tests: add firewalld default ruleset from fedora 27

author Florian Westphal <fw@strlen.de>

Wed, 27 Jun 2018 21:35:21 +0000 (23:35 +0200)

committer Florian Westphal <fw@strlen.de>

Wed, 27 Jun 2018 21:44:04 +0000 (23:44 +0200)
author Florian Westphal <fw@strlen.de>
Wed, 27 Jun 2018 21:35:21 +0000 (23:35 +0200)
committer Florian Westphal <fw@strlen.de>
Wed, 27 Jun 2018 21:44:04 +0000 (23:44 +0200)
diff --git a/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0 b/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0

new file mode 100755 (executable)

index 0000000..2ab08b7
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+
+clean_tmpfile()
+{
+        if [ ! -z "$tmpfile" ];then
+                rm -f "$tmpfile"
+        fi
+}
+
+trap clean_tmpfile EXIT
+
+do_diff()
+{
+       A="$1"
+       B="$2"
+
+       AT=$(mktemp)
+       grep -v "^#" "$A" > "$AT"
+
+       diff -u "$AT" "$B"
+       x=$?
+       rm -f "$AT"
+
+       return $x
+}
+
+tmpfile=$(mktemp) || exit 1
+do_simple()
+{
+       iptables="$1"
+       dumpfile="$2"
+       opt="$3"
+
+       $XT_MULTI ${iptables}-restore $opt < "$dumpfile"
+       if [ $? -ne 0 ]; then
+               echo "$XT_MULTI ${iptables}-restore $opt $dumpfile failed" 1>&2
+               exit 1
+       fi
+
+       :> "$tmpfile"
+
+       for table in mangle raw filter; do
+               $XT_MULTI ${iptables}-save -t $table $opt | grep -v "^#" >> "$tmpfile"
+       done
+
+       do_diff $dumpfile "$tmpfile"
+
+       if [ $? -ne 0 ]; then
+               RET=1
+       fi
+}
+# fedora27-iptables dump contains chain counters to test counter restore/save
+do_simple "iptables" $(dirname "$0")/dumps/fedora27-iptables "-c"
+do_simple "ip6tables" $(dirname "$0")/dumps/fedora27-ip6tables
+
+exit $RET
diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables

new file mode 100644 (file)

