FWD_START_TEST([rich rules])
AT_KEYWORDS(policy rich)
dnl
dnl This is basic rich rule coverage. Each feature has its own coverage which
dnl should include rich rules as well.
dnl
dnl Conventions used throughout (the FWD_CHECK arguments appear to follow the
dnl AT_CHECK shape: command, expected exit status, expected stdout, expected
dnl stderr; [ignore] skips that comparison). Every section changes the
dnl --permanent configuration and then calls FWD_RELOAD before listing the
dnl backend chains, so the listings reflect the reloaded permanent config.
dnl
dnl Setup: a fresh policy "foobar" with ingress zone ANY and egress zone HOST.
FWD_CHECK([--permanent --new-policy=foobar], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-ingress-zone ANY], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-egress-zone HOST], 0, [ignore])
FWD_RELOAD
dnl basic layout
dnl
dnl With no rich rules yet, the policy's filter chain is expected to hold only
dnl jumps to its five sub-chains, in this fixed order: pre, log, deny, allow,
dnl post. The priority sections below rely on exactly this ordering.
NFT_LIST_RULES([inet], [filter_IN_policy_foobar], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar {
jump filter_IN_policy_foobar_pre
jump filter_IN_policy_foobar_log
jump filter_IN_policy_foobar_deny
jump filter_IN_policy_foobar_allow
jump filter_IN_policy_foobar_post
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar], 0, [dnl
IN_foobar_pre all -- 0.0.0.0/0 0.0.0.0/0
IN_foobar_log all -- 0.0.0.0/0 0.0.0.0/0
IN_foobar_deny all -- 0.0.0.0/0 0.0.0.0/0
IN_foobar_allow all -- 0.0.0.0/0 0.0.0.0/0
IN_foobar_post all -- 0.0.0.0/0 0.0.0.0/0
])
IP6TABLES_LIST_RULES([filter], [IN_foobar], 0, [dnl
IN_foobar_pre all ::/0 ::/0
IN_foobar_log all ::/0 ::/0
IN_foobar_deny all ::/0 ::/0
IN_foobar_allow all ::/0 ::/0
IN_foobar_post all ::/0 ::/0
])
dnl priority
dnl
dnl Rule placement by priority, as the expected listings below show:
dnl   priority < 0  -> _pre chain  (the -1 rule on 10.10.10.14)
dnl   priority = 0  -> chain chosen by action: log/audit -> _log,
dnl                    reject/drop -> _deny, accept -> _allow
dnl   priority > 0  -> _post chain (the +1 rule on 10.10.10.15)
dnl The rule on 10.10.10.10 omits priority and lands in _allow, so the default
dnl looks equivalent to priority=0. A priority-0 rule combining log/audit with
dnl accept is split: the log/audit part goes to _log, the accept part to _allow.
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 source address=10.10.10.10 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.11 log accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.11 audit accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.12 reject'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_pre {
ip saddr 10.10.10.14 accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_pre], 0, [dnl
ACCEPT all -- 10.10.10.14 0.0.0.0/0
])
dnl The "audit" action is rendered as "log level audit" by nft and as an AUDIT
dnl target by iptables; the plain "log" rule carries no explicit level here.
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_log], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_log {
ip saddr 10.10.10.11 log
ip saddr 10.10.10.11 log level audit
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_log], 0, [dnl
LOG all -- 10.10.10.11 0.0.0.0/0 LOG flags 0 level 4
AUDIT all -- 10.10.10.11 0.0.0.0/0 AUDIT accept
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_deny], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_deny {
ip saddr 10.10.10.12 reject
ip saddr 10.10.10.13 drop
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_deny], 0, [dnl
REJECT all -- 10.10.10.12 0.0.0.0/0 reject-with icmp-port-unreachable
DROP all -- 10.10.10.13 0.0.0.0/0
])
dnl NOTE(review): the two accept halves of the log+accept and audit+accept
dnl rules on 10.10.10.11 are expected as a single nft rule but as two ACCEPT
dnl entries in iptables -- the backends' expected output differs here, so keep
dnl both listings in sync when changing these rules.
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_allow], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_allow {
ip saddr 10.10.10.10 accept
ip saddr 10.10.10.11 accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_allow], 0, [dnl
ACCEPT all -- 10.10.10.10 0.0.0.0/0
ACCEPT all -- 10.10.10.11 0.0.0.0/0
ACCEPT all -- 10.10.10.11 0.0.0.0/0
])
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_post], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_post {
ip saddr 10.10.10.15 accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
ACCEPT all -- 10.10.10.15 0.0.0.0/0
])
dnl source/destination
dnl
dnl Negative priorities order the _pre chain most-negative first: -4, -3, -2,
dnl then the two -1 rules (10.10.10.14 from the previous section, then
dnl 10.20.20.20 -- apparently insertion order for equal priorities). The
dnl family=ipv6 rule shows up only in the ip6tables listing and as "ip6"
dnl matches in the inet nft chain; the ipv4 rules only in iptables / "ip".
