Tree - rpms/firewalld - CentOS Git server

rpms / firewalld

Blame SOURCES/0005-tests-firewall-cmd-exercise-check-config.patch

Blob History Raw

		4d71d0	`From b388398d8c4b9859fba9b45371239bd2e5d6bfd4 Mon Sep 17 00:00:00 2001`
		4d71d0	`From: Eric Garver <e@erig.me>`
		4d71d0	`Date: Thu, 24 May 2018 16:30:41 -0400`
		4d71d0	`Subject: [PATCH 5/5] tests/firewall-cmd: exercise --check-config`
		4d71d0
		4d71d0	`This exercises the --check-config option for both firewall-cmd and`
		4d71d0	`firewall-offline-cmd.`
		4d71d0
		4d71d0	`We also remove the explicit check in config/Makefile as it's now part of`
		4d71d0	`the normal testsuite.`
		4d71d0
		4d71d0	`(cherry picked from commit c2bd43e71018ca4e43141ca93fab352e344f4a30)`
		4d71d0	`---`
		4d71d0	`src/tests/firewall-cmd.at \| 374 ++++++++++++++++++++++++++++++++++++++++++++++`
		4d71d0	`src/tests/functions.at \| 3 +`
		4d71d0	`2 files changed, 377 insertions(+)`
		4d71d0
		4d71d0	`diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at`
		4d71d0	`index 7364e9770d27..92cade844b9e 100644`
		4d71d0	`--- a/src/tests/firewall-cmd.at`
		4d71d0	`+++ b/src/tests/firewall-cmd.at`
		4d71d0	`@@ -840,3 +840,377 @@ FWD_END_TEST([-e '/ERROR: INVALID_RULE:/d' dnl`
		4d71d0	`-e '/ERROR: INVALID_LOG_LEVEL: eror/d' dnl`
		4d71d0	`-e '/ERROR: MISSING_FAMILY/d' dnl`
		4d71d0	`-e '/ERROR: INVALID_LIMIT: 1\/2m/d'])`
		4d71d0	`+`
		4d71d0	`+FWD_START_TEST([config validation])`
		4d71d0	`+ dnl default config`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore)`
		4d71d0	`+`
		4d71d0	`+ dnl The rest of these are negative test cases.`
		4d71d0	`+`
		4d71d0	`+ dnl firewalld.conf`
		4d71d0	`+ AT_CHECK([cp ./firewalld.conf ./firewalld.conf.orig])`
		4d71d0	`+ AT_CHECK([echo "SomeBogusField=yes" >> ./firewalld.conf])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+ERROR: Invalid option: 'SomeBogusField=yes'`
		4d71d0	`+ERROR: Invalid option: 'SomeBogusField=yes'`
		4d71d0	`+])])`
		4d71d0	`+ AT_CHECK([cp ./firewalld.conf.orig ./firewalld.conf])`
		4d71d0	`+`
		4d71d0	`+ dnl direct`
		4d71d0	`+ AT_DATA([./direct.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<direct>`
		4d71d0	`+<chain table="filter" ipv="ipv7" chain="foobar"/>`
		4d71d0	`+</direct>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 111, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./direct.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<direct>`
		4d71d0	`+<rule />`
		4d71d0	`+</direct>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./direct.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl lockdown-whitelist`
		4d71d0	`+ AT_DATA([./lockdown-whitelist.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<whitelist>`
		4d71d0	`+ <user uid="666"/>`
		4d71d0	`+</whitelist>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./lockdown-whitelist.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<whitelist>`
		4d71d0	`+ <uid id="666"/>`
		4d71d0	`+</whitelist>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./lockdown-whitelist.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<whitelist>`
		4d71d0	`+ <group name="foobar" />`
		4d71d0	`+</whitelist>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./lockdown-whitelist.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl ipset`
		4d71d0	`+ AT_CHECK([mkdir -p ./ipsets])`
		4d71d0	`+ AT_DATA([./ipsets/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<ipset type="hash:mac">`
		4d71d0	`+ <entry>12:34:56:78:90</entry>`
		4d71d0	`+</ipset>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90', ignoring.`
		4d71d0	`+WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90', ignoring.`
		4d71d0	`+])])`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./ipsets/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<ipset type="hash:mac">`
		4d71d0	`+ <entry bogus_attr="bogus">12:34:56:78:90:ab</entry>`
		4d71d0	`+</ipset>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./ipsets/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<ipset type="hash:ip,bogus">`
		4d71d0	`+</ipset>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 119, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./ipsets/foobar.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl helpers`
		4d71d0	`+ AT_CHECK([mkdir -p ./helpers])`
		4d71d0	`+ AT_DATA([./helpers/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<helper>`
		4d71d0	`+</helper>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./helpers/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<helper family="ipv7" module="nf_conntrack_ftp">`
		4d71d0	`+</helper>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 111, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./helpers/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<helper family="ipv6" module="nf_conntrack_ftp">`
		4d71d0	`+<port protocol="aoeui" port="666" />`
		4d71d0	`+</helper>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 103, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./helpers/foobar.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl icmptype`
		4d71d0	`+ AT_CHECK([mkdir -p ./icmptypes])`
		4d71d0	`+ AT_DATA([./icmptypes/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<bad_element />`
		4d71d0	`+<icmptype>`
		4d71d0	`+</icmptype>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./icmptypes/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<icmptype>`