index 0000000..6c426a7
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables
@@ -0,0 +1,125 @@
+# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:FORWARD_direct - [0:0]
+:INPUT_direct - [0:0]
+:OUTPUT_direct - [0:0]
+:POSTROUTING_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_FedoraWorkstation - [0:0]
+:PRE_FedoraWorkstation_allow - [0:0]
+:PRE_FedoraWorkstation_deny - [0:0]
+:PRE_FedoraWorkstation_log - [0:0]
+-A PREROUTING -j PREROUTING_direct
+-A PREROUTING -j PREROUTING_ZONES_SOURCE
+-A PREROUTING -j PREROUTING_ZONES
+-A INPUT -j INPUT_direct
+-A FORWARD -j FORWARD_direct
+-A OUTPUT -j OUTPUT_direct
+-A POSTROUTING -j POSTROUTING_direct
+-A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation
+-A PREROUTING_ZONES -g PRE_FedoraWorkstation
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
+COMMIT
+# Completed on Sat Feb 17 10:51:39 2018
+# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:OUTPUT_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_FedoraWorkstation - [0:0]
+:PRE_FedoraWorkstation_allow - [0:0]
+:PRE_FedoraWorkstation_deny - [0:0]
+:PRE_FedoraWorkstation_log - [0:0]
+-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
+-A PREROUTING -j PREROUTING_direct
+-A PREROUTING -j PREROUTING_ZONES_SOURCE
+-A PREROUTING -j PREROUTING_ZONES
+-A OUTPUT -j OUTPUT_direct
+-A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation
+-A PREROUTING_ZONES -g PRE_FedoraWorkstation
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
+-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
+COMMIT
+# Completed on Sat Feb 17 10:51:39 2018
+# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:FORWARD_IN_ZONES - [0:0]
+:FORWARD_IN_ZONES_SOURCE - [0:0]
+:FORWARD_OUT_ZONES - [0:0]
+:FORWARD_OUT_ZONES_SOURCE - [0:0]
+:FORWARD_direct - [0:0]
+:FWDI_FedoraWorkstation - [0:0]
+:FWDI_FedoraWorkstation_allow - [0:0]
+:FWDI_FedoraWorkstation_deny - [0:0]
+:FWDI_FedoraWorkstation_log - [0:0]
+:FWDO_FedoraWorkstation - [0:0]
+:FWDO_FedoraWorkstation_allow - [0:0]
+:FWDO_FedoraWorkstation_deny - [0:0]
+:FWDO_FedoraWorkstation_log - [0:0]
+:INPUT_ZONES - [0:0]
+:INPUT_ZONES_SOURCE - [0:0]
+:INPUT_direct - [0:0]
+:IN_FedoraWorkstation - [0:0]
+:IN_FedoraWorkstation_allow - [0:0]
+:IN_FedoraWorkstation_deny - [0:0]
+:IN_FedoraWorkstation_log - [0:0]
+:OUTPUT_direct - [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -j INPUT_direct
+-A INPUT -j INPUT_ZONES_SOURCE
+-A INPUT -j INPUT_ZONES
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+-A FORWARD -j FORWARD_direct
+-A FORWARD -j FORWARD_IN_ZONES_SOURCE
+-A FORWARD -j FORWARD_IN_ZONES
+-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
+-A FORWARD -j FORWARD_OUT_ZONES
+-A FORWARD -m conntrack --ctstate INVALID -j DROP
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+-A OUTPUT -j OUTPUT_direct
+-A FORWARD_IN_ZONES -i wlp58s0 -g FWDI_FedoraWorkstation
+-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
+-A FORWARD_OUT_ZONES -o wlp58s0 -g FWDO_FedoraWorkstation
+-A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
+-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
+-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
+-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
+-A FWDI_FedoraWorkstation -p ipv6-icmp -j ACCEPT
+-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
+-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
+-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
+-A INPUT_ZONES -i wlp58s0 -g IN_FedoraWorkstation
+-A INPUT_ZONES -g IN_FedoraWorkstation
+-A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
+-A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
+-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
+-A IN_FedoraWorkstation -p ipv6-icmp -j ACCEPT
+-A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -d ff02::fb/128 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
+-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
+# Completed on Sat Feb 17 10:51:39 2018
diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables

new file mode 100644 (file)

