20 Dec 2018 14:40:20 -0500 Subject: [PATCH 8/8] tests/features: add coverage for RFC3964_IPv4 (cherry picked from commit 74211168c8f59994356619f214ad28d69ba1744b) --- src/tests/features.at | 1 + src/tests/features/rfc3964_ipv4.at | 116 +++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 src/tests/features/rfc3964_ipv4.at
diff --git a/src/tests/features.at b/src/tests/features.at
index 5fdfbe35a926..744d313e9226 100644
--- a/src/tests/features.at
+++ b/src/tests/features.at
@@ -1 +1,2 @@
 AT_BANNER([features (FIREWALL_BACKEND)])
+m4_include([features/rfc3964_ipv4.at])
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
new file mode 100644
index 000000000000..ea8dd40bb5c3
--- /dev/null
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -0,0 +1,116 @@
+FWD_START_TEST([RFC3964_IPv4])
+
+AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+ ])dnl
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+ NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+ table inet firewalld {
+ chain raw_OUTPUT {
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_DROP: " drop
+ }
+ }
+ ])
+], [
+ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:e000::/19
+ LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a9fe::/32
+ LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:c0a8::/32
+ LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:ac10::/28
+ LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:7f00::/24
+ LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a00::/24
+ LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002::/24
+ LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::ffff:0.0.0.0/96
+ LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::/96
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+ ])
+ IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+ LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:e000::/19
+ LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a9fe::/32
+ LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:c0a8::/32
+ LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:ac10::/28
+ LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:7f00::/24
+ LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002:a00::/24
+ LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 2002::/24
+ LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::ffff:0.0.0.0/96
+ LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_DROP: "
+ DROP all ::/0 ::/96
+ OUTPUT_direct all ::/0 ::/0
+ ])
+])
+
+AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=no/' ./firewalld.conf])
+FWD_RELOAD
+
+m4_if(nftables, FIREWALL_BACKEND, [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing log prefix "rpfilter_DROP: " drop
+ ])dnl
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+ NFT_LIST_RULES([inet], [raw_OUTPUT], 0, [dnl
+ table inet firewalld {
+ chain raw_OUTPUT {
+ }
+ }
+ ])
+], [
+ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ LOG all ::/0 ::/0 rpfilter invert LOG flags 0 level 4 prefix "rpfilter_DROP: "
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+ ])
+ IP6TABLES_LIST_RULES([raw], [OUTPUT], 0, [dnl
+ OUTPUT_direct all ::/0 ::/0
+ ])
+])
+
+FWD_END_TEST
-- 2.18.0
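Review bot: The test only exercises RFC3964_IPv4=yes together with LogDenied=all, so the rule shape produced under the default LogDenied=off — a bare `ip6 daddr { ... } drop` in nftables and DROP entries with no LOG line in ip6tables — is never asserted, and the RFC3964_IPv4=no phase also still runs with LogDenied=all rather than the shipped defaults. A third phase between the two FWD_RELOAD calls, `AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=off/' ./firewalld.conf])` followed by `FWD_RELOAD`, with NFT_LIST_RULES/IP6TABLES_LIST_RULES expectations that keep only the drop entries, would pin that path for both backends. The sed substitutions silently do nothing when a key is missing from ./firewalld.conf; the later rule assertions would catch that only indirectly, so a one-line comment above the first AT_CHECK noting that the test relies on both keys already being present would make such a failure easier to read. A short header comment stating what the test covers — that the listed 6to4/IPv4-mapped prefixes are logged and dropped in the raw PREROUTING and OUTPUT chains, and that the rules disappear on reload once the option is turned off — is also missing.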