|
 |
3d17f4 |
diff -up firewalld-0.3.9/src/tests/firewall-cmd_test.sh.RHBZ#1261502 firewalld-0.3.9/src/tests/firewall-cmd_test.sh
|
|
|
3d17f4 |
--- firewalld-0.3.9/src/tests/firewall-cmd_test.sh.RHBZ#1261502 2015-09-09 17:20:20.935578859 +0200
|
|
|
3d17f4 |
+++ firewalld-0.3.9/src/tests/firewall-cmd_test.sh 2015-09-09 17:18:24.729287573 +0200
|
|
|
3d17f4 |
@@ -0,0 +1,730 @@
|
|
|
3d17f4 |
+#!/bin/bash
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+#readonly path="/usr/bin/"
|
|
|
3d17f4 |
+readonly path="../"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+readonly RED='\033[00;31m'
|
|
|
3d17f4 |
+readonly GREEN='\033[00;32m'
|
|
|
3d17f4 |
+readonly RESTORE='\033[0m'
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ${path}firewall-cmd ${args} > /dev/null
|
|
|
3d17f4 |
+ if [[ "$?" -eq 0 ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_notempty() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+ local ret
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
+ if [[ ( "$?" -eq 0 ) && ( -n "${ret}" ) ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or empty return value)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_empty() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+ local ret
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
+ if [[ ( "$?" -eq 0 ) && ( -z "${ret}" ) ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or non-empty return value)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_equals() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+ local value="${2}"
|
|
|
3d17f4 |
+ local ret
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
+ if [[ ( "$?" -eq 0 ) && ( "${ret}" = "${value}" ) ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or '${ret}' != '${value}')${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_contains() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+ local value="${2}"
|
|
|
3d17f4 |
+ local ret
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
+ if [[ ( "$?" -eq 0 ) && ( "${ret}" = *${value}* ) ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or '${ret}' does not contain '${value}')${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ${path}firewall-cmd ${args} 1> /dev/null 2>&1
|
|
|
3d17f4 |
+ if [[ "$?" -ne 0 ]]; then
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (zero exit status)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad_contains() {
|
|
|
3d17f4 |
+ local args="${1}"
|
|
|
3d17f4 |
+ local value="${2}"
|
|
|
3d17f4 |
+ local ret
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
+ if [[ ( "$?" -ne 0 ) || ( "${ret}" = *${value}* ) ]]; then
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or '${ret}' does contain '${value}')${RESTORE}"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ echo "${args} ... OK"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# rich rules need separate assert methods because of quotation hell
|
|
|
3d17f4 |
+assert_rich_good() {
|
|
|
3d17f4 |
+ local operation="${1}"
|
|
|
3d17f4 |
+ local args="${2}"
|
|
|
3d17f4 |
+ local command
|
|
|
3d17f4 |
+ local permanent
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ [[ "${operation}" = *permanent* ]] && permanent="--permanent"
|
|
|
3d17f4 |
+ if [[ "${operation}" = *add* ]]; then
|
|
|
3d17f4 |
+ command="--add-rich-rule"
|
|
|
3d17f4 |
+ elif [[ "${operation}" = *remove* ]]; then
|
|
|
3d17f4 |
+ command="--remove-rich-rule"
|
|
|
3d17f4 |
+ elif [[ "${operation}" = *query* ]]; then
|
|
|
3d17f4 |
+ command="--query-rich-rule"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ${path}firewall-cmd ${permanent} ${command} "${args}" > /dev/null
|
|
|
3d17f4 |
+ if [[ "$?" -eq 0 ]]; then
|
|
|
3d17f4 |
+ echo ${permanent} ${command} "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e ${permanent} ${command} "${args} ... ${RED}${failures}. FAILED (non-zero exit status)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_rich_bad() {
|
|
|
3d17f4 |
+ local operation="${1}"
|
|
|
3d17f4 |
+ local args="${2}"
|
|
|
3d17f4 |
+ local command
|
|
|
3d17f4 |
+ local permanent
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ [[ "${operation}" = *permanent* ]] && permanent="--permanent"
|
|
|
3d17f4 |
+ if [[ "${operation}" = *add* ]]; then
|
|
|
3d17f4 |
+ command="--add-rich-rule"
|
|
|
3d17f4 |
+ elif [[ "${operation}" = *remove* ]]; then
|
|
|
3d17f4 |
+ command="--remove-rich-rule"
|
|
|
3d17f4 |
+ elif [[ "${operation}" = *query* ]]; then
|
|
|
3d17f4 |
+ command="--query-rich-rule"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ ${path}firewall-cmd ${permanent} ${command} "${args}" > /dev/null
|
|
|
3d17f4 |
+ if [[ "$?" -ne 0 ]]; then
|
|
|
3d17f4 |
+ echo ${permanent} ${command} "${args} ... OK"
|
|
|
3d17f4 |
+ else
|
|
|
3d17f4 |
+ ((failures++))
|
|
|
3d17f4 |
+ echo -e ${permanent} ${command} "${args} ... ${RED}${failures}. FAILED (zero exit status)${RESTORE}"
|
|
|
3d17f4 |
+ fi
|
|
|
3d17f4 |
+}
