FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)
dnl Expected test results assume this is set to "no"
AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
FWD_RELOAD
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])
NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
table inet firewalld {
chain filter_OUTPUT {
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
}
}
])
IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 0, [dnl
LOG all ::/0 2002:e000::/19 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:e000::/19 reject-with icmp6-addr-unreachable
LOG all ::/0 2002:a9fe::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:a9fe::/32 reject-with icmp6-addr-unreachable
LOG all ::/0 2002:c0a8::/32 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:c0a8::/32 reject-with icmp6-addr-unreachable
LOG all ::/0 2002:ac10::/28 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:ac10::/28 reject-with icmp6-addr-unreachable
LOG all ::/0 2002:7f00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:7f00::/24 reject-with icmp6-addr-unreachable
LOG all ::/0 2002:a00::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002:a00::/24 reject-with icmp6-addr-unreachable
LOG all ::/0 2002::/24 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 2002::/24 reject-with icmp6-addr-unreachable
LOG all ::/0 ::ffff:0.0.0.0/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 ::ffff:0.0.0.0/96 reject-with icmp6-addr-unreachable
LOG all ::/0 ::/96 LOG flags 0 level 4 prefix "RFC3964_IPv4_REJECT: "
REJECT all ::/0 ::/96 reject-with icmp6-addr-unreachable
])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
FORWARD_direct all ::/0 ::/0
RFC3964_IPv4 all ::/0 ::/0
FORWARD_IN_ZONES all ::/0 ::/0
FORWARD_OUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
IP6TABLES_LIST_RULES([filter], [OUTPUT], 0, [dnl
ACCEPT all ::/0 ::/0
OUTPUT_direct all ::/0 ::/0
RFC3964_IPv4 all ::/0 ::/0
])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=no/' ./firewalld.conf])
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])
NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
table inet firewalld {
chain filter_OUTPUT {
oifname "lo" accept
}
}
])
IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 1, [ignore], [ignore])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
FORWARD_direct all ::/0 ::/0
FORWARD_IN_ZONES all ::/0 ::/0
FORWARD_OUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
IP6TABLES_LIST_RULES([filter], [OUTPUT], 0, [dnl
ACCEPT all ::/0 ::/0
OUTPUT_direct all ::/0 ::/0
])
FWD_END_TEST