rpms / firewalld

Clone
Source Code
GIT

Blame SOURCES/firewalld-0.7-0032-tests-firewall-cmd-add-test-coverage-for-rich-rules-.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   21c891623aedfc93c402340bdbb20138c7b6dcba
  2.   SOURCES
  3.   firewalld-0.7-0032-tests-firewall-cmd-add-test-coverage-for-rich-rules-.patch
Blob History Raw
21c891 
From 255ba3e5ef7f5662251b73da1d9c906ee4082fb8 Mon Sep 17 00:00:00 2001
21c891 
From: Eric Garver <e@erig.me>
21c891 
Date: Fri, 2 Nov 2018 14:46:17 -0400
21c891 
Subject: [PATCH 32/34] tests/firewall-cmd: add test coverage for rich rules
21c891 
 priorities
21c891
21c891 
(cherry picked from commit d1bea40c157c06439e0ebd54f9f00a5385ad505d)
21c891 
---
21c891 
 src/tests/firewall-cmd.at | 633 ++++++++++++++++++++++++++++++++++++++
21c891 
 1 file changed, 633 insertions(+)
21c891
21c891 
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
21c891 
index 3cb3e8a96ca7..0c74a2d087cc 100644
21c891 
--- a/src/tests/firewall-cmd.at
21c891 
+++ b/src/tests/firewall-cmd.at
21c891 
@@ -863,6 +863,639 @@ FWD_START_TEST([rich rules audit])
21c891 
 FWD_END_TEST
21c891 
 m4_undefine([rich_rule_test])
21c891
21c891 
+FWD_START_TEST([rich rules priority])
21c891 
+    CHECK_LOG_AUDIT
21c891 
+
21c891 
+    dnl Verify generic layout of zone
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public {
21c891 
+        jump filter_IN_public_rich_rule_pre
21c891 
+        jump filter_IN_public_log
21c891 
+        jump filter_IN_public_deny
21c891 
+        jump filter_IN_public_allow
21c891 
+        jump filter_IN_public_rich_rule_post
21c891 
+        meta l4proto { icmp, ipv6-icmp } accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public {
21c891 
+        jump filter_FWDI_public_rich_rule_pre
21c891 
+        jump filter_FWDI_public_log
21c891 
+        jump filter_FWDI_public_deny
21c891 
+        jump filter_FWDI_public_allow
21c891 
+        jump filter_FWDI_public_rich_rule_post
21c891 
+        meta l4proto { icmp, ipv6-icmp } accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public], 0, [dnl
21c891 
+        IN_public_rich_rule_pre all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        IN_public_rich_rule_post all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public], 0, [dnl
21c891 
+        FWDI_public_rich_rule_pre all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        FWDI_public_rich_rule_post all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public], 0, [dnl
21c891 
+        IN_public_rich_rule_pre all ::/0 ::/0
21c891 
+        IN_public_log all ::/0 ::/0
21c891 
+        IN_public_deny all ::/0 ::/0
21c891 
+        IN_public_allow all ::/0 ::/0
21c891 
+        IN_public_rich_rule_post all ::/0 ::/0
21c891 
+        ACCEPT icmpv6 ::/0 ::/0
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public], 0, [dnl
21c891 
+        FWDI_public_rich_rule_pre all ::/0 ::/0
21c891 
+        FWDI_public_log all ::/0 ::/0
21c891 
+        FWDI_public_deny all ::/0 ::/0
21c891 
+        FWDI_public_allow all ::/0 ::/0
21c891 
+        FWDI_public_rich_rule_post all ::/0 ::/0
21c891 
+        ACCEPT icmpv6 ::/0 ::/0
21c891 
+    ])])
21c891 
+
21c891 
+    dnl priority 0 (or not specified) is special:
21c891 
+    dnl     accept goes to _allow chain
21c891 
+    dnl     drop   goes to _deny chain
21c891 
+    dnl     log    goes to _log chain
21c891 
+    dnl     audit  goes to _log chain
21c891 
+    FWD_CHECK([--add-rich-rule='rule port port="1111" protocol="tcp" log'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=0 port port="1122" protocol="tcp" audit accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule port port="2222" protocol="tcp" drop'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule port port="3333" protocol="tcp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=0 port port="4444" protocol="tcp" accept'], 0, ignore)
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_log], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_log {
21c891 
+        tcp dport 1111 ct state new,untracked log
21c891 
+        tcp dport 1122 ct state new,untracked log level audit
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_deny {
21c891 
+        tcp dport 2222 ct state new,untracked drop
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_allow {
21c891 
+        tcp dport 22 ct state new,untracked accept
21c891 
+        ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
21c891 
+        tcp dport 1122 ct state new,untracked accept
21c891 
+        tcp dport 3333 ct state new,untracked accept
21c891 
+        tcp dport 4444 ct state new,untracked accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
21c891 
+        LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
21c891 
+        AUDIT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED AUDIT accept
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+        DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
21c891 
+        LOG tcp ::/0 ::/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
21c891 