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+if ! ${path}firewall-cmd --state --quiet; then
|
|
|
3d17f4 |
+ echo "FirewallD is not running"
|
|
|
3d17f4 |
+ exit 1
|
|
|
3d17f4 |
+fi
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# MAIN
|
|
|
3d17f4 |
+failures=0
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "-h"
|
|
|
3d17f4 |
+assert_good "--help"
|
|
|
3d17f4 |
+assert_good "-V"
|
|
|
3d17f4 |
+assert_good "--reload"
|
|
|
3d17f4 |
+assert_good "--complete-reload"
|
|
|
3d17f4 |
+assert_good "--panic-on"
|
|
|
3d17f4 |
+assert_good "--query-panic"
|
|
|
3d17f4 |
+assert_good "--panic-off"
|
|
|
3d17f4 |
+assert_bad "--query-panic"
|
|
|
3d17f4 |
+#assert_good "--lockdown-on"
|
|
|
3d17f4 |
+#assert_good "--query-lockdown"
|
|
|
3d17f4 |
+#assert_good "--lockdown-off"
|
|
|
3d17f4 |
+#assert_bad "--query-lockdown"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+default_zone=$(${path}firewall-cmd --get-default-zone)
|
|
|
3d17f4 |
+zone="home"
|
|
|
3d17f4 |
+assert_good_notempty "--get-default-zone"
|
|
|
3d17f4 |
+assert_good "--set-default-zone=${zone}"
|
|
|
3d17f4 |
+assert_good_equals "--get-default-zone" "${zone}"
|
|
|
3d17f4 |
+assert_good "--set-default-zone=${default_zone}"
|
|
|
3d17f4 |
+assert_bad "--set-default-zone" # missing argument
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_notempty "--get-zones"
|
|
|
3d17f4 |
+assert_good_notempty "--get-services"
|
|
|
3d17f4 |
+assert_good_notempty "--get-icmptypes"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_notempty "--permanent --get-zones"
|
|
|
3d17f4 |
+assert_good_notempty "--permanent --get-services"
|
|
|
3d17f4 |
+assert_good_notempty "--permanent --get-icmptypes"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--list-all-zones"
|
|
|
3d17f4 |
+assert_good "--list-all"
|
|
|
3d17f4 |
+assert_good "--permanent --list-all-zones"
|
|
|
3d17f4 |
+assert_good "--permanent --list-all"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+iface="dummy0"
|
|
|
3d17f4 |
+zone="work"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --add-interface=${iface}"
|
|
|
3d17f4 |
+assert_good_equals "--get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+assert_good_contains "--get-active-zones" "${zone}"
|
|
|
3d17f4 |
+assert_good "--zone ${zone} --query-interface=${iface}"
|
|
|
3d17f4 |
+zone="public"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --change-interface=${iface}"
|
|
|
3d17f4 |
+assert_good_equals "--get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+zone="dmz"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --change-zone=${iface}"
|
|
|
3d17f4 |
+assert_good_equals "--get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+assert_good_contains "--zone=${zone} --list-interfaces" "${iface}"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --remove-interface=${iface}"
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --query-interface ${iface}"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --change-interface=${iface}" # should work as add
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --query-interface ${iface}"
|
|
|
3d17f4 |
+assert_good "--zone=${zone} --remove-interface=${iface}"
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --query-interface ${iface}"
|
|
|
3d17f4 |
+assert_bad "--get-zone-of-interface=${iface}" # in no zone
|
|
|
3d17f4 |
+assert_bad "--get-zone-of-interface" # missing argument
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --get-zones" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --get-services" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --get-default-zone" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --set-default-zone" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--zone=${zone} --get-zone-of-interface" # impossible combination
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+iface="perm_dummy0"
|
|
|
3d17f4 |
+zone="work"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${zone} --add-interface=${iface}"
|
|
|
3d17f4 |
+assert_good_equals "--permanent --get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --zone ${zone} --query-interface=${iface}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=${zone} --list-interfaces" "${iface}"
|
|
|
3d17f4 |
+zone="public"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=${zone} --add-interface=${iface}" # already in another zone
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${zone} --change-interface=${iface}"
|
|
|
3d17f4 |
+assert_good_equals "--permanent --get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${zone} --remove-interface=${iface}"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=${zone} --query-interface ${iface}"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${zone} --change-interface=${iface}" # should work as add
|
|
|
3d17f4 |
