From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 10:48:35 -0400
Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests
(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4)
(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c)
---
src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index 8059e29fe71a..fbb33a419c56 100644
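--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140)
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore)
 FWD_RELOAD
+NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
+ table inet firewalld {
+ chain mangle_PRE_public_allow {
+ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+ }
+ }
+])
 NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
 table inet firewalld {
 chain filter_IN_public_allow {
@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
 }
 }
 ])
+IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+])
 IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
 ])
+IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86
+])
 IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
 ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
 ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
 ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
 ])
 
-FWD_END_TEST
+dnl verify bad icmptypes are rejected
+FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+IF_HOST_SUPPORTS_IPV6_RULES([
+FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+])
+
+FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])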
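Review bot: The log filter on the last added line, `FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])`, discards every INVALID_ICMPTYPE error from the end-of-test log check, so an unexpected rejection of one of the valid types added at the top of the test (for example during `FWD_RELOAD`) would no longer surface through the log. If the logged message carries the offending name, the expression could be narrowed to the two names the negative checks use (`bogus` and `timestamp-request`); that is an assumption about the message format to confirm. The four negative `FWD_CHECK` calls pin only exit status 107 and ignore stderr, so the log is the only place the error text is looked at, which makes the breadth of the filter matter more. A short comment above the new mangle expectations, such as `dnl bad-header is expected to yield an IPv6-only mark rule, so the IPv4 mangle chain stays empty`, would explain why `IPTABLES_LIST_RULES([mangle], [PRE_public_allow], ...)` expects no output.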
--
2.28.0