+        AUDIT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED AUDIT accept
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+        DROP tcp ::/0 ::/0 tcp dpt:2222 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    ])
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl verify priority range
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-32768 port port="1234" protocol="tcp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=32767 port port="1234" protocol="tcp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-32769 port port="1234" protocol="tcp" accept'], 139, ignore, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=32768 port port="1234" protocol="tcp" accept'], 139, ignore, ignore)
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl Special catch-all rule
21c891 
+    m4_define([rich_rule_str], ['rule priority=127 drop'])
21c891 
+    FWD_CHECK([--add-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    FWD_CHECK([--query-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_post], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_rich_rule_post {
21c891 
+        drop
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
21c891 
+        DROP all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
21c891 
+        DROP all ::/0 ::/0
21c891 
+    ])])
21c891 
+    FWD_CHECK([--remove-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    FWD_CHECK([--query-rich-rule=rich_rule_str], 1, ignore)
21c891 
+    FWD_CHECK([--permanent --add-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    FWD_CHECK([--permanent --query-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    FWD_CHECK([--permanent --remove-rich-rule=rich_rule_str], 0, ignore)
21c891 
+    FWD_CHECK([--permanent --query-rich-rule=rich_rule_str], 1, ignore)
21c891 
+    m4_undefine([rich_rule_str])
21c891 
+    dnl special catch-all should be denied if priority not specified
21c891 
+    FWD_CHECK([--add-rich-rule='rule drop'], 122, ignore, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=0 drop'], 122, ignore, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule log prefix="foobar: "'], 122, ignore, ignore)
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl masquerade and forward-ports are special because they use nat and mangle.
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" source address="10.10.0.0/16" masquerade'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-10 source address="10.1.1.0/24" masquerade'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-1  source address="10.1.0.0/16" drop'], 0, ignore)
21c891 
+    dnl
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=0 forward-port port="222"  protocol="tcp" to-port="22"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=0 forward-port port="2222" protocol="tcp" to-port="22" to-addr="10.1.1.1"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-10 forward-port port="8888" protocol="tcp" to-port="80"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-10 forward-port port="8080" protocol="tcp" to-port="80" to-addr="10.1.1.1"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv6" priority=0 forward-port port="9090" protocol="tcp" to-port="90"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv6" priority=-123 forward-port port="999" protocol="tcp" to-port="99"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv6" priority=-123 forward-port port="9999" protocol="tcp" to-port="9999" to-addr="1234::4321"'], 0, ignore)
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_rich_rule_pre {
21c891 
+        ct state new,untracked meta mark 0x00000069 accept
21c891 
+        ct state new,untracked meta mark 0x00000066 accept
21c891 
+        ip saddr 10.1.0.0/16 drop
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_allow {
21c891 
+        tcp dport 22 ct state new,untracked accept
21c891 
+        ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
21c891 
+        ct state new,untracked meta mark 0x00000064 accept
21c891 
+        ct state new,untracked meta mark 0x00000068 accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public_rich_rule_pre {
21c891 
+        ct state new,untracked meta mark 0x0000006a accept
21c891 
+        ct state new,untracked meta mark 0x00000067 accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public_allow {
21c891 
+        ct state new,untracked meta mark 0x00000065 accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDO_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDO_public_rich_rule_pre {
21c891 
+        ip saddr 10.1.1.0/24 ct state new,untracked accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDO_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDO_public_allow {
21c891 
+        ip saddr 10.10.0.0/16 ct state new,untracked accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip], [nat_PRE_public_rich_rule_pre], 0, [dnl
21c891 
+        table ip firewalld {
21c891 
+        chain nat_PRE_public_rich_rule_pre {
21c891 
+        meta l4proto tcp meta mark 0x00000066 redirect to :80
21c891 
+        meta l4proto tcp meta mark 0x00000067 dnat to 10.1.1.1:80
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip], [nat_PRE_public_allow], 0, [dnl
21c891 
+        table ip firewalld {
21c891 
+        chain nat_PRE_public_allow {
21c891 
+        meta l4proto tcp meta mark 0x00000064 redirect to :22
21c891 
+        meta l4proto tcp meta mark 0x00000065 dnat to 10.1.1.1:22
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip], [nat_POST_public_rich_rule_pre], 0, [dnl
21c891 
+        table ip firewalld {
21c891 
+        chain nat_POST_public_rich_rule_pre {
21c891 
+        ip saddr 10.1.1.0/24 oifname != "lo" masquerade
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip], [nat_POST_public_allow], 0, [dnl
21c891 
+        table ip firewalld {
21c891 
+        chain nat_POST_public_allow {
21c891 
+        ip saddr 10.10.0.0/16 oifname != "lo" masquerade
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip6], [nat_PRE_public_rich_rule_pre], 0,
21c891 
+        [[table ip6 firewalld {
21c891 
+        chain nat_PRE_public_rich_rule_pre {
21c891 
+        meta l4proto tcp meta mark 0x00000069 redirect to :99
21c891 
+        meta l4proto tcp meta mark 0x0000006a dnat to [1234::4321]:9999
21c891 
+        }
21c891 
+        }
21c891 
+    ]])
21c891 
+    NFT_LIST_RULES([ip6], [nat_PRE_public_allow], 0, [dnl
21c891 
+        table ip6 firewalld {
21c891 
+        chain nat_PRE_public_allow {
21c891 
+        meta l4proto tcp meta mark 0x00000068 redirect to :90
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip6], [nat_POST_public_rich_rule_pre], 0, [dnl
21c891 
+        table ip6 firewalld {
21c891 
+        chain nat_POST_public_rich_rule_pre {
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([ip6], [nat_POST_public_allow], 0, [dnl
21c891 
+        table ip6 firewalld {
21c891 
+        chain nat_POST_public_allow {
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [mangle_PRE_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain mangle_PRE_public_rich_rule_pre {
21c891 
+        meta nfproto ipv6 tcp dport 999 meta mark set 0x00000069
21c891 
+        meta nfproto ipv6 tcp dport 9999 meta mark set 0x0000006a
21c891 
+        meta nfproto ipv4 tcp dport 8888 meta mark set 0x00000066
21c891 
+        meta nfproto ipv4 tcp dport 8080 meta mark set 0x00000067
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain mangle_PRE_public_allow {
21c891 
+        meta nfproto ipv4 tcp dport 222 meta mark set 0x00000064
21c891 
+        meta nfproto ipv4 tcp dport 2222 meta mark set 0x00000065
21c891 
+        meta nfproto ipv6 tcp dport 9090 meta mark set 0x00000068
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x66
21c891 
+        DROP all -- 10.1.0.0/16 0.0.0.0/0
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x64
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x67
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
21c891 
+        ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x65
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDO_public_rich_rule_pre], 0, [dnl
21c891 
+        ACCEPT all -- 10.1.1.0/24 0.0.0.0/0 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDO_public_allow], 0, [dnl
21c891 
+        ACCEPT all -- 10.10.0.0/16 0.0.0.0/0 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([nat], [PRE_public_rich_rule_pre], 0, [dnl
21c891 
+        DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x66 to::80
21c891 
+        DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x67 to:10.1.1.1:80
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([nat], [PRE_public_allow], 0, [dnl
21c891 
+        DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x64 to::22
21c891 
+        DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x65 to:10.1.1.1:22
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([nat], [POST_public_rich_rule_pre], 0, [dnl
21c891 
+        MASQUERADE all -- 10.1.1.0/24 0.0.0.0/0
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([nat], [POST_public_allow], 0, [dnl
21c891 
+        MASQUERADE all -- 10.10.0.0/16 0.0.0.0/0
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([mangle], [PRE_public_rich_rule_pre], 0, [dnl
21c891 
+        MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 MARK set 0x66
21c891 
+        MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 MARK set 0x67
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
21c891 
+        MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 MARK set 0x64
21c891 
+        MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 MARK set 0x65
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x69
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x68
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x6a
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([nat], [PRE_public_rich_rule_pre], 0,
21c891 
+        [[DNAT tcp ::/0 ::/0 mark match 0x69 to::99
21c891 
+        DNAT tcp ::/0 ::/0 mark match 0x6a to:[1234::4321]:9999
21c891 
+    ]])
21c891 
+    IP6TABLES_LIST_RULES([nat], [PRE_public_allow], 0, [dnl
21c891 
+        DNAT tcp ::/0 ::/0 mark match 0x68 to::90