+assert_good_equals "--permanent --get-zone-of-interface=${iface}" "${zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${zone} --remove-interface=${iface}"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=${zone} --query-interface ${iface}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+iface1="foo"
|
|
|
3d17f4 |
+iface2="bar"
|
|
|
3d17f4 |
+zone="trusted"
|
|
|
3d17f4 |
+assert_good "--add-interface=${iface1}"
|
|
|
3d17f4 |
+assert_good "--add-interface=${iface2} --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--set-default-zone=${zone}"
|
|
|
3d17f4 |
+assert_good_equals "--get-default-zone" "${zone}"
|
|
|
3d17f4 |
+# check that changing default zone moves interfaces in that zone
|
|
|
3d17f4 |
+assert_good "--query-interface ${iface1} --zone=${zone}"
|
|
|
3d17f4 |
+# check that *only* iface1 was moved to new default zone
|
|
|
3d17f4 |
+assert_good "--query-interface ${iface2} --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--set-default-zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-interface=${iface1}"
|
|
|
3d17f4 |
+assert_good "--remove-interface=${iface2}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+sources=( "dead:beef::babe" "3ffe:501:ffff::/64" "1.2.3.4" "192.168.1.0/24" )
|
|
|
3d17f4 |
+for (( i=0;i<${#sources[@]};i++)); do
|
|
|
3d17f4 |
+ zone="public"
|
|
|
3d17f4 |
+ source=${sources[${i}]}
|
|
|
3d17f4 |
+ assert_good "--zone=${zone} --add-source=${source}"
|
|
|
3d17f4 |
+ assert_good_equals "--get-zone-of-source=${source}" "${zone}"
|
|
|
3d17f4 |
+ assert_good_contains "--zone=${zone} --list-sources" "${source}"
|
|
|
3d17f4 |
+ assert_good_contains "--zone=${zone} --list-all" "${source}"
|
|
|
3d17f4 |
+ assert_good_contains "--get-active-zones" "${source}"
|
|
|
3d17f4 |
+ assert_good "--zone ${zone} --query-source=${source}"
|
|
|
3d17f4 |
+ zone="work"
|
|
|
3d17f4 |
+ assert_good "--zone=${zone} --change-source=${source}"
|
|
|
3d17f4 |
+ assert_good_equals "--get-zone-of-source=${source}" "${zone}"
|
|
|
3d17f4 |
+ assert_good "--zone=${zone} --remove-source=${source}"
|
|
|
3d17f4 |
+ assert_bad "--zone ${zone} --query-source=${source}"
|
|
|
3d17f4 |
+ assert_bad "--get-zone-of-source=${source}" # in no zone
|
|
|
3d17f4 |
+ assert_bad "--get-zone-of-source" # missing argument
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+for (( i=0;i<${#sources[@]};i++)); do
|
|
|
3d17f4 |
+ zone="public"
|
|
|
3d17f4 |
+ source=${sources[${i}]}
|
|
|
3d17f4 |
+ assert_good "--permanent --zone=${zone} --add-source=${source}"
|
|
|
3d17f4 |
+ assert_good_equals "--permanent --get-zone-of-source=${source}" "${zone}"
|
|
|
3d17f4 |
+ assert_good_contains "--permanent --zone=${zone} --list-sources" "${source}"
|
|
|
3d17f4 |
+ assert_good_contains "--permanent --zone=${zone} --list-all" "${source}"
|
|
|
3d17f4 |
+ assert_good "--permanent --zone ${zone} --query-source=${source}"
|
|
|
3d17f4 |
+ zone="work"
|
|
|
3d17f4 |
+ assert_bad "--permanent --zone=${zone} --add-source=${source}" # already in another zone
|
|
|
3d17f4 |
+ assert_good "--permanent --zone=${zone} --change-source=${source}"
|
|
|
3d17f4 |
+ assert_good_equals "--permanent --get-zone-of-source=${source}" "${zone}"
|
|
|
3d17f4 |
+ assert_good "--permanent --zone=${zone} --remove-source=${source}"
|
|
|
3d17f4 |
+ assert_bad "--permanent --zone ${zone} --query-source=${source}"
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good " --add-service=dns --timeout 60 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good " --query-service dns"
|
|
|
3d17f4 |
+assert_good "--remove-service=dns"
|
|
|
3d17f4 |
+assert_bad " --query-service=dns"
|
|
|
3d17f4 |
+assert_bad " --add-service=smtps" # bad service name
|
|
|
3d17f4 |
+assert_bad " --add-service=dns --timeout" # missing argument
|
|
|
3d17f4 |
+assert_bad " --add-service=dns --add-interface=dummy0" # impossible combination
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --add-service=dns --timeout 60" # impossible combination
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --add-service dns"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=external --list-services" "dns"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --query-service dns"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --remove-service=dns"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --query-service=dns" # removed
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --add-service=smtps" # bad service name
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --add-service=dns --add-interface=dummy0" # impossible combination
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good " --add-service=http --add-service=nfs --timeout=1h"
|
|
|
3d17f4 |
+assert_good " --query-service http"
|
|
|
3d17f4 |
+assert_good " --query-service=nfs --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-service=nfs --remove-service=http"
|
|
|
3d17f4 |
+assert_bad " --query-service http"
|
|
|
3d17f4 |
+assert_bad " --query-service nfs"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-service=http --add-service=nfs"
