From 942c551547e23965f1653776f140297f790a4400 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 16 Oct 2019 12:56:57 -0400
Subject: [PATCH 118/122] fix: tests: convert nftables fib checks to runtime
Instead of when the testsuite is generated.
(cherry picked from commit d5d05165222eb7a4933aace8fe2bc9c46bddab36)
(cherry picked from commit 4aa4e01315b3404370ecaef661cc7eba604eee3d)
---
src/tests/dbus/firewalld.conf.at | 16 +++++++++++++---
src/tests/functions.at | 26 +++++++++++++-------------
src/tests/regression/gh258.at | 26 +++++++++++++++++---------
src/tests/regression/gh509.at | 2 +-
4 files changed, 44 insertions(+), 26 deletions(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 3887d7ee4a7d..05eb3dd5f650 100644
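--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -1,17 +1,27 @@
 FWD_START_TEST([firewalld.conf])
 
 dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+IF_HOST_SUPPORTS_NFT_FIB([
 DBUS_GETALL([config], [config], 0, [dnl
 string "AutomaticHelpers" : variant string "system"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
-m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
-string "IPv6_rpfilter" : variant string "no"],[dnl
-string "IPv6_rpfilter" : variant string "yes"])
+string "IPv6_rpfilter" : variant string "yes"
 string "IndividualCalls" : variant string "no"
 string "Lockdown" : variant string "no"
 string "LogDenied" : variant string "off"
 string "MinimalMark" : variant int32 100
+])], [
+DBUS_GETALL([config], [config], 0, [dnl
+string "AutomaticHelpers" : variant string "system"
+string "CleanupOnExit" : variant string "no"
+string "DefaultZone" : variant string "public"
+string "IPv6_rpfilter" : variant string "no"
+string "IndividualCalls" : variant string "no"
+string "Lockdown" : variant string "no"
+string "LogDenied" : variant string "off"
+string "MinimalMark" : variant int32 100
+])
 ])
 
 m4_define([_helper], [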
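Review bot: The two `DBUS_GETALL` expectations inside `IF_HOST_SUPPORTS_NFT_FIB` repeat the same eight property lines and differ only in the `IPv6_rpfilter` value, so a property added to the defaults later must be edited in both arms. A given host only ever runs one arm, so the other can go stale without any test failing. The same two-arm duplication appears in the `raw_PREROUTING` check in src/tests/regression/gh258.at. At minimum I would add a line above the macro call such as `dnl Both arms must stay identical except for IPv6_rpfilter (yes with nft fib support, no without).`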
diff --git a/src/tests/functions.at b/src/tests/functions.at
index debabba8b8eb..fb68388776c9 100644
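--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -74,7 +74,7 @@ m4_define([FWD_START_TEST], [
 dnl fib matching is pretty new in nftables. Don't use rpfilter on older
 dnl kernels.
 m4_if(nftables, FIREWALL_BACKEND, [
- m4_if(no, HOST_SUPPORTS_NFT_FIB, [
+ IF_HOST_SUPPORTS_NFT_FIB([], [
 sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=no/' ./firewalld.conf
 ])
 ])
@@ -406,22 +406,22 @@ m4_define([CHECK_NFT_CT_HELPER], [
 ])
 ])
 
-m4_ifnblank(
- m4_esyscmd([
- KERNEL_MAJOR=`uname -r | cut -d. -f1`
- KERNEL_MINOR=`uname -r | cut -d. -f2`
- if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 10 || test ${KERNEL_MAJOR} -gt 4; then
- echo -n "yes"
- fi
- ]),
- [m4_define([HOST_SUPPORTS_NFT_FIB], [yes])],
- [m4_define([HOST_SUPPORTS_NFT_FIB], [no])]
-)
-
 m4_define([CHECK_MODULE_PROTO_GRE], [
 AT_SKIP_IF([! NS_CMD([modinfo nf_conntrack_proto_gre])])
 ])
 
+m4_define([IF_HOST_SUPPORTS_NFT_FIB], [
+ KERNEL_MAJOR=`uname -r | cut -d. -f1`
+ KERNEL_MINOR=`uname -r | cut -d. -f2`
+ if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 10 || test ${KERNEL_MAJOR} -gt 4; then
+ :
+ $1
+ else
+ :
+ $2
+ fi
+])
+
 m4_define([NFT_NUMERIC_ARGS], m4_esyscmd([nft -h |grep "numeric-protocol" >/dev/null && echo -n "" || { echo -n "-" && echo -n "nn"; } ]))
 
 m4_define([HOST_SUPPORTS_IP6TABLES], m4_esyscmd(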
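Review bot: In the new `IF_HOST_SUPPORTS_NFT_FIB` macro (second hunk), any `uname -r` field that is not a plain integer makes the unquoted `test ${KERNEL_MAJOR} -eq 4` / `test ${KERNEL_MINOR} -ge 10` fail with an error, and the `else` arm runs. That arm is the one that makes FWD_START_TEST write `IPv6_rpfilter=no` and makes the other tests expect no fib rule, so a parse problem would silently drop the reverse-path-filter assertions instead of surfacing. I would append `| cut -d- -f1` to the `KERNEL_MINOR` pipeline and quote the operands with a default, e.g. `test "${KERNEL_MAJOR:-0}" -eq 4 && test "${KERNEL_MINOR:-0}" -ge 10`. A comment above the definition would also help, e.g. `dnl IF_HOST_SUPPORTS_NFT_FIB(if-supported, if-not): evaluated by the shell at test run time; kernel >= 4.10 is used as a proxy for nft fib support.` The version number is only a heuristic for the feature, which presumably matters on kernels with backports.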
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index fb863c35528e..a4b86e8a006f 100644
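--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -66,16 +66,24 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
 }
 }
 ])
-NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
- table inet firewalld {
- chain raw_PREROUTING {
- m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
- icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
- meta nfproto ipv6 fib saddr . iif oif missing drop
- ])dnl
- jump raw_PREROUTING_ZONES
+IF_HOST_SUPPORTS_NFT_FIB([
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ jump raw_PREROUTING_ZONES
+ }
 }
- }
+ ])
+], [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
 ])
 NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
 table inet firewalld {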
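Review bot: The second arm of `IF_HOST_SUPPORTS_NFT_FIB` asserts that `raw_PREROUTING` contains only the jump, i.e. that the `fib saddr . iif oif missing drop` rule is absent, and nothing in this file says why that is the expected state. It appears to hold only because FWD_START_TEST in functions.at rewrites `IPv6_rpfilter=no` under the same condition. A comment as the first line of that arm would tie the two together, e.g. `dnl No nft fib support: FWD_START_TEST set IPv6_rpfilter=no, so no rpfilter rules are expected here.` The `NFT_LIST_RULES` call for `raw_PREROUTING_ZONES` that follows continues outside the hunk.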
diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at
index 44074fda3550..00cc51c9c51f 100644
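--- a/src/tests/regression/gh509.at
+++ b/src/tests/regression/gh509.at
@@ -4,7 +4,7 @@ AT_KEYWORDS(gh509)
 dnl We're going to wipe the config below and therefore use the defaults. As
 dnl such, if our test host doesn't support defaults then we must skip this test
 dnl group.
-m4_if(no, HOST_SUPPORTS_NFT_FIB, [AT_SKIP_IF([:])])
+IF_HOST_SUPPORTS_NFT_FIB([], [AT_SKIP_IF([:])])
 
 AT_CHECK([if ! rm ./firewalld.conf; then exit 77; fi])
 FWD_RESTART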
--
2.23.0