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.20.20.20 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-2 destination address=10.20.20.21 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-3 source address=10.20.20.22 destination address=10.20.20.23 drop'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv6 priority=-4 source address=1234::4321 destination address=1234::4444 drop'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_pre {
ip6 daddr 1234::4444 ip6 saddr 1234::4321 drop
ip daddr 10.20.20.23 ip saddr 10.20.20.22 drop
ip daddr 10.20.20.21 accept
ip saddr 10.10.10.14 accept
ip saddr 10.20.20.20 accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_pre], 0, [dnl
DROP all -- 10.20.20.22 10.20.20.23
ACCEPT all -- 0.0.0.0/0 10.20.20.21
ACCEPT all -- 10.10.10.14 0.0.0.0/0
ACCEPT all -- 10.20.20.20 0.0.0.0/0
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_pre], 0, [dnl
DROP all 1234::4321 1234::4444
])
dnl icmp-type
dnl
dnl icmp-type rules without an explicit family: "echo-request" is expected in
dnl both address families (icmp type 8 and icmpv6 type 128), so it yields two
dnl nft rules and one entry each in iptables and ip6tables.
dnl "neighbour-advertisement" is expected only as icmpv6 (type 136, nft name
dnl nd-neighbor-advert) and has no iptables counterpart. The -2 echo-request
dnl rules sort before the existing -1 rules; the -1 neighbour-advertisement
dnl rule sorts after them.
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=-1 icmp-type name="neighbour-advertisement" accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=-2 icmp-type name="echo-request" accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_pre {
ip6 daddr 1234::4444 ip6 saddr 1234::4321 drop
ip daddr 10.20.20.23 ip saddr 10.20.20.22 drop
ip daddr 10.20.20.21 accept
icmp type echo-request accept
icmpv6 type echo-request accept
ip saddr 10.10.10.14 accept
ip saddr 10.20.20.20 accept
icmpv6 type nd-neighbor-advert accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_pre], 0, [dnl
DROP all -- 10.20.20.22 10.20.20.23
ACCEPT all -- 0.0.0.0/0 10.20.20.21
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT all -- 10.10.10.14 0.0.0.0/0
ACCEPT all -- 10.20.20.20 0.0.0.0/0
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_pre], 0, [dnl
DROP all 1234::4321 1234::4444
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
])
dnl The next three sections check that the mark action is accepted, and lands
dnl in the mangle table's _PRE_ _pre chain for both address families, when the
dnl policy's egress zone is HOST, ANY, or a source-based zone. The egress zone
dnl is swapped by removing and re-adding it; the two mark rules stay in place
dnl until they are removed at the end of the source-based case. Then a fourth
dnl section checks that the same rule is rejected for an interface-based egress
dnl zone.
FWD_CHECK([--permanent --policy=foobar --remove-egress-zone HOST], 0, [ignore])
dnl mark action
dnl valid if egress zone is HOST
dnl
dnl set=1234 is expected as 0x4d2 / 0x000004d2; set=0x6600/0xFF00 is a masked
dnl set (iptables "xset", nft "mark & 0x0000ff00 ^ 0x00006600"). The -2 rule
dnl lists before the -1 rule.
FWD_CHECK([--permanent --policy=foobar --add-egress-zone HOST], 0, [ignore])
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=-1 mark set=1234'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=-2 mark set=0x6600/0xFF00'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [mangle_PRE_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain mangle_PRE_policy_foobar_pre {
mark set mark & 0x0000ff00 ^ 0x00006600
mark set 0x000004d2
}
}
])
IPTABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x6600/0xff00
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x4d2
])
IP6TABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all ::/0 ::/0 MARK xset 0x6600/0xff00
MARK all ::/0 ::/0 MARK set 0x4d2
])
FWD_CHECK([--permanent --policy=foobar --remove-egress-zone HOST], 0, [ignore])
dnl mark action
dnl valid if egress zone is ANY
dnl
dnl Same mark rules as above, only the egress zone changes; the expected
dnl listings are identical to the HOST case.
FWD_CHECK([--permanent --policy=foobar --add-egress-zone ANY], 0, [ignore])
FWD_RELOAD
NFT_LIST_RULES([inet], [mangle_PRE_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain mangle_PRE_policy_foobar_pre {
mark set mark & 0x0000ff00 ^ 0x00006600
mark set 0x000004d2
}
}
])
IPTABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x6600/0xff00
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x4d2
])
IP6TABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all ::/0 ::/0 MARK xset 0x6600/0xff00
MARK all ::/0 ::/0 MARK set 0x4d2
])
FWD_CHECK([--permanent --policy=foobar --remove-egress-zone ANY], 0, [ignore])
dnl mark action
dnl valid if egress zone is source-based
dnl
dnl Adding a source to zone "public" makes it source-based for the purpose of
dnl this check; the expected listings are again unchanged.
