From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Thu, 16 Jan 2020 09:02:28 -0500
Subject: [PATCH 27/37] test: enhance test for rhbz1729097

(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)
(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)
---
 src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-
 1 file changed, 105 insertions(+), 2 deletions(-)

diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index ce6dd075c2b5..5de9b5679023 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,9 +1,112 @@
-FWD_START_TEST([rich rule destination with service destination])
-AT_KEYWORDS(rich service rhbz1715977)
+FWD_START_TEST([rich rule source/destination with service destination])
+AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
 FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
 FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
 FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
 FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
-- 
2.23.0
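Review bot: None of the three runtime rich rules added in this hunk combines a rich-rule `source address=` with a service that itself carries a destination, even though the renamed title (`rich rule source/destination with service destination`) names exactly that case: the ssh rule supplies its own destination and the ssdp rule has no source. That combination is where a regression in merging the service-supplied daddr with the rule's saddr would silently widen the accept (UDP 1900 from 10.10.10.0/24 to any address instead of only 239.255.255.250), so it is worth pinning here. I would add `FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 source address="10.10.10.0/24" service name="ssdp" accept'])` after the ssdp check and extend the three listings with the resulting line, presumably `ip daddr 239.255.255.250 ip saddr 10.10.10.0/24 udp dport 1900 ct state new,untracked accept` for nft and `ACCEPT udp -- 10.10.10.0/24 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED` for iptables, following the daddr-before-saddr order the ssh line shows (confirm against real output before committing the expected text). The hunk header counts 9 old lines but only 7 removed/context lines are visible after the trailing mdns checks, so the end of the test (its closing FWD_END_TEST, if present) appears to be cut off in this extraction.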