index 0000000..89a05fc
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables
@@ -0,0 +1,136 @@
+# Completed on Sat Feb 17 10:50:33 2018
+# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:FORWARD_direct - [0:0]
+:INPUT_direct - [0:0]
+:OUTPUT_direct - [0:0]
+:POSTROUTING_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_FedoraWorkstation - [0:0]
+:PRE_FedoraWorkstation_allow - [0:0]
+:PRE_FedoraWorkstation_deny - [0:0]
+:PRE_FedoraWorkstation_log - [0:0]
+[1:2] -A PREROUTING -j PREROUTING_direct
+[3:4] -A PREROUTING -j PREROUTING_ZONES_SOURCE
+[0:0] -A PREROUTING -j PREROUTING_ZONES
+[0:0] -A INPUT -j INPUT_direct
+[0:0] -A FORWARD -j FORWARD_direct
+[0:0] -A OUTPUT -j OUTPUT_direct
+[0:0] -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+[0:0] -A POSTROUTING -j POSTROUTING_direct
+[0:0] -A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation
+[0:0] -A PREROUTING_ZONES -g PRE_FedoraWorkstation
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
+COMMIT
+# Completed on Sat Feb 17 10:50:33 2018
+# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018
+*raw
+:PREROUTING ACCEPT [1681:2620433]
+:OUTPUT ACCEPT [1619:171281]
+:OUTPUT_direct - [0:0]
+:PREROUTING_ZONES - [0:0]
+:PREROUTING_ZONES_SOURCE - [0:0]
+:PREROUTING_direct - [0:0]
+:PRE_FedoraWorkstation - [0:0]
+:PRE_FedoraWorkstation_allow - [0:0]
+:PRE_FedoraWorkstation_deny - [0:0]
+:PRE_FedoraWorkstation_log - [0:0]
+[0:0] -A PREROUTING -j PREROUTING_direct
+[0:0] -A PREROUTING -j PREROUTING_ZONES_SOURCE
+[0:0] -A PREROUTING -j PREROUTING_ZONES
+[0:0] -A OUTPUT -j OUTPUT_direct
+[0:0] -A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation
+[0:0] -A PREROUTING_ZONES -g PRE_FedoraWorkstation
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny
+[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow
+[0:0] -A PRE_FedoraWorkstation_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns
+COMMIT
+# Completed on Sat Feb 17 10:50:33 2018
+# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [1619:171281]
+:FORWARD_IN_ZONES - [0:0]
+:FORWARD_IN_ZONES_SOURCE - [0:0]
+:FORWARD_OUT_ZONES - [0:0]
+:FORWARD_OUT_ZONES_SOURCE - [0:0]
+:FORWARD_direct - [0:0]
+:FWDI_FedoraWorkstation - [0:0]
+:FWDI_FedoraWorkstation_allow - [0:0]
+:FWDI_FedoraWorkstation_deny - [0:0]
+:FWDI_FedoraWorkstation_log - [0:0]
+:FWDO_FedoraWorkstation - [0:0]
+:FWDO_FedoraWorkstation_allow - [0:0]
+:FWDO_FedoraWorkstation_deny - [0:0]
+:FWDO_FedoraWorkstation_log - [0:0]
+:INPUT_ZONES - [0:0]
+:INPUT_ZONES_SOURCE - [0:0]
+:INPUT_direct - [0:0]
+:IN_FedoraWorkstation - [0:0]
+:IN_FedoraWorkstation_allow - [0:0]
+:IN_FedoraWorkstation_deny - [0:0]
+:IN_FedoraWorkstation_log - [0:0]
+:OUTPUT_direct - [0:0]
+[5:6] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+[0:123456789] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A INPUT -i lo -j ACCEPT
+[0:0] -A INPUT -j INPUT_direct
+[0:0] -A INPUT -j INPUT_ZONES_SOURCE
+[0:0] -A INPUT -j INPUT_ZONES
+[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP
+[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited
+[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
+[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+[0:0] -A FORWARD -i lo -j ACCEPT
+[0:0] -A FORWARD -j FORWARD_direct
+[0:0] -A FORWARD -j FORWARD_IN_ZONES_SOURCE
+[0:0] -A FORWARD -j FORWARD_IN_ZONES
+[0:0] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
+[0:0] -A FORWARD -j FORWARD_OUT_ZONES
+[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP
+[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+[0:0] -A OUTPUT -j OUTPUT_direct
+[0:0] -A FORWARD_IN_ZONES -i wlp58s0 -g FWDI_FedoraWorkstation
+[0:0] -A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation
+[0:0] -A FORWARD_OUT_ZONES -o wlp58s0 -g FWDO_FedoraWorkstation
+[0:0] -A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation
+[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log
+[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny
+[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow
+[0:0] -A FWDI_FedoraWorkstation -p icmp -j ACCEPT
+[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log
+[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny
+[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow
+[0:0] -A INPUT_ZONES -i wlp58s0 -g IN_FedoraWorkstation
+[0:0] -A INPUT_ZONES -g IN_FedoraWorkstation
+[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_log
+[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny
+[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow
+[0:0] -A IN_FedoraWorkstation -p icmp -j ACCEPT
+[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
+[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
+[0:0] -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+[0:0] -A IN_FedoraWorkstation_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
+[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
+[7:8] -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT
+COMMIT
+# Completed on Sat Feb 17 10:50:33 2018
author	Florian Westphal <fw@strlen.de>
	Wed, 27 Jun 2018 21:35:21 +0000 (23:35 +0200)
committer	Florian Westphal <fw@strlen.de>
	Wed, 27 Jun 2018 21:44:04 +0000 (23:44 +0200)
iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0	[new file with mode: 0755]	patch \| blob
iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables	[new file with mode: 0644]	patch \| blob
iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables	[new file with mode: 0644]	patch \| blob