source-git / firewalld

Clone
Source Code
GIT

Files

c8 c8s master
  1.   c8s
  2.   src
  3.   tests
  4.   features
  5.   icmp_blocks.at
Blob Blame History Raw 
FWD_START_TEST([ICMP blocks])
AT_KEYWORDS(policy icmp_block)

FWD_CHECK([--permanent --new-policy=foobar], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-ingress-zone ANY], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-egress-zone HOST], 0, [ignore])

dnl permanent --> runtime
FWD_CHECK([--permanent --policy=foobar --add-icmp-block echo-request], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-icmp-block echo-reply], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-icmp-block redirect], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --add-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-request], 0, ignore)
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-reply], 0, ignore)
FWD_CHECK([--permanent --policy foobar --query-icmp-block redirect], 0, ignore)
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_RELOAD
FWD_CHECK([--policy foobar --query-icmp-block echo-request], 0, ignore)
FWD_CHECK([--policy foobar --query-icmp-block echo-reply], 0, ignore)
FWD_CHECK([--policy foobar --query-icmp-block redirect], 0, ignore)
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_allow], 0, [dnl
    table inet firewalld {
        chain filter_IN_policy_foobar_allow {
        }
    }
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_deny], 0, [dnl
    table inet firewalld {
        chain filter_IN_policy_foobar_deny {
            icmp type echo-request reject with icmpx type admin-prohibited
            icmpv6 type echo-request reject with icmpx type admin-prohibited
            icmp type echo-reply reject with icmpx type admin-prohibited
            icmpv6 type echo-reply reject with icmpx type admin-prohibited
            icmp type redirect reject with icmpx type admin-prohibited
            icmpv6 type nd-redirect reject with icmpx type admin-prohibited
            ip6 saddr 1234:5678::/64 icmpv6 type nd-redirect reject with icmpx type admin-prohibited
        }
    }
])
IPTABLES_LIST_RULES([filter], [IN_foobar_allow], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_foobar_deny], 0, [dnl
    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 0 reject-with icmp-host-prohibited
    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 5 reject-with icmp-host-prohibited
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_deny], 0, [dnl
    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 129 reject-with icmp6-adm-prohibited
    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 137 reject-with icmp6-adm-prohibited
    REJECT icmpv6 1234:5678::/64 ::/0 ipv6-icmptype 137 reject-with icmp6-adm-prohibited
])
FWD_CHECK([--permanent --policy=foobar --remove-icmp-block echo-request], 0, [ignore])
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-request], 1, [ignore])
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-reply], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --remove-icmp-block echo-reply], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --remove-icmp-block redirect], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --remove-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 1, [ignore])
])
FWD_CHECK([--policy=foobar --remove-icmp-block echo-request], 0, [ignore])
FWD_CHECK([--policy foobar --query-icmp-block echo-request], 1, [ignore])
FWD_CHECK([--policy foobar --query-icmp-block echo-reply], 0, [ignore])
FWD_CHECK([--policy=foobar --remove-icmp-block echo-reply], 0, [ignore])
FWD_CHECK([--policy=foobar --remove-icmp-block redirect], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --remove-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
FWD_CHECK([--policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 1, [ignore])
])

dnl runtime --> permanent
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
FWD_CHECK([--policy=foobar --add-icmp-block echo-request], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --add-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_CHECK([--policy foobar --query-icmp-block echo-request], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_CHECK([--runtime-to-permanent], 0, [ignore])
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-request], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_allow], 0, [dnl
    table inet firewalld {
        chain filter_IN_policy_foobar_allow {
        }
    }
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_deny], 0, [dnl
    table inet firewalld {
        chain filter_IN_policy_foobar_deny {
            icmp type echo-request reject with icmpx type admin-prohibited
            icmpv6 type echo-request reject with icmpx type admin-prohibited
            ip6 saddr 1234:5678::/64 icmpv6 type nd-redirect reject with icmpx type admin-prohibited
        }
    }
])
IPTABLES_LIST_RULES([filter], [IN_foobar_allow], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_foobar_deny], 0, [dnl
    REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_deny], 0, [dnl
    REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited
    REJECT icmpv6 1234:5678::/64 ::/0 ipv6-icmptype 137 reject-with icmp6-adm-prohibited
])
FWD_CHECK([--permanent --policy=foobar --remove-icmp-block echo-request], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --remove-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_CHECK([--permanent --policy foobar --query-icmp-block echo-request], 1, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 1, [ignore])
])
FWD_CHECK([--policy=foobar --remove-icmp-block echo-request], 0, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --remove-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 0, [ignore])
])
FWD_CHECK([--policy foobar --query-icmp-block echo-request], 1, [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--policy=foobar --query-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="redirect"'], 1, [ignore])
])
])

dnl invalid icmp blocks
FWD_CHECK([--permanent --policy=foobar --add-icmp-block dummy], 107, [ignore], [ignore])
FWD_CHECK([--policy=foobar --add-icmp-block dummy], 107, [ignore], [ignore])
IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --policy=foobar --add-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="dummy"'], 107, [ignore], [ignore])
FWD_CHECK([--policy=foobar --add-rich-rule='rule family=ipv6 source address=1234:5678::/64 icmp-block name="dummy"'], 107, [ignore], [ignore])
])

FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation