From b2075eb46f1798ba897ca443ea14872b17267d69 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 13 Sep 2021 14:54:42 -0400
Subject: [PATCH 39/50] test(icmp): don't log blocked if ICMP inversion

Coverage: #696
Coverage: rhbz1945833
(cherry picked from commit b7d9a74731f9c5a1a6faf0f2959adcc315d2ca16)
(cherry picked from commit d45c614967cec6a608c93c1e8531089d7b1150bb)
---
 src/tests/regression/gh696.at | 102 +++++++++++++++++++++++++++++
 src/tests/regression/regression.at | 1 +
 2 files changed, 103 insertions(+)
 create mode 100644 src/tests/regression/gh696.at

diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at
new file mode 100644
index 000000000000..19b8d485a0a5
--- /dev/null
+++ b/src/tests/regression/gh696.at
@@ -0,0 +1,102 @@
+FWD_START_TEST([icmp-block-inversion no log blocked])
+AT_KEYWORDS(icmp gh696 rhbz1945833)
+
+FWD_CHECK([--permanent --zone public --remove-icmp-block-inversion], 0, [ignore], [ignore])
+FWD_CHECK([--permanent --zone public --add-icmp-block echo-request], 0, [ignore])
+FWD_RELOAD()
+
+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_deny {
+ icmp type echo-request reject with icmpx type admin-prohibited
+ icmpv6 type echo-request reject with icmpx type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
+])
+
+dnl since inversion is disabled we should get logs when the ICMP is blocked.
+FWD_CHECK([--set-log-denied all], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_deny {
+ icmp type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
+ icmp type echo-request reject with icmpx type admin-prohibited
+ icmpv6 type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
+ icmpv6 type echo-request reject with icmpx type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
+ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
+])
+
+dnl ########################################
+dnl ########################################
+dnl Same as above, but with icmp block inversion.
+dnl ########################################
+dnl ########################################
+
+FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore])
+FWD_CHECK([--set-log-denied off], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+])
+
+dnl since inversion is enabled, it should be the same whether set-log-denied is
+dnl enabled or not.
+FWD_CHECK([--set-log-denied all], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+])
+
+FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])
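Review bot: The inversion half of the test lists only `filter_IN_public_allow` / `IN_public_allow`, so it proves the allowed echo-request gets no HOST_ICMP_BLOCK log rule but never shows the chain where the remaining ICMP types are actually rejected once inversion is on and `--set-log-denied all` is set; a regression that dropped that reject, or re-attached the ICMP_BLOCK log to the wrong side, would still pass. I would add a matching NFT_LIST_RULES / IPTABLES_LIST_RULES / IP6TABLES_LIST_RULES for that chain after the second `FWD_CHECK([--set-log-denied all], 0, [ignore])` (presumably `filter_IN_public_deny` or the zone's catch-all chain — confirm against the nftables and iptables backends before pinning the expected rules). Separately, `--add-icmp-block-inversion` is applied with `--permanent` and no `FWD_RELOAD()` follows it, so the later allow-chain assertions depend on `--set-log-denied off` reloading runtime state; making that explicit with a `FWD_RELOAD()` right after the add, or a `dnl` line stating the dependency, keeps the test from breaking silently if that side effect ever changes. The file is new, so the FWD_START_TEST/FWD_END_TEST unit is complete within this hunk.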
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index aadd948a459f..ba41a56b29b5 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -42,3 +42,4 @@ m4_include([regression/ipset_netmask_allowed.at])
 m4_include([regression/rhbz1940928.at])
 m4_include([regression/rhbz1936896.at])
 m4_include([regression/rhbz1914935.at])
+m4_include([regression/gh696.at])
-- 
2.27.0