|
|
|
3d17f4 |
+assert_good "--permanent --query-service http"
|
|
|
3d17f4 |
+assert_good "--permanent --query-service=nfs --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-service=nfs --remove-service=http"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-service http"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-service nfs"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad " --add-port=666" # no protocol
|
|
|
3d17f4 |
+assert_bad " --add-port=666/dummy" # bad protocol
|
|
|
3d17f4 |
+assert_good " --add-port=666/tcp --zone=${default_zone} --timeout=30m"
|
|
|
3d17f4 |
+assert_good "--remove-port=666/tcp"
|
|
|
3d17f4 |
+assert_good " --add-port=111-222/udp"
|
|
|
3d17f4 |
+assert_good " --query-port=111-222/udp --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-port 111-222/udp"
|
|
|
3d17f4 |
+assert_bad " --query-port=111-222/udp"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --add-port=666" # no protocol
|
|
|
3d17f4 |
+assert_bad "--permanent --add-port=666/dummy" # bad protocol
|
|
|
3d17f4 |
+assert_good "--permanent --add-port=666/tcp"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-port=666/tcp --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --add-port=111-222/udp --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-port=111-222/udp"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-port 111-222/udp"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-port=111-222/udp"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good " --add-port=80/tcp --add-port 443-444/udp"
|
|
|
3d17f4 |
+assert_good " --query-port=80/tcp --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good " --query-port=443-444/udp"
|
|
|
3d17f4 |
+assert_good "--remove-port 80/tcp --remove-port=443-444/udp"
|
|
|
3d17f4 |
+assert_bad " --query-port=80/tcp"
|
|
|
3d17f4 |
+assert_bad " --query-port=443-444/udp"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-port=80/tcp --add-port 443-444/udp"
|
|
|
3d17f4 |
+assert_good "--permanent --query-port=80/tcp --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-port=443-444/udp"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-port 80/tcp --remove-port=443-444/udp"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-port=80/tcp"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-port=443-444/udp"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good " --add-masquerade --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good " --query-masquerade "
|
|
|
3d17f4 |
+assert_good "--remove-masquerade"
|
|
|
3d17f4 |
+assert_bad " --query-masquerade"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-masquerade"
|
|
|
3d17f4 |
+assert_good "--permanent --query-masquerade --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-masquerade --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-masquerade"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--zone=external --add-icmp-block=dummyblock" # invalid icmp type
|
|
|
3d17f4 |
+assert_good "--zone=external --add-icmp-block=redirect"
|
|
|
3d17f4 |
+assert_good "--zone=external --query-icmp-block=redirect"
|
|
|
3d17f4 |
+assert_good "--zone=external --remove-icmp-block redirect"
|
|
|
3d17f4 |
+assert_bad "--zone=external --query-icmp-block=redirect"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --add-icmp-block=dummyblock" # invalid icmp type
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --add-icmp-block=redirect"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --query-icmp-block=redirect"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --remove-icmp-block redirect"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --query-icmp-block=redirect"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--zone=external --add-icmp-block=echo-reply --add-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_good "--zone=external --query-icmp-block=echo-reply"
|
|
|
3d17f4 |
+assert_good "--zone=external --query-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_good "--zone=external --remove-icmp-block echo-reply --remove-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_bad "--zone=external --query-icmp-block=echo-reply"
|
|
|
3d17f4 |
+assert_bad "--zone=external --query-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --add-icmp-block=echo-reply --add-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --query-icmp-block=echo-reply"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --query-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=external --remove-icmp-block echo-reply --remove-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --query-icmp-block=echo-reply"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=external --query-icmp-block=router-solicitation"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad " --add-forward-port=666" # no protocol
|
|
|
3d17f4 |
+assert_good " --add-forward-port=port=11:proto=tcp:toport=22"
|