FWD_CHECK([--permanent --zone=public --add-source 10.10.10.0/24], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-egress-zone public], 0, [ignore])
FWD_RELOAD
NFT_LIST_RULES([inet], [mangle_PRE_policy_foobar_pre], 0, [dnl
table inet firewalld {
chain mangle_PRE_policy_foobar_pre {
mark set mark & 0x0000ff00 ^ 0x00006600
mark set 0x000004d2
}
}
])
IPTABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xset 0x6600/0xff00
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x4d2
])
IP6TABLES_LIST_RULES([mangle], [PRE_foobar_pre], 0, [dnl
MARK all ::/0 ::/0 MARK xset 0x6600/0xff00
MARK all ::/0 ::/0 MARK set 0x4d2
])
dnl Cleanup of the source-based case: the egress zone, the public source and
dnl both mark rules are removed from the permanent configuration and (the
dnl FWD_CHECK lines without --permanent) from the runtime configuration, so
dnl the interface-based case below starts without any mark rule present.
FWD_CHECK([--permanent --policy=foobar --remove-egress-zone public], 0, [ignore])
FWD_CHECK([--permanent --zone=public --remove-source 10.10.10.0/24], 0, [ignore])
FWD_CHECK([ --policy=foobar --remove-egress-zone public], 0, [ignore])
FWD_CHECK([ --zone=public --remove-source 10.10.10.0/24], 0, [ignore])
FWD_CHECK([--permanent --policy foobar --remove-rich-rule='rule priority=-1 mark set=1234'], 0, ignore)
FWD_CHECK([ --policy foobar --remove-rich-rule='rule priority=-1 mark set=1234'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --remove-rich-rule='rule priority=-2 mark set=0x6600/0xFF00'], 0, ignore)
FWD_CHECK([ --policy foobar --remove-rich-rule='rule priority=-2 mark set=0x6600/0xFF00'], 0, ignore)
dnl mark action
dnl invalid if egress zone is interface-based
dnl
dnl Binding interface foobar0 to "public" makes it interface-based; adding the
dnl mark rule must then fail with exit status 112 (stdout and stderr are not
dnl compared). This is exercised for --permanent and for runtime, and the
dnl interface binding and egress zone are cleaned up again each time.
FWD_CHECK([--permanent --zone=public --add-interface foobar0], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --add-egress-zone public], 0, [ignore])
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=-1 mark set=1234'], 112, [ignore], [ignore])
FWD_CHECK([--permanent --zone=public --remove-interface foobar0], 0, [ignore])
FWD_CHECK([--permanent --policy=foobar --remove-egress-zone public], 0, [ignore])
FWD_CHECK([ --zone=public --add-interface foobar0], 0, [ignore])
FWD_CHECK([ --policy=foobar --add-egress-zone public], 0, [ignore])
FWD_CHECK([ --policy foobar --add-rich-rule='rule priority=-1 mark set=1234'], 112, [ignore], [ignore])
FWD_CHECK([ --zone=public --remove-interface foobar0], 0, [ignore])
FWD_CHECK([ --policy=foobar --remove-egress-zone public], 0, [ignore])
dnl Restore egress zone HOST (the setup state) for the final section.
FWD_CHECK([--permanent --policy=foobar --add-egress-zone HOST], 0, [ignore])
dnl log/audit action
dnl
dnl Large positive priorities place these rules in the _post chain, after the
dnl existing priority=1 accept. The rich-rule prefix "LOG: " is expected to
dnl surface as "'LOG: '" in the iptables/ip6tables listings, and level="warning"
dnl as "level 4" there; neither level appears in the nft listing. "audit accept"
dnl is expected as two consecutive nft rules (log level audit, accept) and as
dnl AUDIT + ACCEPT entries in iptables.
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=32000 log prefix="LOG: " level="warning"'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority=32001 audit accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_post], 0, [dnl
table inet firewalld {
chain filter_IN_policy_foobar_post {
ip saddr 10.10.10.15 accept
log prefix "LOG: "
log level audit
accept
}
}
])
IPTABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
ACCEPT all -- 10.10.10.15 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "'LOG: '"
AUDIT all -- 0.0.0.0/0 0.0.0.0/0 AUDIT accept
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
])
IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "'LOG: '"
AUDIT all ::/0 ::/0 AUDIT accept
ACCEPT all ::/0 ::/0
])
dnl The sed expression handed to FWD_END_TEST drops "ERROR: INVALID_ZONE:"
dnl lines from the captured error output before the final comparison --
dnl presumably produced by the runtime-only removals above; confirm against
dnl the FWD_END_TEST definition.
FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d'])