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([mangle], [PRE_public_rich_rule_pre], 0, [dnl
21c891 
+        MARK tcp ::/0 ::/0 tcp dpt:999 MARK set 0x69
21c891 
+        MARK tcp ::/0 ::/0 tcp dpt:9999 MARK set 0x6a
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
21c891 
+        MARK tcp ::/0 ::/0 tcp dpt:9090 MARK set 0x68
21c891 
+    ])])
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl icmp-block and icmp-type coverage
21c891 
+    FWD_CHECK([--add-rich-rule='rule icmp-block name="destination-unreachable"'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-10 icmp-block name="destination-unreachable"'], 0, ignore)
21c891 
+    dnl
21c891 
+    FWD_CHECK([--add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-10 icmp-type name="echo-request" accept'], 0, ignore)
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_rich_rule_pre {
21c891 
+        icmp type destination-unreachable reject with icmp type admin-prohibited
21c891 
+        icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
21c891 
+        icmp type echo-request accept
21c891 
+        icmpv6 type echo-request accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_deny {
21c891 
+        icmp type destination-unreachable reject with icmp type admin-prohibited
21c891 
+        icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_allow {
21c891 
+        tcp dport 22 ct state new,untracked accept
21c891 
+        ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
21c891 
+        icmp type echo-request accept
21c891 
+        icmpv6 type echo-request accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public_rich_rule_pre {
21c891 
+        icmp type destination-unreachable reject with icmp type admin-prohibited
21c891 
+        icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
21c891 
+        icmp type echo-request accept
21c891 
+        icmpv6 type echo-request accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public_deny], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public_deny {
21c891 
+        icmp type destination-unreachable reject with icmp type admin-prohibited
21c891 
+        icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_FWDI_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_FWDI_public_allow {
21c891 
+        icmp type echo-request accept
21c891 
+        icmpv6 type echo-request accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+        REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public_deny], 0, [dnl
21c891 
+        REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
21c891 
+        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
21c891 
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+        REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
21c891 
+        REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
21c891 
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public_deny], 0, [dnl
21c891 
+        REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
21c891 
+        ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
21c891 
+    ])])
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl add many negative/positive priorities and make sure they're in the right order
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=70   service name="smtps" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-111 service name="ntp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-10  port port="1111" protocol="tcp" drop'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=-100 port port="1111" protocol="tcp" log'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority="-77"    service name="smtp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule priority=-111 service name="ntp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-32768 source address="10.0.0.0/8" log'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-2 source address="10.0.0.0/8" log'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-1 source address="10.0.0.0/8" drop'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-5 source address="10.10.10.0/24" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule family="ipv4" priority=-3 source address="10.100.100.0/24" drop'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=127  drop'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=125 service name="imap" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=126 log prefix="DROPPED: "'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=10  service name="ssh" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=1   service name="http" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=100 service name="https" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=5   service name="https" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=66  service name="smtp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule priority=66    service name="smtp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule priority=70    service name="smtps" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule priority=5     service name="https" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule priority="-77" service name="smtp" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--remove-rich-rule='rule family="ipv4" priority=-3 source address="10.100.100.0/24" drop'], 0, ignore)
