From cc2b632a51ad32e7b3966f44057add92e45e60a5 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Fri, 14 Jun 2019 09:44:41 -0400

Subject: [PATCH 03/20] fix: tests: always list rules using macros

This is to make sure certain flags are used, e.g. "-w" for iptables.

Fixes: rhbz 1720650

(cherry picked from commit e527818500be462a724cd34c94948a2704560eb1)

---

 src/tests/features/rfc3964_ipv4.at            |  4 +-

 .../regression/icmp_block_in_forward_chain.at | 27 +++++--

 src/tests/regression/rhbz1514043.at           | 80 +++++++++++++++++--

 3 files changed, 98 insertions(+), 13 deletions(-)

diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at

index cce828c0b3de..baff411793b2 100644

--- a/src/tests/features/rfc3964_ipv4.at

+++ b/src/tests/features/rfc3964_ipv4.at

@@ -93,8 +93,8 @@ NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl

     }

 ])

-m4_if(iptables, FIREWALL_BACKEND, [

-NS_CHECK([ip6tables -w -n -t filter -L RFC3964_IPv4], 1, [ignore], [ignore])

+IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 0, [ignore], [dnl

+iptables: No chain/target/match by that name.

 ])

 IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

     ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT

diff --git a/src/tests/regression/icmp_block_in_forward_chain.at b/src/tests/regression/icmp_block_in_forward_chain.at

index 769315d9534e..7580bc179470 100644

--- a/src/tests/regression/icmp_block_in_forward_chain.at

+++ b/src/tests/regression/icmp_block_in_forward_chain.at

@@ -2,12 +2,27 @@ FWD_START_TEST([ICMP block present FORWARD chain])

 AT_KEYWORDS(icmp)

 FWD_CHECK([-q --zone=public --add-icmp-block=host-prohibited])

-m4_if(iptables, FIREWALL_BACKEND, [

-    NS_CHECK([IPTABLES -L IN_public_deny | grep "host-prohibited"], 0, ignore)

-    NS_CHECK([IPTABLES -L FWDI_public_deny | grep "host-prohibited"], 0, ignore)

-], [

-    NS_CHECK([nft list chain inet firewalld filter_IN_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)

-    NS_CHECK([nft list chain inet firewalld filter_FWDI_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)

+

+NFT_LIST_RULES([inet], [filter_IN_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_public_deny {

+            icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FWDI_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl

+    table inet firewalld {

+        chain filter_FWDI_public_deny {

+            icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

+    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited

+])

+IPTABLES_LIST_RULES([filter], [FWDI_public_deny], 0, [dnl

+    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited

 ])

 FWD_END_TEST

diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at

index 88ce4934e5ea..241cf547f7f3 100644

--- a/src/tests/regression/rhbz1514043.at

+++ b/src/tests/regression/rhbz1514043.at

@@ -7,11 +7,81 @@ FWD_RELOAD

 FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl

 services: cockpit dhcpv6-client samba ssh

 ])

+

 dnl check that log denied actually took effect

-m4_if(iptables, FIREWALL_BACKEND, [

-	NS_CHECK([IPTABLES -t filter -L | grep "FINAL_REJECT:"], 0, ignore)

-], [

-	NS_CHECK([nft list chain inet firewalld filter_INPUT | grep "FINAL_REJECT"], 0, ignore)

-	NS_CHECK([nft list chain inet firewalld filter_FORWARD | grep "FINAL_REJECT"], 0, ignore)

+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl

+    table inet firewalld {

+        chain filter_INPUT {

+            ct state established,related accept

+            ct status dnat accept

+            iifname "lo" accept

+            jump filter_INPUT_ZONES

+            ct state invalid log prefix "STATE_INVALID_DROP: "

+            ct state invalid drop

+            log prefix "FINAL_REJECT: "

+            reject with icmpx type admin-prohibited

+        }

+    }

+])

+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl

+    table inet firewalld {

+        chain filter_FORWARD {

+            ct state established,related accept

+            ct status dnat accept

+            iifname "lo" accept

+            ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable

+            jump filter_FORWARD_IN_ZONES

+            jump filter_FORWARD_OUT_ZONES

+            ct state invalid log prefix "STATE_INVALID_DROP: "

+            ct state invalid drop

+            log prefix "FINAL_REJECT: "

+            reject with icmpx type admin-prohibited

+        }

+    }

+])

+

+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

+    INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

+    INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "

+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

+    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "

+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

 ])

+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT

+    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0

+    LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "

+    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

+    LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "

+    REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl

+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT

+    ACCEPT all ::/0 ::/0

+    INPUT_direct all ::/0 ::/0

+    INPUT_ZONES all ::/0 ::/0

+    LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "

+    DROP all ::/0 ::/0 ctstate INVALID

+    LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "

+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

+])

+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl

+    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT

+    ACCEPT all ::/0 ::/0

+    FORWARD_direct all ::/0 ::/0

+    RFC3964_IPv4 all ::/0 ::/0

+    FORWARD_IN_ZONES all ::/0 ::/0

+    FORWARD_OUT_ZONES all ::/0 ::/0

+    LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "

+    DROP all ::/0 ::/0 ctstate INVALID

+    LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "

+    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited

+])

+

 FWD_END_TEST

-- 

2.20.1