From 8baba36ffff504e6c107448b002a553a2c072850 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 7 Aug 2019 08:41:11 -0400
Subject: [PATCH 78/79] test: regression/rhbz1734765: add coverage for rhbz
1738545
(cherry picked from commit 20cd5c7d29c586fa55e76d6f21adfee6a7ca34bb)
(cherry picked from commit cea43b784a092a8b155190b9988927daeeb0a0a4)
---
src/tests/regression/rhbz1734765.at | 46 +++++++++++++++++++++++++----
1 file changed, 41 insertions(+), 5 deletions(-)
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index 5145d716e576..de8e1ab40598 100644
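--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -1,5 +1,5 @@
 FWD_START_TEST([zone sources ordered by name])
-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166)
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
 dnl
 dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
 dnl
@@ -11,20 +11,28 @@ FWD_CHECK([-q --permanent --new-zone=foobar_03])
 FWD_CHECK([-q --permanent --new-zone=foobar_01])
 FWD_CHECK([-q --permanent --new-zone=foobar_04])
 FWD_CHECK([-q --permanent --new-zone=foobar_010])
+FWD_CHECK([-q --permanent --new-zone=foobar_011])
+FWD_CHECK([-q --permanent --new-zone=foobar_012])
 
-FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1"])
+FWD_CHECK([-q --permanent --new-ipset 'ipsetv4' --type hash:ip])
+FWD_CHECK([-q --permanent --new-ipset 'ipsetv6' --type hash:ip --family=inet6])
+FWD_CHECK([-q --permanent --ipset ipsetv4 --add-entry '192.0.2.12'])
+FWD_CHECK([-q --permanent --ipset ipsetv6 --add-entry '::2'])
+
+FWD_CHECK([-q --permanent --zone=foobar_011 --add-source ipset:ipsetv4])
 FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="10.1.1.0/24"])
 FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="10.1.0.0/16"])
-FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24"])
 FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="10.2.0.0/16"])
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24"])
 FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="10.0.0.0/8"])
 IF_IPV6_SUPPORTED([
-FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="1234:5678::1:1:1"])
 FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="1234:5678::1:1:0/112"])
 FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="1234:5678::1:0:0/96"])
-FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="1234:5678::2:2:0/112"])
 FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="1234:5678::2:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="1234:5678::2:2:0/112"])
 FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="1234:5678::0:0:0/80"])
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="1234:5678::1:1:1"])
 ])
 
 FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
@@ -32,11 +40,31 @@ FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
 
 FWD_RELOAD
 
+NFT_LIST_SET([ipsetv4], 0, [dnl
+ table inet firewalld {
+ set ipsetv4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.2.12 }
+ }
+ }
+])
+NFT_LIST_SET([ipsetv6], 0, [dnl
+ table inet firewalld {
+ set ipsetv6 {
+ type ipv6_addr
+ flags interval
+ elements = { ::2 }
+ }
+ }
+])
+
 FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
 FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
 IF_IPV6_SUPPORTED([
 FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
 FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
 ])
 FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
 
@@ -50,6 +78,8 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
 ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
 ip saddr 10.10.10.10 goto filter_IN_foobar_010
 ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
+ ip saddr @ipsetv4 goto filter_IN_foobar_011
+ ip6 saddr @ipsetv6 goto filter_IN_foobar_012
 ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
 ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
 ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
@@ -73,6 +103,7 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
 ip daddr 10.1.1.1 goto nat_POST_foobar_00
 ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
 ip daddr 10.10.10.10 goto nat_POST_foobar_010
+ ip daddr @ipsetv4 goto nat_POST_foobar_011
 ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
 ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
 ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
@@ -91,6 +122,7 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
 ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
 ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
 ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
+ ip6 daddr @ipsetv6 goto nat_POST_foobar_012
 ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
 ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
 ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
@@ -109,6 +141,7 @@ IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
 [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
 IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
 IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
+ IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
 IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
 IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
 IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
@@ -123,6 +156,7 @@ IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
 [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
 IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
 IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
+ IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
 IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
 IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
 IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
@@ -137,6 +171,7 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
 [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
 POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
 POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
+ POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
 POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
 POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
 POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
@@ -151,6 +186,7 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
 [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
 POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
 POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
+ POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
 POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
 POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
 POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]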
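Review bot: The new ipset setup (the `--new-ipset` and `--add-source ipset:` lines in the second and third hunks) has no `dnl` comment explaining why `foobar_011` is bound to `ipsetv4` in the permanent configuration while `foobar_012` is bound to `ipsetv6` only at runtime, inside `IF_IPV6_SUPPORTED`. If the split is meant to cover both paths, say so above the block, e.g. `dnl rhbz1738545: ipset sources must sort by zone name too; ipsetv4 is bound permanently, ipsetv6 at runtime`. As written, the permanent path for ipset sources is exercised only for IPv4 and the runtime path only for IPv6, so a regression in the other combination would pass. The set entries (`192.0.2.12`, `::2`) also do not overlap any address source in the test, so the expectations pin rule position only; that is worth a comment because dispatch order decides which zone's policy a packet is matched against.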
--
2.20.1