FWD_START_TEST([customer helpers])
AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520)
FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"])
FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"])
FWD_CHECK([-q --permanent --new-service="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"])
FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
ftptest
ports: 2121/tcp
protocols:
source-ports:
modules: ftptest
destination:
includes:
helpers:
])])
FWD_RELOAD
FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
ftptest
ports: 2121/tcp
protocols:
source-ports:
modules: ftptest
destination:
includes:
helpers:
])])
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
}
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl Same thing as above, but with the new "helper" in service.
FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1)
FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"])
FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
ftptest
ports: 2121/tcp
protocols:
source-ports:
modules:
destination:
includes:
helpers: ftptest
])])
FWD_RELOAD
FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
ftptest
ports: 2121/tcp
protocols:
source-ports:
modules:
destination:
includes:
helpers: ftptest
])])
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
}
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl again, but with both "module" and "helper"
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --remove-helper="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftp"])
FWD_CHECK([-q --permanent --service=ftptest --add-port="21/tcp"])
FWD_RELOAD
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
tcp dport 21 ct state new,untracked accept
}
}
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp
CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
FWD_END_TEST