|
|
3d17f4 |
+assert_good "--remove-forward-port=port=11:proto=tcp:toport=22 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_bad " --add-forward-port=port=33:proto=tcp:toaddr=4444" # bad address
|
|
|
3d17f4 |
+assert_good " --add-forward-port=port=33:proto=tcp:toaddr=4.4.4.4 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-forward-port=port=33:proto=tcp:toaddr=4.4.4.4"
|
|
|
3d17f4 |
+assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --add-forward-port=666" # no protocol
|
|
|
3d17f4 |
+assert_good "--permanent --add-forward-port=port=11:proto=tcp:toport=22 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-forward-port=port=11:proto=tcp:toport=22"
|
|
|
3d17f4 |
+assert_bad "--permanent --add-forward-port=port=33:proto=tcp:toaddr=4444" # bad address
|
|
|
3d17f4 |
+assert_good "--permanent --add-forward-port=port=33:proto=tcp:toaddr=4.4.4.4"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-forward-port=port=33:proto=tcp:toaddr=4.4.4.4 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+assert_good "--permanent --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_good " --query-forward-port=port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_good " --query-forward-port=port=88:proto=udp:toport=99 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--remove-forward-port port=100:proto=tcp:toport=200 --remove-forward-port=port=88:proto=udp:toport=99"
|
|
|
3d17f4 |
+assert_bad " --query-forward-port port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_bad " --query-forward-port=port=88:proto=udp:toport=99"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_good "--permanent --query-forward-port=port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_good "--permanent --query-forward-port=port=88:proto=udp:toport=99 --zone=${default_zone}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-forward-port port=100:proto=tcp:toport=200 --remove-forward-port=port=88:proto=udp:toport=99"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-forward-port port=100:proto=tcp:toport=200"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-forward-port=port=88:proto=udp:toport=99"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_contains "--zone=home --list-services" "ssh"
|
|
|
3d17f4 |
+assert_good "--zone home --list-ports"
|
|
|
3d17f4 |
+assert_good "--list-icmp-blocks"
|
|
|
3d17f4 |
+assert_good "--zone=home --list-forward-ports"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=work --list-services" "ssh"
|
|
|
3d17f4 |
+assert_good "--permanent --list-forward-ports"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --complete-reload" # impossible combination
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+myzone="myzone"
|
|
|
3d17f4 |
+myservice="myservice"
|
|
|
3d17f4 |
+myicmp="myicmp"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# create new zone
|
|
|
3d17f4 |
+assert_bad "--new-zone=${myzone}" # no --permanent
|
|
|
3d17f4 |
+assert_good "--permanent --new-zone=${myzone}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --get-zones" "${myzone}"
|
|
|
3d17f4 |
+# get/set default target
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=${myzone} --get-target" "default"
|
|
|
3d17f4 |
+assert_bad "--permanent --zone=${myzone} --set-target=BAD"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${myzone} --set-target=%%REJECT%%"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${myzone} --set-target=DROP"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${myzone} --set-target=ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=${myzone} --get-target" "ACCEPT"
|
|
|
3d17f4 |
+# create new service and icmptype
|
|
|
3d17f4 |
+assert_good "--permanent --new-service=${myservice}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --get-services" "${myservice}"
|
|
|
3d17f4 |
+assert_good "--permanent --new-icmptype=${myicmp}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --get-icmptypes" "${myicmp}"
|
|
|
3d17f4 |
+# add them to zone
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${myzone} --add-service=${myservice}"
|
|
|
3d17f4 |
+assert_good "--permanent --zone=${myzone} --add-icmp-block=${myicmp}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=${myzone} --list-services" "${myservice}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --zone=${myzone} --list-icmp-blocks" "${myicmp}"
|
|
|
3d17f4 |
+# delete the service and icmptype
|
|
|
3d17f4 |
+assert_good "--permanent --delete-service=${myservice}"
|
|
|
3d17f4 |
+assert_good "--permanent --delete-icmptype=${myicmp}"
|
|
|
3d17f4 |
+# make sure they were removed also from the zone
|
|
|
3d17f4 |
+assert_good_empty "--permanent --zone=${myzone} --list-services" "${myservice}"
|
|
|
3d17f4 |
+assert_good_empty "--permanent --zone=${myzone} --list-icmp-blocks" "${myicmp}"
|
|
|
3d17f4 |
+assert_good "--permanent --delete-zone=${myzone}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# ... --direct ...
