From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Fri, 9 Apr 2021 13:34:31 -0400
Subject: [PATCH 24/30] test(direct): verify rule order with multiple address with -s/-d

Coverage: rhbz 1940928
Coverage: rhbz 1949552

(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf)
(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839)
---
 src/tests/regression/regression.at | 1 +
 src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 src/tests/regression/rhbz1940928.at

diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index a49bb3b756e7..8156ee608189 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
 m4_include([regression/rhbz1596304.at])
 m4_include([regression/gh703.at])
 m4_include([regression/ipset_netmask_allowed.at])
+m4_include([regression/rhbz1940928.at])
diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at
new file mode 100644
index 000000000000..0a4367080b5e
--- /dev/null
+++ b/src/tests/regression/rhbz1940928.at
@@ -0,0 +1,52 @@
+FWD_START_TEST([direct -s/-d multiple addresses])
+AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
+CHECK_IPTABLES
+
+dnl test triggers a limitation in iptables-restore
+dnl
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
+FWD_RELOAD
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT sctp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT sctp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT sctp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+])
+
+FWD_END_TEST
-- 
2.27.0
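Review bot: The test title `direct -s/-d multiple addresses` and the subject promise coverage of both `-s` and `-d`, but every FWD_CHECK in the hunk expands only a `-d` list, so a regression in source-address expansion order would go unnoticed even though the same priority-ordering logic is presumably shared. Adding one `-s` rule at the same priority, e.g. `FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -s 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])`, with the matching expected rows in both IPTABLES_LIST_RULES_ALWAYS blocks and a corresponding `--remove-rule` at the end, would close that gap while keeping the final empty-chain check meaningful. The point of the expected listings is that the priority-9 DROP still comes after every expanded ACCEPT, so an ordering bug on the untested `-s` path would change which traffic is dropped without any assertion here failing. The `dnl test triggers a limitation in iptables-restore` comment before the `sed -i` should also name which limitation forces `IndividualCalls=no`, since a later reader cannot tell whether that setting is part of the regression being reproduced or only a workaround needed to run the test at all.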