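dnl Regression test for rhbz1514043: firewall-cmd --set-log-denied must not
dnl wipe the existing (permanent) configuration. The test turns log-denied on,
dnl makes an unrelated permanent zone change, reloads, and then verifies that
dnl both the zone change and the log-denied setting survived the reload.
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
dnl The permanent zone change must still be present after the reload; if
dnl --set-log-denied had truncated the config, samba would be missing here.
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
services: dhcpv6-client samba ssh
])
dnl The log-denied setting itself must also be reported back after the
dnl reload, i.e. it was persisted and re-read rather than reset to the default.
FWD_CHECK([--get-log-denied], 0, [dnl
all
])
dnl check that log denied actually took effect: with log-denied=all the
dnl INPUT/FORWARD chains gain LOG rules ("STATE_INVALID_DROP: ", "FINAL_REJECT: ")
dnl immediately before the corresponding DROP/REJECT. Each listing macro below
dnl presumably applies only to the backend under test (nftables vs iptables).
dnl NOTE(review): these LOG rules carry no rate limit, so log-denied=all logs
dnl every rejected packet; that is the expected firewalld behaviour, not a
dnl defect of this test.
NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
table inet firewalld {
chain filter_INPUT {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])
NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
table inet firewalld {
chain filter_FORWARD {
ct state established,related accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
log prefix "FINAL_REJECT: "
reject with icmpx type admin-prohibited
}
}
])
dnl iptables backend: same LOG/DROP and LOG/REJECT pairs, IPv4 table.
IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
dnl ip6tables backend: IPv6 table; FORWARD additionally routes through the
dnl RFC3964_IPv4 chain before the zone chains.
IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
INPUT_direct all ::/0 ::/0
INPUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
FORWARD_direct all ::/0 ::/0
RFC3964_IPv4 all ::/0 ::/0
FORWARD_IN_ZONES all ::/0 ::/0
FORWARD_OUT_ZONES all ::/0 ::/0
LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all ::/0 ::/0 ctstate INVALID
LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
FWD_END_TEST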