|
|
|
3d17f4 |
+modprobe dummy
|
|
|
3d17f4 |
+assert_good "--direct --passthrough ipv4 --table mangle --append POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill"
|
|
|
3d17f4 |
+assert_good "--direct --passthrough ipv4 --table mangle --delete POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--direct --add-passthrough ipv7 --table filter -A INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT" # bad ipv
|
|
|
3d17f4 |
+assert_good "--direct --add-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-passthrough ipv7 --table filter -A INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT" # bad ipv
|
|
|
3d17f4 |
+assert_good "--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --remove-passthrough ipv7 --table filter -A INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT" # bad ipv
|
|
|
3d17f4 |
+assert_good "--direct --remove-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--direct --add-passthrough ipv6 --table filter --append FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-passthroughs ipv6" "fd00:dead:beef:ff0::/64"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-all-passthroughs" "fd00:dead:beef:ff0::/64"
|
|
|
3d17f4 |
+assert_good_contains "--direct --passthrough ipv6 -nvL" "fd00:dead:beef:ff0::/64"
|
|
|
3d17f4 |
+assert_good "--direct --remove-passthrough ipv6 --table filter --delete FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--direct --passthrough ipv5 -nvL" # ipv5
|
|
|
3d17f4 |
+assert_bad "--direct --passthrough ipv4" # missing argument
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--direct --add-chain ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-chains ipv4 filter" "mychain"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-all-chains" "ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_good "--direct --query-chain ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_bad "--direct --add-chain ipv5 filter mychain" # bad ipv
|
|
|
3d17f4 |
+assert_bad "--direct --add-chain ipv4 badtable mychain" # bad table name
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--direct --add-rule ipv4 filter mychain 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-rules ipv4 filter mychain" "3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-all-rules" "ipv4 filter mychain 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --query-rule ipv4 filter mychain 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --remove-rule ipv4 filter mychain 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-rule ipv4 filter mychain 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --add-rule ipv5 filter mychain 3 -j ACCEPT" # bad ipv
|
|
|
3d17f4 |
+assert_bad "--direct --add-rule ipv4 badtable mychain 3 -j ACCEPT" # bad table name
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--direct --add-rule ipv4 filter mychain 3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --add-rule ipv4 filter mychain 4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --add-rule ipv4 filter mychain 5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --add-rule ipv4 filter mychain 6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-rules ipv4 filter mychain" "3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-rules ipv4 filter mychain" "4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-rules ipv4 filter mychain" "5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-rules ipv4 filter mychain" "6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--direct --remove-rules ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_bad "--direct --query-rule ipv4 filter mychain 3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-rule ipv4 filter mychain 4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-rule ipv4 filter mychain 5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--direct --query-rule ipv4 filter mychain 6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--direct --remove-chain ipv5 filter mychain" # bad ipv
|
|
|
3d17f4 |
+assert_bad "--direct --remove-chain ipv4 badtable mychain" # bad table name
|
|
|
3d17f4 |
+assert_good "--direct --remove-chain ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_bad "--direct --query-chain ipv4 filter mychain"
|
|
|
3d17f4 |
+assert_good "--direct --remove-chain ipv4 filter dummy" # removing nonexisting chain is just warning
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--direct --reload" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --list-all" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --get-services" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --get-default-zone" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --zone=home --list-services" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --permanent --list-all" # impossible combination
|
|
|
3d17f4 |
+assert_bad "--direct --passthrough --get-chains ipv4 filter" # impossible combination
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# ... --permanent --direct ...
