From 0921f0adac5fb1e880b506a31cb2ac37b6409a43 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Mon, 13 May 2019 14:00:21 -0400 Subject: [PATCH 49/73] fix: tests: guard occurrences of IPv6 Since we can run without IPv6 support we need to skip test areas that explicitly use IPv6. (cherry picked from commit bcb33e448abbf3a2a3a8721c257ad48bfc18dd9d) (cherry picked from commit 9344ff8c7ce3e55a2296ca3d565b51d9a52065c4) --- src/tests/firewall-cmd.at | 30 +++++++++++++++++++++++++---- src/tests/regression/gh335.at | 6 ++++++ src/tests/regression/rhbz1594657.at | 2 ++ 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at index bcbfe9639ef1..a3844151aeb3 100644 --- a/src/tests/firewall-cmd.at +++ b/src/tests/firewall-cmd.at @@ -199,8 +199,10 @@ sources: $1 check_zone_source([1.2.3.4]) check_zone_source([192.168.1.0/24]) + IF_IPV6_SUPPORTED([ check_zone_source([3ffe:501:ffff::/64]) check_zone_source([dead:beef::babe]) + ]) m4_undefine([check_zone_source]) @@ -292,10 +294,12 @@ FWD_START_TEST([user services]) FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:foo], 105, ignore, ignore) dnl bad address FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:1.2.3.4], 0, ignore) FWD_CHECK([--permanent --service=foobar --remove-destination=ipv4], 0, ignore) + IF_IPV6_SUPPORTED([ FWD_CHECK([--permanent --service=foobar --set-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore) FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore) FWD_CHECK([--permanent --service=foobar --remove-destination=ipv6], 0, ignore) FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 1, ignore) + ]) FWD_CHECK([--permanent --zone=public --add-service=foobar], 0, ignore) FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 0, ignore) 
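Review bot: Nothing at the `IF_IPV6_SUPPORTED([` wrapper added around the two IPv6 `check_zone_source` calls records that these cases are dropped on a host without IPv6, and the same wrapper recurs in the later firewall-cmd.at hunks. The macro's definition is not part of this patch, so it cannot be told from here whether a skipped block leaves any trace in the test log. If it does not, a runner that loses IPv6 by accident still reports a passing firewall suite while no IPv6 rule handling was exercised. A comment at the first use would at least document the behaviour, e.g. `dnl IPv6-only cases; not run on hosts without IPv6 support`.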
@@ -447,10 +451,12 @@ FWD_START_TEST([forward ports])
 FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)
 FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)
 FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)
+ IF_IPV6_SUPPORTED([
 FWD_CHECK([--add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
 FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)
 FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
 FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)
+ ])
 FWD_CHECK([--add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)
 FWD_CHECK([--query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)
 FWD_CHECK([--query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)
@@ -473,10 +479,12 @@ FWD_START_TEST([forward ports])
 FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore)
 FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore)
 FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore)
+ IF_IPV6_SUPPORTED([
 FWD_CHECK([--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
 FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore)
 FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore)
 FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore)
+ ])
 FWD_CHECK([--permanent --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore)
 FWD_CHECK([--permanent --query-forward-port=port=100:proto=tcp:toport=200], 0, ignore)
 FWD_CHECK([--permanent --query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore)
@@ -592,12 +600,14 @@ FWD_START_TEST([ipset])
 FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)
 FWD_RELOAD
+ IF_IPV6_SUPPORTED([
 FWD_CHECK([--permanent --new-ipset=foobar --type=hash:mac], 0, ignore)
 FWD_CHECK([--permanent --ipset=foobar --add-entry=12:34:56:78:90:ab], 0, ignore)
 FWD_RELOAD
 FWD_CHECK([--ipset=foobar --add-entry=12:34:56:78:90:ac], 0, ignore)
 FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore)
 FWD_RELOAD
+ ])
 FWD_END_TEST([-e '/ERROR: INVALID_ENTRY: invalid address/d'])
 FWD_START_TEST([user helpers])
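Review bot: The guard added in the ipset hunk wraps a `--type=hash:mac` set whose entries are MAC addresses (`12:34:56:78:90:ab`, `12:34:56:78:90:ac`), and nothing in the wrapped lines is visibly IPv6-specific. The start of the ipset test is outside the hunk, so there may be a dependency that cannot be seen here. If there is one, a comment such as `dnl hash:mac cases depend on IPv6 because <reason>` should say so. If there is not, the guard removes MAC-based ipset coverage on hosts without IPv6 and the two added lines should be dropped from this hunk.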
@@ -733,11 +743,13 @@ FWD_START_TEST([direct passthrough])
 FWD_CHECK([--direct --remove-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 0, ignore)
 FWD_CHECK([--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 1, ignore, ignore)
+ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl
 FWD_CHECK([--direct --add-passthrough ipv6 --table filter --append FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore)
 FWD_CHECK([--direct --get-passthroughs ipv6 | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
 FWD_CHECK([--direct --get-all-passthroughs | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
 FWD_CHECK([--direct --passthrough ipv6 -nvL | grep "fd00:dead:beef:ff0::/64"], 0, ignore)
 FWD_CHECK([--direct --remove-passthrough ipv6 --table filter --delete FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore, ignore)
+ ])
 FWD_CHECK([--direct --passthrough ipv5 -nvL], 111, ignore, ignore)
 FWD_CHECK([--direct --passthrough ipv4], 2, ignore, ignore)
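Review bot: The ipv6 direct-passthrough checks here are guarded with `m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl`, while every other IPv6 block in this file uses `IF_IPV6_SUPPORTED([`, and nothing explains the difference. Presumably the passthrough commands need the ip6tables backend rather than IPv6 support in general, but that is an inference from the names. A one-line comment above the guard would make the choice reviewable, e.g. `dnl direct passthrough is handed to ip6tables, so gate on the binary rather than on IPv6 support`. The same undocumented guard is added in the rhbz1594657.at hunk.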
@@ -868,21 +880,25 @@ FWD_START_TEST([rich rules good])
 rich_rule_test([rule protocol value="sctp" log])
 rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept])
 rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop])
+ IF_IPV6_SUPPORTED([
 rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"])
 rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop])
 rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="1::2:3:4:7"])
+ rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])
+ rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])
+ rich_rule_test([rule family="ipv6" masquerade])
+ ])
 rich_rule_test([rule family="ipv4" destination address="1.2.3.4" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="9.8.7.6"])
 rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" icmp-block name="source-quench" log prefix="source-quench: " level="info" limit value="4/m"])
- rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"])
 rich_rule_test([rule family="ipv4" source address="192.168.1.0/24" masquerade])
 rich_rule_test([rule family="ipv4" source address="10.1.1.0/24" destination address="192.168.1.0/24" accept])
- rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept])
 rich_rule_test([rule family="ipv4" destination address="192.168.1.0/24" masquerade])
- rich_rule_test([rule family="ipv6" masquerade])
 rich_rule_test([rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"])
 rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
+ IF_IPV6_SUPPORTED([
 rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
 rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ ])
 rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
 FWD_END_TEST
 FWD_START_TEST([rich rules audit])
@@ -897,7 +913,6 @@ FWD_START_TEST([rich rules bad])
 FWD_CHECK([--permanent --add-rich-rule='$1'], $2, ignore, ignore)
 ])
 rich_rule_test([], 122) dnl empty
- rich_rule_test([family="ipv6" accept], 122) dnl no rule
 rich_rule_test([name="dns" accept], 122) dnl no rule
 rich_rule_test([protocol value="ah" reject], 122) dnl no rule
 rich_rule_test([rule protocol value="ah" reject type="icmp-host-prohibited"], 122) dnl reject type needs specific family
@@ -911,8 +926,11 @@ FWD_START_TEST([rich rules bad]) rich_rule_test([rule service name="radius" port port="4011" reject], 122) dnl service && port rich_rule_test([rule service bad_attribute="dns"], 122) dnl bad attribute rich_rule_test([rule protocol value="igmp" log level="eror"], 125) dnl bad log level + IF_IPV6_SUPPORTED([ + rich_rule_test([family="ipv6" accept], 122) dnl no rule rich_rule_test([rule source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 207) dnl missing family rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 123) dnl bad limit + ]) rich_rule_test([rule protocol value="esp"], 122) dnl no action/log/audit rich_rule_test([rule family="ipv4" masquerade drop], 122) dnl masquerade & action rich_rule_test([rule family="ipv4" icmp-block name="redirect" accept], 122) dnl icmp-block & action @@ -1029,6 +1047,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90' ]) FWD_CHECK([--check-config], 111, ignore, ignore) + IF_IPV6_SUPPORTED([ AT_DATA([./helpers/foobar.xml], [dnl @@ -1036,6 +1055,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90' ]) FWD_CHECK([--check-config], 103, ignore, ignore) + ]) AT_CHECK([rm ./helpers/foobar.xml]) dnl icmptype @@ -1278,6 +1298,7 @@ WARNING: Invalid rule: Invalid log level ]) FWD_CHECK([--check-config], 28, ignore, ignore) + IF_IPV6_SUPPORTED([ AT_DATA([./zones/foobar.xml], [dnl @@ -1292,6 +1313,7 @@ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept ])]) + ]) AT_CHECK([rm ./zones/foobar.xml]) FWD_END_TEST([-e '/ERROR:/d'dnl diff --git a/src/tests/regression/gh335.at b/src/tests/regression/gh335.at index 901e2fa04f69..54cc4c66e163 100644 
--- a/src/tests/regression/gh335.at
+++ b/src/tests/regression/gh335.at
@@ -7,12 +7,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 FWD_RELOAD
+IF_IPV6_SUPPORTED([
 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
 FWD_CHECK([-q --add-forward-port=port=12345:proto=tcp:toport=54321:toaddr="1234:5678::4321"])
 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])
 FWD_RELOAD
+])
 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
@@ -21,12 +23,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 FWD_RELOAD
+IF_IPV6_SUPPORTED([
 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
 NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])
 FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321" to-addr="1234:5678::4321"'])
 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore])
 FWD_RELOAD
+])
 dnl following tests should _not_ enable IP forwarding
 NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore])
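Review bot: The context line directly after the first added `])` in gh335.at still runs `NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])` outside any guard and expects exit status 0. If a host without IPv6 has no net.ipv6 sysctl tree (likely, though the definition of IF_IPV6_SUPPORTED is not in this patch), that write fails and the test breaks despite the new guards. The unguarded `grep "net.ipv6.conf.all.forwarding..."` checks that expect status 1 would then pass only because the key is absent, which proves nothing about forwarding staying disabled. Wrapping the writes would fix the first problem, e.g. `IF_IPV6_SUPPORTED([NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore])])`. The same applies to the unguarded IPv6 lines around the second and third hunks of this file, part of which lie outside the hunks.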
@@ -40,8 +44,10 @@ FWD_CHECK([-q --add-rich-rule='rule family=ipv4 forward-port port="12345" protoc
 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
+IF_IPV6_SUPPORTED([
 FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321"'])
 NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
 NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore])
+])
 FWD_END_TEST
diff --git a/src/tests/regression/rhbz1594657.at b/src/tests/regression/rhbz1594657.at
index c01a34012875..33b7bafe6b08 100644
--- a/src/tests/regression/rhbz1594657.at
+++ b/src/tests/regression/rhbz1594657.at
@@ -6,7 +6,9 @@ FWD_CHECK([--direct --passthrough ipv4 -t filter -C dummy_chain -j ACCEPT], 13,
 FWD_CHECK([--direct --passthrough ipv4 -t filter -L dummy_chain], 13, [ignore], [ignore])
 FWD_CHECK([--direct --passthrough ipv4 -t filter -L INPUT], 0, [ignore])
+m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl
 FWD_CHECK([--direct --passthrough ipv6 -t filter -C dummy_chain -j ACCEPT], 13, [ignore], [ignore])
 FWD_CHECK([--direct --passthrough ipv6 -t filter -L dummy_chain], 13, [ignore], [ignore])
 FWD_CHECK([--direct --passthrough ipv6 -t filter -L INPUT], 0, [ignore])
+])
 FWD_END_TEST
-- 2.20.1