		4d71d0	`+<destination unexpected_attr="foobar" />`
		4d71d0	`+</icmptype>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./icmptypes/foobar.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl services`
		4d71d0	`+ AT_CHECK([mkdir -p ./services])`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<protocol value="aoeui" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 103, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<protocol bad_attr="foo" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<bad_element />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<module module="bad_attr" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<port protocol="aoeu" port="666" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 103, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<port protocol="tcp" port="ssssssh" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 102, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<port protocol="tcp" port="22" />`
		4d71d0	`+<source-port protocol="tcp" port="sssssh" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 102, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./services/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<service>`
		4d71d0	`+<destination ipv4="224.0.0.1" ipv7="1234" />`
		4d71d0	`+</service>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+ AT_CHECK([rm ./services/foobar.xml])`
		4d71d0	`+`
		4d71d0	`+ dnl zones`
		4d71d0	`+ AT_CHECK([mkdir -p ./zones])`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 112, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<service name="bogus_service_name" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 101, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<port protocol="ipv4" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<protocol value="thisdoesnotexist" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 103, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<icmp-block invalid_attr=""/>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<icmp-type />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<masquerade value="true" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<forward-port port="666" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<forward-port protocol="sctppp" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<source-port port="-1" />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<interface />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<source />`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+WARNING: Invalid source: No address no ipset.`
		4d71d0	`+WARNING: Invalid source: No address no ipset.`
		4d71d0	`+])])`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<rule>`
		4d71d0	`+<source address="10.0.0.1/24" />`
		4d71d0	`+<limit />`
		4d71d0	`+</rule>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<rule family="ipv4">`
		4d71d0	`+<source address="10.0.0.1/24" />`
		4d71d0	`+<accept>`
		4d71d0	`+<limit value="none" />`
		4d71d0	`+</accept>`
		4d71d0	`+</rule>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+WARNING: INVALID_LIMIT: none: rule family="ipv4" source address="10.0.0.1/24" accept limit value="none"`
		4d71d0	`+WARNING: INVALID_LIMIT: none: rule family="ipv4" source address="10.0.0.1/24" accept limit value="none"`
		4d71d0	`+])])`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<rule>`
		4d71d0	`+<source address="10.0.0.1/24" />`
		4d71d0	`+<log level="super_critical" />`
		4d71d0	`+</rule>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+WARNING: Invalid rule: Invalid log level`
		4d71d0	`+WARNING: Invalid rule: Invalid log level`
		4d71d0	`+])])`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<rule family="ipv4">`
		4d71d0	`+<source address="10.0.0.1/24" />`
		4d71d0	`+<audit prefix="foobar" />`
		4d71d0	`+</rule>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 28, ignore, ignore)`
		4d71d0	`+`
		4d71d0	`+ AT_DATA([./zones/foobar.xml], [dnl`
		4d71d0	`+`
		4d71d0	`+<zone>`
		4d71d0	`+<rule family="ipv6">`
		4d71d0	`+<source address="10.0.0.1/24" />`
		4d71d0	`+<accept />`
		4d71d0	`+</rule>`
		4d71d0	`+</zone>`
		4d71d0	`+])`
		4d71d0	`+ FWD_CHECK([--check-config], 0, ignore, [dnl`
		4d71d0	`+m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl`
		4d71d0	`+WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept`
		4d71d0	`+WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept`
		4d71d0	`+])])`
		4d71d0	`+ AT_CHECK([rm ./zones/foobar.xml])`
		4d71d0	`+`
		4d71d0	`+FWD_END_TEST([-e '/ERROR:/d'dnl`
		4d71d0	`+ -e '/WARNING:/d'])`
		4d71d0	`diff --git a/src/tests/functions.at b/src/tests/functions.at`
		4d71d0	`index 7bd66d5c74fe..d9b1ce401bb0 100644`
		4d71d0	`--- a/src/tests/functions.at`
		4d71d0	`+++ b/src/tests/functions.at`
		4d71d0	`@@ -122,6 +122,9 @@ m4_define([FWD_CHECK], [`
		4d71d0	`m4_if(-1, m4_index([$1], [-default-zone]), [], [`
		4d71d0	`m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])`
		4d71d0	`])`
		4d71d0	`+ m4_if(-1, m4_index([$1], [--check-config]), [], [`
		4d71d0	`+ m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])`
		4d71d0	`+ ])`
		4d71d0	`], [`
		4d71d0	`m4_if(-1, m4_index([$1], [--timeout]), [`
		4d71d0	`m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])`
		4d71d0	`--`
		4d71d0	`2.16.3`
		4d71d0

rpms / firewalld

Source Code

Blame SOURCES/0005-tests-firewall-cmd-exercise-check-config.patch