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-passthrough ipv4" # missing argument
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-passthrough ipv5 -nvL" # bad ipv
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-passthrough ipv4 -nvL"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-passthroughs ipv4" "-nvL"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-all-passthroughs" "ipv4 -nvL"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --query-passthrough ipv4 -nvL"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-passthrough ipv4 -nvL"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-passthrough ipv4 -nvL"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# try some non-ascii magic
|
|
|
3d17f4 |
+mychain_p="žluťoučký"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-chain ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-chains ipv4 filter" "${mychain_p}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-all-chains" "ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --query-chain ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-chain ipv5 filter ${mychain_p}" # bad ipv
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-chain ipv4 badtable ${mychain_p}" # bad table name
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ipv4 filter ${mychain_p} 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-rules ipv4 filter ${mychain_p}" "ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-all-rules" "ipv4 filter ${mychain_p} 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --query-rule ipv4 filter ${mychain_p} 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-rule ipv4 filter ${mychain_p} 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-rule ipv4 filter ${mychain_p} 3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-rule ipv5 filter ${mychain_p} 3 -j ACCEPT" # bad ipv
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --add-rule ipv4 badtable ${mychain_p} 3 -j ACCEPT" # bad table name
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ipv4 filter ${mychain_p} 3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ipv4 filter ${mychain_p} 4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ipv4 filter ${mychain_p} 5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ipv4 filter ${mychain_p} 6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-rules ipv4 filter ${mychain_p}" "3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-rules ipv4 filter ${mychain_p}" "4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-rules ipv4 filter ${mychain_p}" "5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-rules ipv4 filter ${mychain_p}" "6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-rules ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-rule ipv4 filter ${mychain_p} 3 -s 192.168.1.1 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-rule ipv4 filter ${mychain_p} 4 -s 192.168.1.2 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-rule ipv4 filter ${mychain_p} 5 -s 192.168.1.3 -j ACCEPT"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-rule ipv4 filter ${mychain_p} 6 -s 192.168.1.4 -j ACCEPT"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --remove-chain ipv5 filter ${mychain_p}" # bad ipv
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-chain ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_bad "--permanent --direct --query-chain ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-chain ipv4 filter dummy" # removing nonexisting chain is just warning
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+rule1="ipv4 nat OUTPUT 0 -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-ports 81"
|
|
|
3d17f4 |
+rule2="ipv4 nat OUTPUT 0 -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-ports 82"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ${rule1}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
+assert_good "--reload"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-rule ${rule1}"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --add-rule ${rule2}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
+assert_good "--reload"
|
|
|
3d17f4 |
+assert_bad_contains "--direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
+assert_good_contains "--direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
+assert_good "--permanent --direct --remove-rule ${rule2}"
|
|
|
3d17f4 |
+assert_good "--reload"
|
|
|
3d17f4 |
+assert_bad_contains "--direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# lockdown
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+cmd="/usr/bin/command"
|
|
|
3d17f4 |
+ctxt="system_u:system_r:MadDaemon_t:s0"
|
|
|
3d17f4 |
+uid="6666"
|
|
|
3d17f4 |
+user="theboss"
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--add-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_good "--query-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_good_contains "--list-lockdown-whitelist-commands" "${cmd}"
|
|
|
3d17f4 |
+assert_good "--remove-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_bad "--query-lockdown-whitelist-command ${cmd}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--add-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_good "--query-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_good_contains "--list-lockdown-whitelist-contexts" "${ctxt}"
|
|
|
3d17f4 |
+assert_good "--remove-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_bad "--query-lockdown-whitelist-context ${ctxt}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--add-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_good "--query-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_good_contains "--list-lockdown-whitelist-uids" "${uid}"
|
|
|
3d17f4 |
+assert_good "--remove-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_bad "--query-lockdown-whitelist-uid ${uid}" # already removed
|
|
|
3d17f4 |
+assert_bad "--add-lockdown-whitelist-uid ${uid}x" # bad uid
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--add-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_good "--query-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_good_contains "--list-lockdown-whitelist-users" "${user}"
|
|
|
3d17f4 |
