From b2075eb46f1798ba897ca443ea14872b17267d69 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 13 Sep 2021 14:54:42 -0400
Subject: [PATCH 39/50] test(icmp): don't log blocked if ICMP inversion
Coverage: #696
Coverage: rhbz1945833
(cherry picked from commit b7d9a74731f9c5a1a6faf0f2959adcc315d2ca16)
(cherry picked from commit d45c614967cec6a608c93c1e8531089d7b1150bb)
---
src/tests/regression/gh696.at | 102 +++++++++++++++++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 103 insertions(+)
create mode 100644 src/tests/regression/gh696.at
diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at
new file mode 100644
index 000000000000..19b8d485a0a5
--- /dev/null
+++ b/src/tests/regression/gh696.at
@@ -0,0 +1,102 @@
+FWD_START_TEST([icmp-block-inversion no log blocked])
+AT_KEYWORDS(icmp gh696 rhbz1945833)
+
+FWD_CHECK([--permanent --zone public --remove-icmp-block-inversion], 0, [ignore], [ignore])
+FWD_CHECK([--permanent --zone public --add-icmp-block echo-request], 0, [ignore])
+FWD_RELOAD()
+
+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_deny {
+ icmp type echo-request reject with icmpx type admin-prohibited
+ icmpv6 type echo-request reject with icmpx type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
+])
+
+dnl since inversion is disabled we should get logs when the ICMP is blocked.
+FWD_CHECK([--set-log-denied all], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_deny {
+ icmp type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
+ icmp type echo-request reject with icmpx type admin-prohibited
+ icmpv6 type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: ""
+ icmpv6 type echo-request reject with icmpx type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: "
+ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
+])
+
+dnl ########################################
+dnl ########################################
+dnl Same as above, but with icmp block inversion.
+dnl ########################################
+dnl ########################################
+
+FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore])
+FWD_CHECK([--set-log-denied off], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+])
+
+dnl since inversion is enabled, it should be the same whether set-log-denied is
+dnl enabled or not.
+FWD_CHECK([--set-log-denied all], 0, [ignore])
+
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+])
+
+FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d'])
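Review bot: In the inversion half of the test (everything after `FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore])`) only the `*_allow` chains are listed, so a log rule that still landed in `filter_IN_public_deny` / `IN_public_deny` once `--set-log-denied all` is applied would go unnoticed, and that is precisely the case the subject line describes. I would add the three deny-chain listings after the second allow-chain block, `NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl ...])`, `IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ...])` and `IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ...])`, with an expected body that contains no `HOST_ICMP_BLOCK` entry. Whether that chain is expected to be empty or to hold some other rule in inversion mode cannot be told from this file, so the expected body should be taken from a verified run rather than guessed. The section comment could also say why the two allow listings must be identical, e.g. `dnl with inversion the listed ICMP types are accepted, so there is nothing to log as denied in this chain.`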
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index aadd948a459f..ba41a56b29b5 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -42,3 +42,4 @@ m4_include([regression/ipset_netmask_allowed.at])
m4_include([regression/rhbz1940928.at])
m4_include([regression/rhbz1936896.at])
m4_include([regression/rhbz1914935.at])
+m4_include([regression/gh696.at])
--
2.27.0