From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Thu, 16 Jan 2020 09:02:28 -0500

Subject: [PATCH 27/37] test: enhance test for rhbz1729097

(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)

(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)

---

 src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-

 1 file changed, 105 insertions(+), 2 deletions(-)

diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at

index ce6dd075c2b5..5de9b5679023 100644

--- a/src/tests/regression/rhbz1715977.at

+++ b/src/tests/regression/rhbz1715977.at

@@ -1,9 +1,112 @@

-FWD_START_TEST([rich rule destination with service destination])

-AT_KEYWORDS(rich service rhbz1715977)

+FWD_START_TEST([rich rule source/destination with service destination])

+AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)

 FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])

 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])

 FWD_RELOAD

+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_internal_allow {

+            tcp dport 22 ct state new,untracked accept

+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept

+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept

+            udp dport 137 ct helper set "helper-netbios-ns-udp"

+            udp dport 137 ct state new,untracked accept

+            udp dport 138 ct state new,untracked accept

+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+            tcp dport 9090 ct state new,untracked accept

+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept

+        }

+    }

+])

+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED

+])

+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+])

+

+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])

+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_internal_allow {

+            tcp dport 22 ct state new,untracked accept

+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept

+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept

+            udp dport 137 ct helper set "helper-netbios-ns-udp"

+            udp dport 137 ct state new,untracked accept

+            udp dport 138 ct state new,untracked accept

+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+            tcp dport 9090 ct state new,untracked accept

+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept

+            ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept

+        }

+    }

+])

+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED

+])

+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+])

+

+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])

+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl

+    table inet firewalld {

+        chain filter_IN_internal_allow {

+            tcp dport 22 ct state new,untracked accept

+            ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept

+            ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept

+            udp dport 137 ct helper set "helper-netbios-ns-udp"

+            udp dport 137 ct state new,untracked accept

+            udp dport 138 ct state new,untracked accept

+            ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+            tcp dport 9090 ct state new,untracked accept

+            ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept

+            ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept

+            ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept

+        }

+    }

+])

+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED

+])

+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl

+    ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED

+    ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+    ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

+])

 FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])

 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])

-- 

2.23.0