+assert_good "--remove-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_bad "--query-lockdown-whitelist-user ${user}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --list-lockdown-whitelist-commands" "${cmd}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-lockdown-whitelist-command ${cmd}"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-lockdown-whitelist-command ${cmd}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --list-lockdown-whitelist-contexts" "${ctxt}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-lockdown-whitelist-context ${ctxt}"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-lockdown-whitelist-context ${ctxt}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --list-lockdown-whitelist-uids" "${uid}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-lockdown-whitelist-uid ${uid}"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-lockdown-whitelist-uid ${uid}" # already removed
|
|
|
3d17f4 |
+assert_bad "--permanent --add-lockdown-whitelist-uid ${uid}x" # bad uid
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+assert_good "--permanent --add-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_good "--permanent --query-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_good_contains "--permanent --list-lockdown-whitelist-users" "${user}"
|
|
|
3d17f4 |
+assert_good "--permanent --remove-lockdown-whitelist-user ${user}"
|
|
|
3d17f4 |
+assert_bad "--permanent --query-lockdown-whitelist-user ${user}" # already removed
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+# rich rules
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+bad_rules=(
|
|
|
3d17f4 |
+ '' # empty
|
|
|
3d17f4 |
+ 'family="ipv6" accept' # no 'rule'
|
|
|
3d17f4 |
+ 'name="dns" accept' # no 'rule'
|
|
|
3d17f4 |
+ 'protocol value="ah" reject' # no 'rule'
|
|
|
3d17f4 |
+ 'rule protocol value="ah" reject type="icmp-host-prohibited"' # reject type needs specific family
|
|
|
3d17f4 |
+ 'rule family="ipv4" protocol value="ah" reject type="dummy"' # dummy reject type
|
|
|
3d17f4 |
+ 'rule' # no element
|
|
|
3d17f4 |
+ 'rule bad_element' # no unknown element
|
|
|
3d17f4 |
+ 'rule family="ipv5"' # bad family
|
|
|
3d17f4 |
+ 'rule name="dns" accept' # name outside of element
|
|
|
3d17f4 |
+ 'rule protocol="ah" accept' # bad protocol usage
|
|
|
3d17f4 |
+ 'rule protocol value="ah" accept drop' # accept && drop
|
|
|
3d17f4 |
+ 'rule service name="radius" port port="4011" reject' # service && port
|
|
|
3d17f4 |
+ 'rule service bad_attribute="dns"' # bad attribute
|
|
|
3d17f4 |
+ 'rule protocol value="mtp" log level="eror"' # bad log level
|
|
|
3d17f4 |
+ 'rule source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"' # bad limit
|
|
|
3d17f4 |
+ 'rule protocol value="esp"' # no action/log/audit
|
|
|
3d17f4 |
+ 'rule family="ipv4" masquerade drop' # masquerade & action
|
|
|
3d17f4 |
+ 'rule family="ipv4" destination address="192.168.1.0/24" masquerade' # masquerade & destination
|
|
|
3d17f4 |
+ 'rule family="ipv4" icmp-block name="redirect" accept' # icmp-block & action
|
|
|
3d17f4 |
+ 'rule forward-port port="2222" to-port="22" protocol="tcp" family="ipv4" accept' # forward-port & action
|
|
|
3d17f4 |
+)
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+for (( i=0;i<${#bad_rules[@]};i++)); do
|
|
|
3d17f4 |
+ rule=${bad_rules[${i}]}
|
|
|
3d17f4 |
+ assert_rich_bad "add" "${rule}"
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+for (( i=0;i<${#bad_rules[@]};i++)); do
|
|
|
3d17f4 |
+ rule=${bad_rules[${i}]}
|
|
|
3d17f4 |
+ assert_rich_bad "permanent add" "${rule}"
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+good_rules=(
|
|
|
3d17f4 |
+ 'rule service name="ftp" audit limit value="1/m" accept'
|
|
|
3d17f4 |
+ 'rule protocol value="ah" reject'
|
|
|
3d17f4 |
+ 'rule protocol value="esp" accept'
|
|
|
3d17f4 |
+ 'rule protocol value="sctp" log'
|
|
|
3d17f4 |
+ 'rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
|
|
|
3d17f4 |
+# disable this test as the chenge is not backported yet 'rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns" level="info" limit value="2/m" drop'
|
|
|
3d17f4 |
+ 'rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"'
|
|
|
3d17f4 |
+ 'rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011/tcp" level="info" limit value="4/m" drop'
|
|
|
3d17f4 |
+ 'rule family="ipv6" source address="1:2:3:4:6::" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="1::2:3:4:7"'
|
|
|
3d17f4 |
+ 'rule family="ipv4" destination address="1.2.3.4" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="9.8.7.6"'
|
|
|
3d17f4 |
+ 'rule family="ipv4" source address="192.168.0.0/24" icmp-block name="source-quench" log prefix="source-quench" level="info" limit value="4/m"'
|
|
|
3d17f4 |
+ 'rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirect" level="info" limit value="4/m"'
|
|
|
3d17f4 |
+ 'rule family="ipv4" source address="192.168.1.0/24" masquerade'
|
|
|
3d17f4 |
+ 'rule family="ipv6" masquerade'
|
|
|
3d17f4 |
+ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"')
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+for (( i=0;i<${#good_rules[@]};i++)); do
|
|
|
3d17f4 |
+ rule=${good_rules[${i}]}
|
|
|
3d17f4 |
+ assert_rich_good "add" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_good "query" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_good "remove" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_bad "query" "${rule}"
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+for (( i=0;i<${#good_rules[@]};i++)); do
|
|
|
3d17f4 |
+ rule=${good_rules[${i}]}
|
|
|
3d17f4 |
+ assert_rich_good "permanent add" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_good "permanent query" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_good "permanent remove" "${rule}"
|
|
|
3d17f4 |
+ assert_rich_bad "permanent query" "${rule}"
|
|
|
3d17f4 |
+done
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+echo "----------------------------------------------------------------------"
|
|
|
3d17f4 |
+if [[ "${failures}" -eq 0 ]]; then
|
|
|
3d17f4 |
+ echo "Everything's OK, you rock :-)"
|
|
|
3d17f4 |
+ exit 0
|
|
|
3d17f4 |
+else
|
|
|
3d17f4 |
+ echo "FAILED (failures=${failures})"
|
|
|
3d17f4 |
+ exit 2
|
|
|
3d17f4 |
+fi
|