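dnl FWD_STOP_FIREWALLD
dnl
dnl Stop the firewalld instance whose PID was recorded in ./firewalld.pid:
dnl send SIGTERM, poll with ps for up to ten seconds, then fall back to
dnl SIGKILL if the process is still there.
dnl
dnl The PID comes from a file in the test directory and this macro is also
dnl reached from the EXIT trap installed by FWD_START_TEST, so the value is
dnl checked before it is handed to kill. A missing or empty file, a
dnl non-numeric value, or a PID of 0 or 1 results in no signal being sent
dnl (PID 0 would address the caller's own process group).
m4_define([FWD_STOP_FIREWALLD], [
    pid=
    test -s firewalld.pid && pid=$(< firewalld.pid)
    if test -n "$pid" && test "$pid" -gt 1 2>/dev/null; then
        kill "$pid"
        for I in 1 2 3 4 5 6 7 8 9 0; do
            ps --pid "$pid" >/dev/null || { pid=0; break; }
            sleep 1
        done
        test "$pid" -eq 0 || { kill -9 "$pid"; sleep 3; }
    fi
])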
dnl FWD_START_FIREWALLD
dnl
dnl Launch firewalld in the background through NS_CMD, with its log file and
dnl system configuration pointed at the current test directory, record the
dnl background job's PID in ./firewalld.pid, and poll "firewall-cmd --state"
dnl up to ten times, one second apart. The test fails if the daemon never
dnl reports ready. If FIREWALLD_DEFAULT_CONFIG is set in the environment it
dnl is passed on as --default-config.
m4_define([FWD_START_FIREWALLD], [
    FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./"
    dnl if testsuite ran with debug flag, add debug output
    ${at_debug_p} && FIREWALLD_ARGS="--debug=3 ${FIREWALLD_ARGS}"
    if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
        FIREWALLD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
    fi

    NS_CMD([firewalld $FIREWALLD_ARGS &])
    dnl NOTE(review): the command above is backgrounded and the shell reports
    dnl status 0 for a backgrounded command, so this check cannot observe a
    dnl firewalld startup failure. A daemon that dies early is caught by the
    dnl readiness loop below instead.
    if test $? -ne 0; then
        AT_FAIL_IF([:])
    fi
    echo "$!" > firewalld.pid

    dnl Give it some time for the dbus interface to come up
    up=0
    for I in 1 2 3 4 5 6 7 8 9 0; do
        if NS_CMD([firewall-cmd --state]); then
            up=1
            break
        fi
        sleep 1
    done
    AT_FAIL_IF([test $up -ne 1])
])
dnl START_NETWORKMANAGER
dnl
dnl Skip the test unless both NetworkManager and nmcli are found inside the
dnl test namespace. Otherwise write a minimal ./NetworkManager.conf (no
dnl plugins, logging overrides commented out), start NetworkManager in the
dnl background through NS_CMD, record its PID in ./networkmanager.pid and
dnl poll "nmcli general status" up to ten times, one second apart. The test
dnl fails if NetworkManager never answers.
m4_define([START_NETWORKMANAGER], [
    AT_SKIP_IF([! NS_CMD([which NetworkManager >/dev/null 2>&1])])
    AT_SKIP_IF([! NS_CMD([which nmcli >/dev/null 2>&1])])

    AT_DATA([./NetworkManager.conf], [dnl
[[main]]
plugins=

[[logging]]
#level=DEBUG
#domains=ALL
])

    NM_ARGS="--no-daemon --config ./NetworkManager.conf"
    NS_CMD([NetworkManager $NM_ARGS &])
    dnl NOTE(review): as the command above is backgrounded, the status tested
    dnl here is always that of launching the job. Startup failures surface in
    dnl the readiness loop below.
    if test $? -ne 0; then
        AT_FAIL_IF([:])
    fi
    echo "$!" > networkmanager.pid

    dnl Give it some time for the dbus interface to come up
    up=0
    for I in 1 2 3 4 5 6 7 8 9 0; do
        if NS_CMD([nmcli general status >/dev/null 2>&1]); then
            up=1
            break
        fi
        sleep 1
    done
    AT_FAIL_IF([test $up -ne 1])
])
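dnl STOP_NETWORKMANAGER
dnl
dnl Stop the NetworkManager instance whose PID was recorded in
dnl ./networkmanager.pid: send SIGTERM, poll with ps for up to ten seconds,
dnl then fall back to SIGKILL if the process is still there.
dnl
dnl The PID is read from a file in the test directory, so it is checked
dnl before being handed to kill. A missing or empty file, a non-numeric
dnl value, or a PID of 0 or 1 results in no signal being sent (PID 0 would
dnl address the caller's own process group).
m4_define([STOP_NETWORKMANAGER], [
    pid=
    test -s networkmanager.pid && pid=$(< networkmanager.pid)
    if test -n "$pid" && test "$pid" -gt 1 2>/dev/null; then
        kill "$pid"
        for I in 1 2 3 4 5 6 7 8 9 0; do
            ps --pid "$pid" >/dev/null || { pid=0; break; }
            sleep 1
        done
        test "$pid" -eq 0 || { kill -9 "$pid"; sleep 3; }
    fi
])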
dnl FWD_RELOAD([status], [stdout], [stderr], [status], [stdout], [stderr])
dnl
dnl Run "firewall-cmd -q --reload" and then "firewall-cmd -q --state" through
dnl FWD_CHECK. Arguments 1-3 are the expectations forwarded for the reload,
dnl arguments 4-6 those forwarded for the state query.
m4_define([FWD_RELOAD], [
    FWD_CHECK([-q --reload], [$1], [$2], [$3])
    FWD_CHECK([-q --state], [$4], [$5], [$6])
])
dnl FWD_RESTART
dnl
dnl Stop the running firewalld and start a fresh one, in that order, by
dnl expanding FWD_STOP_FIREWALLD followed by FWD_START_FIREWALLD.
m4_define([FWD_RESTART], [
    FWD_STOP_FIREWALLD
    FWD_START_FIREWALLD
])
dnl FWD_START_TEST(title)
dnl
dnl Begin a test group: call AT_SETUP, select the C.UTF-8 locale when the host
dnl lists it, and copy firewalld.conf into the test directory from
dnl FIREWALLD_DEFAULT_CONFIG if set, else from /etc/firewalld. A failed copy
dnl exits with 77, which Autotest treats as a skip.
dnl
dnl Unless TESTING_FIREWALL_OFFLINE_CMD is defined, the macro then selects the
dnl backend (nftables by default), adjusts firewalld.conf, installs an EXIT
dnl trap for cleanup, creates a per-group network namespace, starts a private
dnl dbus-daemon inside it and finally starts firewalld.
dnl
dnl NOTE(review): in this listing several lines of the dbus.conf payload are
dnl blank or begin mid-element (the DOCTYPE opener, the comment openers and
dnl some allow elements look truncated). They are reproduced exactly as shown;
dnl compare with the upstream file before relying on the XML.
m4_define([FWD_START_TEST], [
    AT_SETUP([$1])

    dnl We test some unicode strings and autotest overrides LC_ALL=C, so set it
    dnl again for every test.
    if locale -a |grep "^C.utf8" >/dev/null; then
        LC_ALL="C.UTF-8"
        export LC_ALL
    fi

    dnl start every test with the default config
    if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
        AT_CHECK([if ! cp "${FIREWALLD_DEFAULT_CONFIG}/firewalld.conf" ./firewalld.conf; then exit 77; fi])
    else
        AT_CHECK([if ! cp /etc/firewalld/firewalld.conf ./firewalld.conf; then exit 77; fi])
    fi

    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
        AT_KEYWORDS(offline)
    ], [
        m4_define_default([FIREWALL_BACKEND], [nftables])

        AT_KEYWORDS(FIREWALL_BACKEND)

        dnl don't unload modules or bother cleaning up, the namespace will be deleted
        AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])

        dnl set the appropriate backend
        AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])

        dnl fib matching is pretty new in nftables. Don't use rpfilter on older
        dnl kernels.
        m4_if(nftables, FIREWALL_BACKEND, [
            IF_HOST_SUPPORTS_NFT_FIB([], [
                sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=no/' ./firewalld.conf
            ])
        ])

        dnl dummy wrapper for trap syntax
        function kill_firewalld() {
            FWD_STOP_FIREWALLD
        }
        function kill_networkmanager() {
            if test -f networkmanager.pid; then
                STOP_NETWORKMANAGER
            fi
        }

        dnl run cleanup commands on test exit
        dnl NOTE(review): ./cleanup and ./cleanup_late are sourced by the trap
        dnl with the privileges of the test run, so the test directory must not
        dnl be writable by anyone less trusted than the user running the suite.
        echo "" > cleanup
        echo "" > cleanup_late
        trap ". ./cleanup; kill_firewalld; kill_networkmanager; . ./cleanup_late" EXIT

        dnl create a namespace and dbus-daemon
        m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}])
        m4_define([CURRENT_TEST_NS], [fwd-test-${at_group_normalized}])
        echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup_late
        AT_CHECK([ip netns add CURRENT_TEST_NS])
        dnl NOTE(review): the bus policy written below admits every user and is
        dnl meant only for the throwaway per-test bus, which dbus-daemon serves on
        dnl an explicit abstract socket address from inside the test namespace.
        dnl Do not reuse it as a policy for a real system bus.
        AT_DATA([./dbus.conf], [

"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<fork />
<auth>EXTERNAL</auth>
<listen>unix:path=/tmp/dummy</listen>
<policy context="default">
<allow user="*"/>
<allow send_type="signal"/>
<allow send_requested_reply="true" send_type="method_return"/>
<allow send_requested_reply="true" send_type="error"/>
<allow receive_type="method_call"/>
<allow receive_type="method_return"/>
<allow receive_type="error"/>
<allow receive_type="signal"/>
<allow send_destination="org.freedesktop.DBus"/>
</policy>

<policy user="root">
<allow own="org.fedoraproject.FirewallD1"/>
<allow own="org.fedoraproject.FirewallD1.config"/>
<allow send_destination="org.fedoraproject.FirewallD1"/>
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>
<policy context="default">
<allow send_destination="org.fedoraproject.FirewallD1"/>

send_interface="org.freedesktop.DBus.Introspectable"/>

send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>


<policy user="root">
<allow own="org.freedesktop.NetworkManager"/>
<allow send_destination="org.freedesktop.NetworkManager"/>


send_interface="org.freedesktop.NetworkManager.PPP"/>

<allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>

<deny send_interface="..." /> (see dbus-daemon(8) for details).
This seems to override that for the known VPN plugins.
-->
<allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
<allow send_destination="org.freedesktop.NetworkManager.openswan"/>
<allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.pptp"/>
<allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
<allow send_destination="org.freedesktop.NetworkManager.ssh"/>
<allow send_destination="org.freedesktop.NetworkManager.iodine"/>
<allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
<allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
<allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
<allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
<allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>

<allow send_destination="org.fedoraproject.FirewallD1"/>


from the dns dnsmasq plugin to own it's dbus name, and for
messages to be sent to it.
-->
<allow own="org.freedesktop.NetworkManager.dnsmasq"/>
<allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
</policy>
</busconfig>
])
        DBUS_PID=`NS_CMD([dbus-daemon --address="CURRENT_DBUS_ADDRESS" --print-pid --config-file="./dbus.conf"])`
        if test $? -ne 0; then
            AT_FAIL_IF([:])
        fi
        echo "kill $DBUS_PID" >> ./cleanup_late

        FWD_START_FIREWALLD
    ])
])
dnl FWD_END_TEST([sed-args | ignore])
dnl
dnl Close a test group with AT_CLEANUP. Outside offline mode it first scans
dnl ./firewalld.log and fails the test if any ERROR or WARNING line remains.
dnl Two known warnings are always removed first: the ip6tables one only when
dnl the host lacks ip6tables support, the AllowZoneDrifting one always.
dnl
dnl The optional argument is spliced unquoted into "sed -i" and is meant to
dnl delete log lines a test expects; the literal value "ignore" disables the
dnl log check altogether. Keep such filters as narrow as possible: anything
dnl they delete can no longer fail the test.
m4_define([FWD_END_TEST], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        IF_HOST_SUPPORTS_IP6TABLES([], [
            sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
        ])
        sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
        if test x"$1" != x"ignore"; then
            if test -n "$1"; then
                sed -i $1 ./firewalld.log
            fi
            AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
        fi
        m4_undefine([CURRENT_DBUS_ADDRESS])
        m4_undefine([CURRENT_TEST_NS])
    ])
    AT_CLEANUP
])
dnl FWD_OFFLINE_CHECK(args, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Run firewall-offline-cmd against the configuration in the test directory
dnl (--system-config ./), adding --default-config when FIREWALLD_DEFAULT_CONFIG
dnl is set, and check the result with AT_CHECK. Arguments 2-6 are passed to
dnl AT_CHECK unchanged.
m4_define([FWD_OFFLINE_CHECK], [
    FIREWALL_OFFLINE_CMD_ARGS="--system-config ./"
    if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
        FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
    fi

    AT_CHECK([firewall-offline-cmd $FIREWALL_OFFLINE_CMD_ARGS $1], [$2], [$3], [$4], [$5], [$6])
])
dnl FWD_CHECK(args, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Run a firewall-cmd invocation and check its result. In the normal case
dnl the command runs inside the test namespace through NS_CHECK.
dnl
dnl When TESTING_FIREWALL_OFFLINE_CMD is defined the same arguments are
dnl instead given to firewall-offline-cmd, but only if one of these holds:
dnl   - TESTING_FIREWALL_OFFLINE_CMD_PASSTHROUGH is defined;
dnl   - the arguments lack --permanent but contain -default-zone or
dnl     --check-config;
dnl   - the arguments contain --permanent and lack --timeout.
dnl In every other offline case the check expands to nothing. The
dnl --permanent flag is cut out of the arguments before the offline call.
m4_define([FWD_CHECK], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
        dnl Silently skip tests that don't affect permanent config or other
        dnl flags we're interested in.
        dnl
        dnl if TESTING_FIREWALL_OFFLINE_CMD_PASSTHROUGH
        dnl firewall-offline-cmd ...
        dnl else
        dnl if ! --permanent
        dnl if -default-zone
        dnl firewall-offline-cmd ...
        dnl else
        dnl if ! --timeout
        dnl firewall-offline-cmd ...
        dnl
        m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD_PASSTHROUGH], [
            m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])
        ], [
            m4_if(-1, m4_index([$1], [--permanent]), [
                m4_if(-1, m4_index([$1], [-default-zone]), [], [
                    m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])
                ])
                m4_if(-1, m4_index([$1], [--check-config]), [], [
                    m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])
                ])
            ], [
                m4_if(-1, m4_index([$1], [--timeout]), [
                    m4_define([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])
                ], [])
            ])
        ])

        m4_ifdef([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD], [
            m4_undefine([FWD_CHECK_RUN_FIREWALL_OFFLINE_CMD])

            FWD_OFFLINE_CHECK([dnl
                dnl This m4 mess is all about stripping --permanent
                dnl flag if it exists, otherwise we pass arg 1 verbatim.
                m4_if(-1, m4_index([$1], [--permanent]), [$1], [ dnl
                m4_substr([$1],0,m4_index([$1], [--permanent])) dnl before --permanent
                m4_substr([$1],m4_eval(m4_index([$1], [--permanent])+11),m4_eval(m4_len([$1])-11)) dnl after --permanent
            ])], [$2], [$3], [$4], [$5], [$6])
        ])
    ], [
        NS_CHECK([firewall-cmd $1], [$2], [$3], [$4], [$5], [$6])
    ])
])
dnl FWD_GREP_LOG(pattern)
dnl
dnl Assert that ./firewalld.log contains a line matching the grep pattern
dnl (grep must exit 0); the matched output itself is ignored. The pattern is
dnl placed inside shell double quotes, so the shell still expands variables
dnl and command substitutions that appear in it.
m4_define([FWD_GREP_LOG], [
    AT_CHECK([grep "$1" ./firewalld.log], 0, [ignore], [ignore])
])
dnl Output-normalisation filters; each expands to a shell command that reads
dnl stdin and writes stdout.
dnl
dnl TRIM: strip leading and trailing blanks/tabs from every line.
m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']])
dnl TRIMV: delete lines that are empty or contain only blanks/tabs.
m4_define([TRIMV], [[sed -e '/^[ \t]*$/d']])
dnl TRIM_INTERNAL: collapse each run of blanks/tabs into one space.
m4_define([TRIM_INTERNAL], [[sed -e 's/[ \t]\+/ /g']])
dnl CHOMP: re-emit stdin without its trailing newlines (command substitution
dnl drops them and printf adds none).
m4_define([CHOMP], [printf "%s" "$(cat /dev/stdin)"])
dnl TRIM_WHITESPACE: all of the above in sequence, then exactly one final
dnl newline added by echo.
m4_define([TRIM_WHITESPACE], [TRIM | TRIMV | TRIM_INTERNAL | { CHOMP; echo; }])
dnl m4sugar's m4_strip has a bug that causes it to print a space after
dnl newlines. So implement our own suck-less version.
dnl
dnl The replacement collapses every run matched by the first pattern into a
dnl single space, then removes at most one leading and one trailing space.
dnl NOTE(review): the bracket expression in the first pattern shows only a
dnl space in this listing; confirm against the upstream file whether a tab
dnl was lost in extraction.
m4_define([m4_strip],
[m4_bpatsubsts([$1], [[ ]+], [ ],
                     [^ ?\(.*\) ?$], [\1])])
dnl NS_CMD(command)
dnl
dnl Expand to the given command run inside the current test's network
dnl namespace via "ip netns exec", with DBUS_SYSTEM_BUS_ADDRESS pointing at the
dnl per-test bus address. The command text is spliced in unquoted, so any
dnl redirection or "&" the caller includes applies to the whole env/ip
dnl invocation. Both CURRENT_DBUS_ADDRESS and CURRENT_TEST_NS must be defined
dnl at expansion time (FWD_START_TEST defines them).
m4_define([NS_CMD], [dnl
    env DBUS_SYSTEM_BUS_ADDRESS="CURRENT_DBUS_ADDRESS" ip netns exec CURRENT_TEST_NS $1 dnl
])
dnl NS_CHECK(command, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl AT_CHECK wrapper that runs the command through NS_CMD, i.e. inside the
dnl test namespace and against the per-test D-Bus address. Arguments 2-6 are
dnl passed to AT_CHECK unchanged.
m4_define([NS_CHECK], [
    AT_CHECK([NS_CMD([$1])], [$2], [$3], [$4], [$5], [$6])
])
dnl implement PIPESTATUS[0] in a portable way
dnl
dnl PIPESTATUS0(producer, filter)
dnl
dnl Run "producer | filter" in a child sh and exit with the producer's status
dnl instead of the filter's. The producer's status travels over fd 3 to a
dnl reader that exits with it, while the filter's output is routed over fd 4
dnl back to the real stdout.
dnl
dnl The here-document delimiter is quoted, so shell variables in either
dnl argument are expanded by the child sh, not by the calling shell.
dnl NOTE(review): variables used by callers therefore presumably need to be
dnl exported; verify against the suite's environment setup.
dnl The here-document lines are kept at column 0 because the terminator of a
dnl tab-stripping here-document may only be preceded by tabs.
m4_define([PIPESTATUS0], [dnl
sh <<-"HERE"
{ { { { $1; echo $? >&3; } | $2 >&4; } 3>&1; } | { read RC; exit $RC; } } 4>&1
HERE
])
dnl EBTABLES_LIST_RULES_NORMALIZE
dnl
dnl Filter for "ebtables -L" output: normalise whitespace, drop lines that
dnl start with "Bridge", and move a "!" that follows a long option in front
dnl of that option so both inversion spellings compare equal.
m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
    TRIM_WHITESPACE | dnl
    grep -v "^Bridge" | dnl
    [sed -e 's/\([-][-][-a-zA-Z0-9]\+\)[ ]\+[!]/! \1/g'] dnl
])
dnl EBTABLES_LIST_RULES(table, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List an ebtables chain inside the test namespace and compare the
dnl normalised output with the expectation. Expected stdout and stderr are
dnl passed through m4_strip first. Expands to nothing in offline mode.
m4_define([EBTABLES_LIST_RULES], [
    dnl ebtables commit 5f508b76a0ce change list output for inversion.
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
                 [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
    ])
])
dnl IPTABLES_LIST_RULES_NORMALIZE
dnl
dnl Filter for "iptables -L" output: normalise whitespace, then keep only the
dnl third line onwards.
m4_define([IPTABLES_LIST_RULES_NORMALIZE], [dnl
    TRIM_WHITESPACE | dnl
    tail -n +3 dnl
])
dnl IPTABLES_LIST_RULES_ALWAYS(table, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List an iptables chain inside the test namespace, whatever the configured
dnl backend, and compare the normalised output with the expectation. The
dnl binary is taken from the shell variable IPTABLES. Expands to nothing in
dnl offline mode.
m4_define([IPTABLES_LIST_RULES_ALWAYS], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        NS_CHECK([PIPESTATUS0([$IPTABLES -w -n -t $1 -L $2], [IPTABLES_LIST_RULES_NORMALIZE])],
                 [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
    ])
])
dnl IPTABLES_LIST_RULES(table, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Same check as IPTABLES_LIST_RULES_ALWAYS, but emitted only when
dnl FIREWALL_BACKEND is iptables. Expands to nothing for other backends.
m4_define([IPTABLES_LIST_RULES], [
    m4_if(iptables, FIREWALL_BACKEND, [
        IPTABLES_LIST_RULES_ALWAYS([$1], [$2], [$3], [$4], [$5], [$6], [$7])
    ])
])
dnl IP6TABLES_LIST_RULES_NORMALIZE
dnl
dnl Filter for "ip6tables -L" output: normalise whitespace, then keep only the
dnl third line onwards.
m4_define([IP6TABLES_LIST_RULES_NORMALIZE], [dnl
    TRIM_WHITESPACE | dnl
    tail -n +3 dnl
])
dnl IP6TABLES_LIST_RULES_ALWAYS(table, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List an ip6tables chain inside the test namespace, whatever the configured
dnl backend, and compare the normalised output with the expectation. The
dnl check is wrapped in IF_HOST_SUPPORTS_IP6TABLES and expands to nothing in
dnl offline mode. The binary is taken from the shell variable IP6TABLES.
m4_define([IP6TABLES_LIST_RULES_ALWAYS], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        IF_HOST_SUPPORTS_IP6TABLES([
            NS_CHECK([PIPESTATUS0([$IP6TABLES -w -n -t $1 -L $2], [IP6TABLES_LIST_RULES_NORMALIZE])],
                     [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
        ])
    ])
])
dnl IP6TABLES_LIST_RULES(table, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Same check as IP6TABLES_LIST_RULES_ALWAYS, but emitted only when
dnl FIREWALL_BACKEND is iptables. Expands to nothing for other backends.
m4_define([IP6TABLES_LIST_RULES], [
    m4_if(iptables, FIREWALL_BACKEND, [
        IP6TABLES_LIST_RULES_ALWAYS([$1], [$2], [$3], [$4], [$5], [$6], [$7])
    ])
])
dnl NFT_LIST_RULES_NORMALIZE
dnl
dnl Filter for "nft list chain" output: normalise whitespace, rewrite
dnl "meta mark" to "mark", delete the chain's type/hook/priority/policy line,
dnl and on "ct state" / "ct status" lines drop the braces and the space after
dnl each comma.
dnl
dnl The sed expressions are joined across lines with dnl, so the indentation
dnl of each continuation line is what separates it from the previous word and
dnl must be kept.
m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
    TRIM_WHITESPACE | dnl
    dnl nftables commit 6dd848339444 change list output to show "meta mark"
    dnl instead of just "mark".
    sed -e 's/meta mark/mark/g'dnl
        -e '/type.*hook.*priority.*policy.*/d'dnl
    dnl transform ct state { established,related } to ct state established,related
        -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
])
dnl NFT_LIST_RULES_ALWAYS(family, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List one chain of the "firewalld" nft table inside the test namespace,
dnl whatever the configured backend, and compare the normalised output with
dnl the expectation. Extra nft options come from the shell variable
dnl NFT_NUMERIC_ARGS. Expands to nothing in offline mode.
m4_define([NFT_LIST_RULES_ALWAYS], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        NS_CHECK([PIPESTATUS0([nft $NFT_NUMERIC_ARGS list chain $1 firewalld $2], [NFT_LIST_RULES_NORMALIZE])],
                 [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
    ])
])
dnl NFT_LIST_RULES(family, chain, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Same check as NFT_LIST_RULES_ALWAYS, but emitted only when
dnl FIREWALL_BACKEND is nftables. Expands to nothing for other backends.
m4_define([NFT_LIST_RULES], [
    m4_if(nftables, FIREWALL_BACKEND, [
        NFT_LIST_RULES_ALWAYS([$1], [$2], [$3], [$4], [$5], [$6], [$7])
    ])
])
dnl IPSET_LIST_SET_NORMALIZE
dnl
dnl Filter for "ipset list" output: normalise whitespace, drop the Revision,
dnl Header, Size, References and Number lines, then print the first three
dnl remaining lines as they are and the rest sorted, so member order does not
dnl affect the comparison.
m4_define([IPSET_LIST_SET_NORMALIZE], [dnl
    TRIM_WHITESPACE |dnl
    grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
    awk 'NR <= 3; NR > 3 {print | "sort"}' dnl
])
dnl IPSET_LIST_SET(set, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List an ipset inside the test namespace and compare the normalised output
dnl with the expectation. Expands to nothing in offline mode.
m4_define([IPSET_LIST_SET], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        NS_CHECK([PIPESTATUS0([ipset list $1], [IPSET_LIST_SET_NORMALIZE])],
                 [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
    ])
])
dnl NFT_LIST_SET_NORMALIZE
dnl
dnl Filter for "nft list set" output: whitespace normalisation only.
m4_define([NFT_LIST_SET_NORMALIZE], [dnl
    TRIM_WHITESPACE dnl
])
dnl NFT_LIST_SET_ALWAYS(set, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl List one set of the "inet firewalld" nft table inside the test namespace,
dnl whatever the configured backend, and compare the normalised output with
dnl the expectation. Expands to nothing in offline mode.
m4_define([NFT_LIST_SET_ALWAYS], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        NS_CHECK([PIPESTATUS0([nft $NFT_NUMERIC_ARGS list set inet firewalld $1], [NFT_LIST_SET_NORMALIZE])],
                 [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
    ])
])
dnl NFT_LIST_SET(set, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Same check as NFT_LIST_SET_ALWAYS, but emitted only when FIREWALL_BACKEND
dnl is nftables. Expands to nothing for other backends.
m4_define([NFT_LIST_SET], [
    m4_if(nftables, FIREWALL_BACKEND, [
        NFT_LIST_SET_ALWAYS([$1], [$2], [$3], [$4], [$5], [$6])
    ])
])
dnl DBUS_INTROSPECT([object-subpath], [xpath], [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Introspect a firewalld D-Bus object with gdbus and compare the
dnl canonicalised XML with the expectation. A blank first argument selects
dnl /org/fedoraproject/FirewallD1, otherwise the argument is appended to that
dnl path. A non-blank second argument is applied as an xmllint XPath filter
dnl before canonicalisation. The test is skipped when gdbus or xmllint is
dnl missing.
m4_define([DBUS_INTROSPECT], [
    AT_SKIP_IF([! NS_CMD([which gdbus >/dev/null 2>&1])])
    AT_SKIP_IF([! NS_CMD([which xmllint >/dev/null 2>&1])])
    NS_CHECK([PIPESTATUS0([gdbus introspect --xml --system --dest=org.fedoraproject.FirewallD1 dnl
                           m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
                                            [--object-path /org/fedoraproject/FirewallD1/$1])], dnl
                          [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --c14n - | TRIM_WHITESPACE])],
             [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
dnl DBUS_CHECK_NORMALIZE
dnl
dnl Filter for "gdbus call" replies: strip the outer "({" and "},)" wrapper,
dnl put each dictionary entry on its own line, normalise whitespace and sort
dnl the lines so the comparison does not depend on dictionary order.
m4_define([DBUS_CHECK_NORMALIZE], [dnl
    [sed -e 's/^({//' -e 's/},)$//' -e 's/>,/>\n/g'] | dnl truncate dictionary output
    TRIM_WHITESPACE | dnl
    sort dnl sort dictionaries by keys
])
dnl DBUS_CHECK([object-subpath], method, params, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Call a method under org.fedoraproject.FirewallD1 with gdbus inside the
dnl test namespace and compare the normalised reply with the expectation. A
dnl blank first argument selects /org/fedoraproject/FirewallD1, otherwise the
dnl argument is appended to that path. The test is skipped when gdbus is
dnl missing.
m4_define([DBUS_CHECK], [
    AT_SKIP_IF([! NS_CMD([which gdbus >/dev/null 2>&1])])
    NS_CHECK([PIPESTATUS0([gdbus call --system --dest=org.fedoraproject.FirewallD1 dnl
                           m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
                                            [--object-path /org/fedoraproject/FirewallD1/$1]) dnl
                           --method org.fedoraproject.FirewallD1.$2 $3],
                          [DBUS_CHECK_NORMALIZE])],
             [$4], [m4_strip([$5])], [m4_strip([$6])], [$7], [$8])
])
dnl DBUS_GETALL_NORMALIZE
dnl
dnl Filter for "dbus-send --print-reply" GetAll output: for every line that
dnl starts with "dict entry", join the two lines that follow it as
dnl "first : second", then sort the result. The awk program is wrapped in
dnl m4_escape at definition time.
m4_define([DBUS_GETALL_NORMALIZE], dnl
m4_escape([awk 'BEGIN{line_mark=-99; line=0} {line++; if (line == line_mark + 1) {buffer = $0}; if (line == line_mark + 2) {print buffer " : " $0} } /^dict entry/{line_mark=line}' | sort])dnl
)
dnl DBUS_GETALL(object-subpath, interface-suffix, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Fetch all properties of an org.fedoraproject.FirewallD1 interface with
dnl dbus-send inside the test namespace and compare the normalised listing
dnl with the expectation.
dnl NOTE(review): this pipeline is not wrapped in PIPESTATUS0, so unless the
dnl shell has pipefail set the status that is checked belongs to the last
dnl filter stage; a failing dbus-send shows up only through its output.
m4_define([DBUS_GETALL], [
    NS_CHECK([dbus-send --system --print-reply --dest=org.fedoraproject.FirewallD1 dnl
              /org/fedoraproject/FirewallD1/$1 dnl
              org.freedesktop.DBus.Properties.GetAll string:"org.fedoraproject.FirewallD1.$2" dnl
              | TRIM_WHITESPACE | DBUS_GETALL_NORMALIZE],
             [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
dnl DBUS_GET(object-subpath, interface-suffix, property-arg, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Read one property of an org.fedoraproject.FirewallD1 interface with
dnl dbus-send inside the test namespace. The first line of the reply is
dnl dropped and the rest is whitespace-normalised before comparison.
dnl NOTE(review): this pipeline is not wrapped in PIPESTATUS0, so unless the
dnl shell has pipefail set the status that is checked belongs to the last
dnl filter stage; a failing dbus-send shows up only through its output.
m4_define([DBUS_GET], [
    NS_CHECK([dbus-send --system --print-reply --dest=org.fedoraproject.FirewallD1 dnl
              /org/fedoraproject/FirewallD1/$1 dnl
              org.freedesktop.DBus.Properties.Get string:"org.fedoraproject.FirewallD1.$2" $3 dnl
              | tail -n +2 | TRIM_WHITESPACE],
             [$4], [m4_strip([$5])], [m4_strip([$6])], [$7], [$8])
])
dnl DBUS_SET(object-subpath, interface-suffix, property-args, [status], [stdout], [stderr], [run-if-fail], [run-if-pass])
dnl
dnl Set one property of an org.fedoraproject.FirewallD1 interface with
dnl dbus-send inside the test namespace. The reply is compared as it is;
dnl expected stdout and stderr are not passed through m4_strip here.
m4_define([DBUS_SET], [
    NS_CHECK([dbus-send --system --print-reply --dest=org.fedoraproject.FirewallD1 dnl
              /org/fedoraproject/FirewallD1/$1 dnl
              org.freedesktop.DBus.Properties.Set string:"org.fedoraproject.FirewallD1.$2" $3],
             [$4], [$5], [$6], [$7], [$8])
])
dnl CHECK_IPSET
dnl
dnl Capability probe for the nftables backend; expands to nothing for other
dnl backends. It creates the scratch table inet firewalld_check_ipset inside
dnl the test namespace and skips the test if the installed nft cannot flush a
dnl set, create sets with timeout and/or size, create an interval set with a
dnl concatenated type, or add a prefix-plus-range element through the JSON
dnl interface. The scratch table is deleted when every probe passes.
m4_define([CHECK_IPSET], [
    m4_if(nftables, FIREWALL_BACKEND, [
        dnl If our nft binary has buggy flush set, then skip the test
        NS_CHECK([nft add table inet firewalld_check_ipset])
        NS_CHECK([nft add set inet firewalld_check_ipset foobar { type ipv4_addr \; }])
        AT_SKIP_IF([! NS_CMD([nft flush set inet firewalld_check_ipset foobar >/dev/null 2>&1])])
        dnl If nft set has no timeout support, then skip the test
        AT_SKIP_IF([! NS_CMD([nft add set inet firewalld_check_ipset foobar_timeout { type ipv4_addr \; timeout 600s \; } >/dev/null 2>&1])])
        dnl If nft set has no size support, then skip the test
        AT_SKIP_IF([! NS_CMD([nft add set inet firewalld_check_ipset foobar_size { type ipv4_addr \; size 100000 \; } >/dev/null 2>&1])])
        AT_SKIP_IF([! NS_CMD([nft add set inet firewalld_check_ipset foobar_timeout_size { type ipv4_addr \; timeout 600s \; size 100000 \; } >/dev/null 2>&1])])

        dnl If nft set doesn't allow interval + concat, then skip the test
        AT_SKIP_IF([! NS_CMD([nft add set inet firewalld_check_ipset foobar_interval_concat { type ipv4_addr . inet_service \; flags interval \; } >/dev/null 2>&1])])
        dnl use JSON to verify a JSON parser bug is also fixed
        AT_SKIP_IF([! NS_CMD([[nft -j '{"nftables": [{"add": {"element": {"family": "inet", "table": "firewalld_check_ipset", "name": "foobar_interval_concat", "elem": [{"concat": [{"prefix": {"addr": "10.10.10.0", "len": 24}}, {"range": ["1234", "2000"]}]}]}}}]}' >/dev/null 2>&1]])])

        NS_CHECK([nft delete table inet firewalld_check_ipset])
    ])
])
dnl CHECK_IPSET_HASH_MAC
dnl
dnl Capability probe: skip the test unless ipset supports the hash:mac type.
dnl The help text is checked first, then a scratch set named foobar is
dnl created inside the test namespace and destroyed again. Expands to nothing
dnl in offline mode.
m4_define([CHECK_IPSET_HASH_MAC], [
    dnl skip if ipset hash:mac support is not there
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
        AT_SKIP_IF([! ipset --help | grep "hash:mac"])
        AT_SKIP_IF([! NS_CMD([ipset create foobar hash:mac >/dev/null 2>&1])])
        NS_CHECK([ipset destroy foobar])
    ])
])
dnl CHECK_NAT_COEXISTENCE
dnl With the nftables backend, skip the calling test unless the running kernel
dnl is 4.18 or newer, which this macro treats as the minimum for iptables and
dnl nftables NAT to be usable at the same time. Other backends get no check.
m4_define([CHECK_NAT_COEXISTENCE], [
    m4_if(nftables, FIREWALL_BACKEND, [
        dnl Major and minor are the first two dot-separated fields of uname -r.
        KERNEL_MAJOR=$(uname -r | cut -d. -f1)
        KERNEL_MINOR=$(uname -r | cut -d. -f2)
        if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 18 || test ${KERNEL_MAJOR} -gt 4; then
            :
        else
            dnl Also reached when a field is not numeric, because test then fails.
            AT_SKIP_IF([true])
        fi
    ])
])
dnl CHECK_LOG_AUDIT
dnl With the nftables backend, skip the calling test when nft does not accept
dnl a "log level audit" rule. The probe works in its own scratch table.
m4_define([CHECK_LOG_AUDIT], [
    m4_if(nftables, FIREWALL_BACKEND, [
        dnl Scratch table plus a base chain to hang the probe rule on.
        NS_CHECK([nft add table inet firewalld_check_log_audit])
        NS_CHECK([nft add chain inet firewalld_check_log_audit foobar { type filter hook input priority 0 \; } ])
        AT_SKIP_IF([! NS_CMD([nft add rule inet firewalld_check_log_audit foobar log level audit >/dev/null 2>&1])])
        dnl NOTE(review): a skip above ends the test before this delete runs, so
        dnl the scratch table may be left behind - confirm namespace teardown
        dnl removes it.
        NS_CHECK([nft delete table inet firewalld_check_log_audit])
    ])
])
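dnl CHECK_NFT_CT_HELPER
dnl With the nftables backend, skip the calling test when nft cannot create a
dnl conntrack helper object. Other backends get no check.
dnl
dnl The probe helper is added to the scratch table created here. The earlier
dnl form created the scratch table but added the helper to a table named
dnl firewalld, so the result depended on whether that table existed in the
dnl namespace, and a successful probe left a helper object in it.
m4_define([CHECK_NFT_CT_HELPER], [
    m4_if(nftables, FIREWALL_BACKEND, [
        NS_CHECK([nft add table inet firewalld_check_ct_helper])
        AT_SKIP_IF([! NS_CMD([nft add ct helper inet firewalld_check_ct_helper helper-ftp-tcp { type \"ftp\" protocol tcp \; } >/dev/null 2>&1])])
        dnl Deleting the scratch table also removes the probe helper inside it.
        dnl NOTE(review): a skip above ends the test before this delete runs -
        dnl confirm namespace teardown removes the scratch table in that case.
        NS_CHECK([nft delete table inet firewalld_check_ct_helper])
    ])
])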
dnl CHECK_MODULE_PROTO_GRE
dnl Skip the calling test when modinfo cannot find the
dnl nf_conntrack_proto_gre kernel module. The module is only looked up here,
dnl it is not loaded.
m4_define([CHECK_MODULE_PROTO_GRE], [
    AT_SKIP_IF([! NS_CMD([modinfo nf_conntrack_proto_gre])])
])
dnl IF_HOST_SUPPORTS_NFT_FIB(if-supported, if-unsupported)
dnl Run the first argument when the running kernel is 4.10 or newer, which this
dnl macro treats as the minimum for nft fib support, and the second argument
dnl otherwise. The lone colon in each branch keeps the shell syntax valid when
dnl an argument is empty.
m4_define([IF_HOST_SUPPORTS_NFT_FIB], [
    KERNEL_MAJOR=$(uname -r | cut -d. -f1)
    KERNEL_MINOR=$(uname -r | cut -d. -f2)
    if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 10 || test ${KERNEL_MAJOR} -gt 4; then
        :
        $1
    else
        :
        $2
    fi
])
dnl IF_HOST_SUPPORTS_IP6TABLES(if-supported, if-unsupported)
dnl Run the first argument when listing rules with the command held in the
dnl IP6TABLES shell variable succeeds, and the second argument otherwise.
dnl The command output is discarded; only the exit status is used. The lone
dnl colon in each branch keeps the shell syntax valid for an empty argument.
m4_define([IF_HOST_SUPPORTS_IP6TABLES], [
    if $IP6TABLES -L >/dev/null 2>&1; then
        :
        $1
    else
        :
        $2
    fi
])
dnl IF_HOST_SUPPORTS_IPV6(if-supported, if-unsupported)
dnl Run the first argument when the sysctl listing contains the fixed string
dnl net.ipv6, and the second argument otherwise. Only the output of grep is
dnl discarded; anything sysctl writes to stderr still reaches the test log.
dnl The lone colon in each branch keeps the shell syntax valid for an empty
dnl argument.
m4_define([IF_HOST_SUPPORTS_IPV6], [
    if sysctl -a |grep -F "net.ipv6" >/dev/null 2>&1; then
        :
        $1
    else
        :
        $2
    fi
])
dnl IF_HOST_SUPPORTS_IPV6_RULES(if-supported, if-unsupported)
dnl Decide at m4 time where possible: the first argument is used directly when
dnl TESTING_FIREWALL_OFFLINE_CMD is defined or when the backend is nftables.
dnl In every other case the choice is left to IF_HOST_SUPPORTS_IP6TABLES,
dnl which probes the host when the test runs.
m4_define([IF_HOST_SUPPORTS_IPV6_RULES], [
    m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [$1], [
        m4_if(nftables, FIREWALL_BACKEND, [$1], [
            IF_HOST_SUPPORTS_IP6TABLES([$1], [$2])
        ])
    ])
])
dnl NMCLI_CHECK(nmcli-arguments, ...)
dnl Skip the calling test when "nmcli connection show" fails inside the test
dnl namespace. Otherwise run nmcli with the first argument through PIPESTATUS0
dnl and TRIM_WHITESPACE and hand the result to NS_CHECK. Arguments two to six
dnl are forwarded to NS_CHECK, the third and fourth after m4_strip.
dnl NOTE(review): presumably these follow the AT_CHECK order of status, stdout,
dnl stderr, run-if-fail, run-if-pass - confirm against NS_CHECK.
m4_define([NMCLI_CHECK], [
    AT_SKIP_IF([! NS_CMD([nmcli connection show >/dev/null 2>&1])])
    NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])],
             [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
])
dnl IF_HOST_SUPPORTS_NFT_RULE_INDEX(if-supported, if-unsupported)
dnl With the nftables backend, load a small ruleset that inserts a rule by
dnl index in the same transaction that created the chain, then run the first
dnl argument when the inserted rule appears on line 5 of the chain listing and
dnl the second argument otherwise. Other backends always get the first argument.
dnl
dnl NOTE(review): the scratch table and its input-hook chain exist while the
dnl chosen argument runs and are removed afterwards; if that argument skips or
dnl fails the test, the two cleanup steps are not reached - confirm namespace
dnl teardown covers that case.
m4_define([IF_HOST_SUPPORTS_NFT_RULE_INDEX], [
    m4_if(nftables, FIREWALL_BACKEND, [
        dnl The data block and its closing line stay at column 0 so the file
        dnl written by AT_DATA has no stray indentation.
        AT_DATA([./nft_rule_index.nft], [
add table inet firewalld_check_rule_index
add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; }
add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept
add rule inet firewalld_check_rule_index foobar accept
insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept
])
        NS_CHECK([nft -f ./nft_rule_index.nft])

        dnl Line 5 of the listing is compared with the inserted udp rule.
        dnl NOTE(review): this assumes the usual nft listing layout, where the
        dnl first rule of the chain is on line 4.
        if test "$( NS_CMD([nft list chain inet firewalld_check_rule_index foobar | head -n 5 |tail -n 1 | TRIM_WHITESPACE]) )" = "udp dport 4321 accept"; then
            :
            $1
        else
            :
            $2
        fi

        dnl Remove the ruleset file and the scratch table.
        NS_CHECK([rm ./nft_rule_index.nft])
        NS_CHECK([nft delete table inet firewalld_check_rule_index])
    ], [$1])
])