From 959584ced5e1c1853b62ff5e15c3e9fa49837ea4 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 30 May 2019 16:16:51 -0400
Subject: [PATCH 60/73] test: add coverage for #258 and #441

(cherry picked from commit 0c49548a4954a0c5f2a982fd3a46b135afa74965)
(cherry picked from commit 87235daf6290eba20c38178edca6c9bd7475caf3)
---
 src/tests/regression.at | 1 +
 src/tests/regression/gh258.at | 441 ++++++++++++++++++++++++++++++++++
 2 files changed, 442 insertions(+)
 create mode 100644 src/tests/regression/gh258.at

diff --git a/src/tests/regression.at b/src/tests/regression.at
index 8bcb576238e6..00690fc6459e 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -19,3 +19,4 @@ m4_include([regression/gh335.at])
 m4_include([regression/gh482.at])
 m4_include([regression/gh478.at])
 m4_include([regression/gh453.at])
+m4_include([regression/gh258.at])
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
new file mode 100644
index 000000000000..d0c4f2fa7432
--- /dev/null
+++ b/src/tests/regression/gh258.at
@@ -0,0 +1,441 @@
+FWD_START_TEST([zone dispatch layout])
+AT_KEYWORDS(zone gh258 gh441)
+
+FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
+IF_IPV6_SUPPORTED([
+FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
+])
+FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
+FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
+
+dnl verify layout of zone dispatch
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT {
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES {
+ ip6 saddr dead:beef::/54 goto filter_IN_public
+ ip saddr 1.2.3.0/24 goto filter_IN_work
+ goto filter_INPUT_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES_IFACES {
+ iifname "dummy1" goto filter_IN_public
+ iifname "dummy0" goto filter_IN_work
+ goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ ct state established,related accept
+ iifname "lo" accept
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES {
+ ip6 saddr dead:beef::/54 goto filter_FWDI_public
+ ip saddr 1.2.3.0/24 goto filter_FWDI_work
+ goto filter_FORWARD_IN_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES_IFACES {
+ iifname "dummy1" goto filter_FWDI_public
+ iifname "dummy0" goto filter_FWDI_work
+ goto filter_FWDI_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES {
+ ip6 daddr dead:beef::/54 goto filter_FWDO_public
+ ip daddr 1.2.3.0/24 goto filter_FWDO_work
+ goto filter_FORWARD_OUT_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES_IFACES {
+ oifname "dummy1" goto filter_FWDO_public
+ oifname "dummy0" goto filter_FWDO_work
+ goto filter_FWDO_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ ])dnl
+ jump raw_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto raw_PRE_public
+ ip saddr 1.2.3.0/24 goto raw_PRE_work
+ goto raw_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto raw_PRE_public
+ iifname "dummy0" goto raw_PRE_work
+ goto raw_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING {
+ jump mangle_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto mangle_PRE_public
+ ip saddr 1.2.3.0/24 goto mangle_PRE_work
+ goto mangle_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto mangle_PRE_public
+ iifname "dummy0" goto mangle_PRE_work
+ goto mangle_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES {
+ ip saddr 1.2.3.0/24 goto nat_PRE_work
+ goto nat_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto nat_PRE_public
+ iifname "dummy0" goto nat_PRE_work
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip daddr 1.2.3.0/24 goto nat_POST_work
+ goto nat_POSTROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_IFACES {
+ oifname "dummy1" goto nat_POST_public
+ oifname "dummy0" goto nat_POST_work
+ goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES {
+ ip6 saddr dead:beef::/54 goto nat_PRE_public
+ goto nat_PREROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES_IFACES {
+ iifname "dummy1" goto nat_PRE_public
+ iifname "dummy0" goto nat_PRE_work
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip6 daddr dead:beef::/54 goto nat_POST_public
+ goto nat_POSTROUTING_ZONES_IFACES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_IFACES {
+ oifname "dummy1" goto nat_POST_public
+ oifname "dummy0" goto nat_POST_work
+ goto nat_POST_public
+ }
+ }
+])
+], [
+
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
+ IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
+ FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
+ FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
+ FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
+ PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
+ POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
+ POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
+])
+
+
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all ::/0 ::/0
+ INPUT_direct all ::/0 ::/0
+ INPUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
+ IN_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
+ IN_public all ::/0 ::/0 @<:@goto@:>@
+ IN_work all ::/0 ::/0 @<:@goto@:>@
+ IN_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED
+ ACCEPT all ::/0 ::/0
+ FORWARD_direct all ::/0 ::/0
+ FORWARD_IN_ZONES all ::/0 ::/0
+ FORWARD_OUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
+ FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
+ FWDI_public all ::/0 ::/0 @<:@goto@:>@
+ FWDI_work all ::/0 ::/0 @<:@goto@:>@
+ FWDI_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
+ FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@
+ FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
+ FWDO_public all ::/0 ::/0 @<:@goto@:>@
+ FWDO_work all ::/0 ::/0 @<:@goto@:>@
+ FWDO_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
+ PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
+ PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+ PRE_work all ::/0 ::/0 @<:@goto@:>@
+ PRE_public all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all ::/0 ::/0
+ POSTROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
+ POST_public all ::/0 dead:beef::/54 @<:@goto@:>@
+ POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
+ POST_public all ::/0 ::/0 @<:@goto@:>@
+ POST_work all ::/0 ::/0 @<:@goto@:>@
+ POST_public all ::/0 ::/0 @<:@goto@:>@
+])
+])
+
+FWD_END_TEST
--
2.20.1
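Review bot: The ip6 `nat_POSTROUTING_ZONES_IFACES` chain is never verified in the nftables branch: the last NFT_LIST_RULES call before `], [` repeats the ip-family check made a few blocks earlier (`NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], ...` with `table ip firewalld`), so the ip6 oifname dispatch to `nat_POST_public`/`nat_POST_work` has no coverage and the test cannot catch a regression there. Change the header to `NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl` and the table line to ` table ip6 firewalld {`; the expected oifname rules inside are presumably identical to the ip ones. Separately, the IPv6 source is only added under IF_IPV6_SUPPORTED, yet the nft expectations list `ip6 saddr dead:beef::/54 ...` unconditionally, so on a host without IPv6 these comparisons would appear to fail unless NFT_LIST_RULES or the harness already accounts for that, which is worth confirming.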