21c891 
+    m4_if(nftables, FIREWALL_BACKEND, [
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_rich_rule_pre {
21c891 
+        ip saddr 10.0.0.0/8 log
21c891 
+        tcp dport 1111 ct state new,untracked log
21c891 
+        tcp dport 1111 ct state new,untracked drop
21c891 
+        ip saddr 10.10.10.0/24 accept
21c891 
+        ip saddr 10.0.0.0/8 log
21c891 
+        ip saddr 10.0.0.0/8 drop
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_allow {
21c891 
+        tcp dport 22 ct state new,untracked accept
21c891 
+        ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_deny {
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_log], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_log {
21c891 
+        }
21c891 
+        }
21c891 
+    ])
21c891 
+    NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_post], 0, [dnl
21c891 
+        table inet firewalld {
21c891 
+        chain filter_IN_public_rich_rule_post {
21c891 
+        tcp dport 80 ct state new,untracked accept
21c891 
+        tcp dport 22 ct state new,untracked accept
21c891 
+        tcp dport 443 ct state new,untracked accept
21c891 
+        tcp dport 143 ct state new,untracked accept
21c891 
+        log prefix "DROPPED: "
21c891 
+        drop
21c891 
+        }
21c891 
+        }
21c891 
+    ])], [
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        LOG all -- 10.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4
21c891 
+        LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
21c891 
+        DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT all -- 10.10.10.0/24 0.0.0.0/0
21c891 
+        LOG all -- 10.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4
21c891 
+        DROP all -- 10.0.0.0/8 0.0.0.0/0
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
21c891 
+    ])
21c891 
+    IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 ctstate NEW,UNTRACKED
21c891 
+        LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "'DROPPED: '"
21c891 
+        DROP all -- 0.0.0.0/0 0.0.0.0/0
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
21c891 
+        LOG tcp ::/0 ::/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
21c891 
+        DROP tcp ::/0 ::/0 tcp dpt:1111 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
21c891 
+    ])
21c891 
+    IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:80 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:443 ctstate NEW,UNTRACKED
21c891 
+        ACCEPT tcp ::/0 ::/0 tcp dpt:143 ctstate NEW,UNTRACKED
21c891 
+        LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "'DROPPED: '"
21c891 
+        DROP all ::/0 ::/0
21c891 
+    ])])
21c891 
+    FWD_CHECK([-q --runtime-to-permanent])
21c891 
+    FWD_RELOAD
21c891 
+
21c891 
+    dnl Verify the rules are displayed in order of priority, not by when they
21c891 
+    dnl were added.
21c891 
+    FWD_CHECK([--add-rich-rule='rule priority=0 service name="http" accept'], 0, ignore)
21c891 
+    FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
21c891 
+        public
21c891 
+        target: default
21c891 
+        icmp-block-inversion: no
21c891 
+        interfaces:
21c891 
+        sources:
21c891 
+        services: dhcpv6-client ssh
21c891 
+        ports:
21c891 
+        protocols:
21c891 
+        masquerade: no
21c891 
+        forward-ports:
21c891 
+        source-ports:
21c891 
+        icmp-blocks:
21c891 
+        rich rules:
21c891 
+        rule priority="-32768" family="ipv4" source address="10.0.0.0/8" log
21c891 
+        rule priority="-100" port port="1111" protocol="tcp" log
21c891 
+        rule priority="-10" port port="1111" protocol="tcp" drop
21c891 
+        rule priority="-5" family="ipv4" source address="10.10.10.0/24" accept
21c891 
+        rule priority="-2" family="ipv4" source address="10.0.0.0/8" log
21c891 
+        rule priority="-1" family="ipv4" source address="10.0.0.0/8" drop
21c891 
+        rule service name="http" accept
21c891 
+        rule priority="1" service name="http" accept
21c891 
+        rule priority="10" service name="ssh" accept
21c891 
+        rule priority="100" service name="https" accept
21c891 
+        rule priority="125" service name="imap" accept
21c891 
+        rule priority="126" log prefix="DROPPED: "
21c891 
+        rule priority="127" drop
21c891 
+    ])])
21c891 
+
21c891 
+FWD_END_TEST([-e '/INVALID_RULE: no element, no source, no destination/d'dnl
21c891 
+              -e '/INVALID_RULE: no element, no action/d'dnl
21c891 
+              -e '/ERROR: INVALID_PRIORITY: /d'])
21c891 
+
21c891 
 FWD_START_TEST([rich rules bad])
21c891 
     m4_define([rich_rule_test], [
21c891 
         FWD_CHECK([--add-rich-rule='$1'], $2, ignore, ignore)
21c891 
--
21c891 
2.18.0
21c891

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation