source-git / firewalld

Clone
Source Code
GIT

Files

  1.   4d91e9682ac6eb278f2f7548854d79a86822cc94
  2.   src
  3.   tests
  4.   features
  5.   service_include.at
Blob Blame History Raw 
FWD_START_TEST([service include])
AT_KEYWORDS(service xml gh273 rhbz1720300)

AT_CHECK([mkdir -p ./services])
AT_CHECK([cat <<HERE > ./services/my-service-with-include.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>my-service-with-include</short>
  <description>This service includes other services</description>
  <port protocol="tcp" port="12345"/>
  <include service="ssdp"/>
  <include service="mdns"/>
  <include service="recursive-service"/>
</service>
HERE
])
AT_CHECK([cat <<HERE > ./services/recursive-service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>recursive-service</short>
  <description>Include a service that included us</description>
  <include service="my-service-with-include"/>
</service>
HERE
])
FWD_RELOAD

FWD_CHECK([-q --zone=drop --add-interface=foobar0])
FWD_CHECK([-q --zone=drop --add-service=my-service-with-include])
FWD_CHECK([--zone=drop --list-services], 0, [dnl
my-service-with-include
])

dnl check recursive includes
FWD_CHECK([-q --zone=drop --add-service=recursive-service])
FWD_CHECK([-q --zone=drop --remove-service=recursive-service])

NFT_LIST_RULES([inet], [filter_IN_drop_allow], 0, [dnl
    table inet firewalld {
    chain filter_IN_drop_allow {
    ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
    ip6 daddr ff02::c udp dport 1900 ct state new,untracked accept
    ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
    ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
    tcp dport 12345 ct state new,untracked accept
    }
    }
])
IPTABLES_LIST_RULES([filter], [IN_drop_allow], 0, [dnl
    ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
    ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_drop_allow], 0, [dnl
    ACCEPT udp ::/0 ff02::c udp dpt:1900 ctstate NEW,UNTRACKED
    ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
    ACCEPT tcp ::/0 ::/0 tcp dpt:12345 ctstate NEW,UNTRACKED
])

dnl firewall-cmd
FWD_CHECK([--permanent --service=my-service-with-include --query-include=recursive-service], 0, [ignore], [ignore])
FWD_CHECK([-q --permanent --service=my-service-with-include --add-include=ssh])
FWD_CHECK([--permanent --service=my-service-with-include --query-include=ssh], 0, [ignore], [ignore])
AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml ], 0, [ignore], [ignore])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=ssh])
FWD_CHECK([--permanent --service=my-service-with-include --query-include=ssh], 1, [ignore], [ignore])
AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml ], 1, [ignore], [ignore])
FWD_CHECK([--permanent --service=my-service-with-include --get-includes], 0, [dnl
mdns recursive-service ssdp
])
FWD_CHECK([--permanent --info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
  ports: 12345/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes: mdns recursive-service ssdp
  helpers:
])])
FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
  ports: 12345/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes: mdns recursive-service ssdp
  helpers:
])])

dnl firewall-offline-cmd
FWD_OFFLINE_CHECK([--service=my-service-with-include --query-include=recursive-service], 0, [ignore], [ignore])
FWD_OFFLINE_CHECK([-q --service=my-service-with-include --add-include=ssh])
FWD_OFFLINE_CHECK([--service=my-service-with-include --query-include=ssh], 0, [ignore], [ignore])
AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml ], 0, [ignore], [ignore])
FWD_OFFLINE_CHECK([-q --service=my-service-with-include --remove-include=ssh])
FWD_OFFLINE_CHECK([--service=my-service-with-include --query-include=ssh], 1, [ignore], [ignore])
AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml ], 1, [ignore], [ignore])
FWD_OFFLINE_CHECK([--service=my-service-with-include --get-includes], 0, [dnl
mdns recursive-service ssdp
])
FWD_OFFLINE_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
  ports: 12345/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes: mdns recursive-service ssdp
  helpers:
])])

dnl negative test for including service that doesn't exist
FWD_CHECK([-q --permanent --zone=drop --add-interface=foobar0])
FWD_CHECK([-q --permanent --zone=drop --add-service=my-service-with-include])
FWD_CHECK([-q --permanent --service=my-service-with-include --add-include=does-not-exist])
FWD_RELOAD(101, [ignore], [ignore], 251)
FWD_CHECK([--zone=drop --list-services], 0, [dnl

])
FWD_CHECK([--zone=public --list-services], 0, [dnl
cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD

FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: does-not-exist/d'])

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation