dnl Check that the RFC3964_IPv4 option installs (and, once switched off again,
dnl removes) firewalld's 6to4 sanity filter on both the nftables and the
dnl ip6tables backend. Settings are edited with sed in ./firewalld.conf and
dnl applied by FWD_RELOAD; every listing below is compared verbatim.
FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)

dnl Expected test results assume this is set to "no"
AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
FWD_RELOAD

dnl RFC3964_IPv4=yes enables the filter; LogDenied=all is presumably what makes
dnl the backends emit the "RFC3964_IPv4_REJECT: " log lines expected below.
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD

dnl nftables: a single set-match rule in filter_FORWARD and filter_OUTPUT that
dnl logs and rejects (ICMPv6 address unreachable) traffic to ::/96 and
dnl ::ffff:0.0.0.0/96 (IPv4-compatible / IPv4-mapped) plus the 6to4 prefixes
dnl (2002::/16) whose embedded IPv4 address decodes to 0/8, 10/8, 127/8,
dnl 169.254/16, 172.16/12, 192.168/16 or 224.0.0.0/3. In filter_FORWARD the
dnl rule sits after the "lo" accept and ahead of the zone jumps, so zone
dnl policy never sees these packets.
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
    table inet firewalld {
    chain filter_FORWARD {
    ct state established,related accept
    ct status dnat accept
    iifname "lo" accept
    ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
    jump filter_FORWARD_IN_ZONES
    jump filter_FORWARD_OUT_ZONES
    ct state invalid log prefix "STATE_INVALID_DROP: "
    ct state invalid drop
    log prefix "FINAL_REJECT: "
    reject with icmpx type admin-prohibited
    }
    }
])
NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
    table inet firewalld {
    chain filter_OUTPUT {
    oifname "lo" accept
    ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
    }
    }
])
dnl ip6tables: the same prefixes live in a dedicated RFC3964_IPv4 chain as
dnl LOG/REJECT pairs (listed in reverse order of the nft set). The chain is
dnl referenced from FORWARD (between FORWARD_direct and FORWARD_IN_ZONES) and
dnl from OUTPUT (after OUTPUT_direct).
IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 0, [dnl
    LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:e000::/19 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:a9fe::/32 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:c0a8::/32 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:ac10::/28 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:7f00::/24 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002:a00::/24 reject-with icmp6-addr-unreachable
    LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 2002::/24 reject-with icmp6-addr-unreachable
    LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 ::ffff:0.0.0.0/96 reject-with icmp6-addr-unreachable
    LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
    REJECT all ::/0 ::/96 reject-with icmp6-addr-unreachable
])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
    ACCEPT all ::/0 ::/0
    FORWARD_direct all ::/0 ::/0
    RFC3964_IPv4 all ::/0 ::/0
    FORWARD_IN_ZONES all ::/0 ::/0
    FORWARD_OUT_ZONES all ::/0 ::/0
    LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
    DROP all ::/0 ::/0 ctstate INVALID
    LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
IP6TABLES_LIST_RULES([filter], [OUTPUT], 0, [dnl
    ACCEPT all ::/0 ::/0
    OUTPUT_direct all ::/0 ::/0
    RFC3964_IPv4 all ::/0 ::/0
])

dnl Disable the option again and verify the filter is fully torn down rather
dnl than left behind: the nft reject rule and the ip6tables chain references
dnl must be absent from the same chains checked above.
dnl NOTE(review): only FORWARD and OUTPUT are inspected in both halves of this
dnl test; whether INPUT is intentionally outside the filter's scope is not
dnl visible here.
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=no/' ./firewalld.conf])
FWD_RELOAD

NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
    table inet firewalld {
    chain filter_FORWARD {
    ct state established,related accept
    ct status dnat accept
    iifname "lo" accept
    jump filter_FORWARD_IN_ZONES
    jump filter_FORWARD_OUT_ZONES
    ct state invalid log prefix "STATE_INVALID_DROP: "
    ct state invalid drop
    log prefix "FINAL_REJECT: "
    reject with icmpx type admin-prohibited
    }
    }
])
NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
    table inet firewalld {
    chain filter_OUTPUT {
    oifname "lo" accept
    }
    }
])

dnl Listing the RFC3964_IPv4 chain is now expected to fail (exit status 1,
dnl output ignored), presumably because the chain itself has been deleted.
IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 1, [ignore], [ignore])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
    ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
    ACCEPT all ::/0 ::/0
    FORWARD_direct all ::/0 ::/0
    FORWARD_IN_ZONES all ::/0 ::/0
    FORWARD_OUT_ZONES all ::/0 ::/0
    LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
    DROP all ::/0 ::/0 ctstate INVALID
    LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
    REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
IP6TABLES_LIST_RULES([filter], [OUTPUT], 0, [dnl
    ACCEPT all ::/0 ::/0
    OUTPUT_direct all ::/0 ::/0
])

FWD_END_TEST