64 lines
3.2 KiB
Diff
64 lines
3.2 KiB
Diff
|
From 63100ca625942e6be2c68422e7a48bc68f8d01c5 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Eric Garver <eric@garver.life>
|
||
|
|
Date: Fri, 13 Nov 2020 13:32:22 -0500
|
||
|
|
Subject: [PATCH 20/26] v1.0.0: test(rich): destination ipset: verify policy
|
||
|
|
support
|
||
|
|
|
||
|
|
(cherry picked from commit fdd120572cd45a6ea2515bc906b89482de6560ea)
|
||
|
|
---
|
||
|
|
src/tests/features/rich_destination_ipset.at | 23 ++++++++++++++++++++
|
||
|
|
1 file changed, 23 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/src/tests/features/rich_destination_ipset.at b/src/tests/features/rich_destination_ipset.at
|
||
|
|
index c07809141851..3286755d2252 100644
|
||
|
|
--- a/src/tests/features/rich_destination_ipset.at
|
||
|
|
+++ b/src/tests/features/rich_destination_ipset.at
|
||
|
|
@@ -1,9 +1,14 @@
|
||
|
|
FWD_START_TEST([rich destination ipset])
|
||
|
|
AT_KEYWORDS(rich ipset)
|
||
|
|
|
||
|
|
+FWD_CHECK([--permanent --new-policy=mypolicy], 0, [ignore])
|
||
|
|
+FWD_CHECK([--permanent --policy=mypolicy --add-ingress-zone ANY], 0, [ignore])
|
||
|
|
+FWD_CHECK([--permanent --policy=mypolicy --add-egress-zone HOST], 0, [ignore])
|
||
|
|
+
|
||
|
|
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, [ignore])
|
||
|
|
FWD_RELOAD
|
||
|
|
|
||
|
|
+dnl zone
|
||
|
|
FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
|
||
|
|
FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
|
||
|
|
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
|
||
|
|
@@ -20,11 +25,29 @@ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
|
||
|
|
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst
|
||
|
|
])
|
||
|
|
|
||
|
|
+dnl policy
|
||
|
|
+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
|
||
|
|
+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination ipset=foobar accept'], 0, [ignore])
|
||
|
|
+NFT_LIST_RULES([inet], [filter_IN_policy_mypolicy_allow], 0, [dnl
|
||
|
|
+ table inet firewalld {
|
||
|
|
+ chain filter_IN_policy_mypolicy_allow {
|
||
|
|
+ ip daddr @foobar accept
|
||
|
|
+ }
|
||
|
|
+ }
|
||
|
|
+])
|
||
|
|
+IPTABLES_LIST_RULES([filter], [IN_mypolicy_allow], 0, [dnl
|
||
|
|
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst
|
||
|
|
+])
|
||
|
|
+
|
||
|
|
dnl negative tests
|
||
|
|
FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
|
||
|
|
FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
|
||
|
|
FWD_CHECK([--permanent --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
|
||
|
|
FWD_CHECK([ --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
|
||
|
|
+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
|
||
|
|
+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination bogus=foobar accept'], 122, [ignore], [ignore])
|
||
|
|
+FWD_CHECK([--permanent --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
|
||
|
|
+FWD_CHECK([ --policy mypolicy --add-rich-rule='rule family=ipv4 destination address=10.0.0.1 ipset=foobar accept'], 121, [ignore], [ignore])
|
||
|
|
|
||
|
|
FWD_END_TEST([-e '/ERROR: INVALID_RULE: bad attribute/d'dnl
|
||
|
|
-e '/ERROR: INVALID_DESTINATION: address and ipset/d'])
|
||
|
|
--
|
||
|
|
2.43.0
|
||
|
|
|