From 790997675c0fc7eea08bfa6b8790111423f023ff Mon Sep 17 00:00:00 2001
From: Tomas Dolezal
Date: Mon, 4 Nov 2019 16:08:20 +0100
Subject: [PATCH] add tmt plan

---
 .fmf/version | 1 +
 ci/ci-plan.fmf | 14 +
 ci/packages.yml | 6 +
 tests/Library/main/TODO.md | 36 --
 tests/Library/main/lib.sh | 466 ------------------
 tests/Library/main/runtest.sh | 141 ------
 tests/Regression/broute-table-support/PURPOSE | 5 -
 .../broute-table-support/runtest.sh | 74 ---
 tests/Regression/nftables-backend/PURPOSE | 5 -
 tests/Regression/nftables-backend/main.fmf | 6 -
 tests/Regression/nftables-backend/runtest.sh | 184 -------
 tests/main.fmf | 7 -
 12 files changed, 21 insertions(+), 924 deletions(-)
 create mode 100644 .fmf/version
 create mode 100644 ci/ci-plan.fmf
 create mode 100644 ci/packages.yml
 delete mode 100644 tests/Library/main/TODO.md
 delete mode 100644 tests/Library/main/lib.sh
 delete mode 100755 tests/Library/main/runtest.sh
 delete mode 100644 tests/Regression/broute-table-support/PURPOSE
 delete mode 100755 tests/Regression/broute-table-support/runtest.sh
 delete mode 100644 tests/Regression/nftables-backend/PURPOSE
 delete mode 100644 tests/Regression/nftables-backend/main.fmf
 delete mode 100755 tests/Regression/nftables-backend/runtest.sh
 delete mode 100644 tests/main.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 000000000..d00491fd7
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/ci/ci-plan.fmf b/ci/ci-plan.fmf
new file mode 100644
index 000000000..9a0137697
--- /dev/null
+++ b/ci/ci-plan.fmf
@@ -0,0 +1,14 @@
+summary:
+ Essential command line features
+discover:
+ how: fmf
+ repository: https://github.com/todoleza/firewalld-tests
+ revision: master
+ #filter: 'tier: 1'
+provision:
+ how: local
+prepare:
+ how: ansible
+ playbooks: ci/provision.yml
+execute:
+ how: beakerlib
diff --git a/ci/packages.yml b/ci/packages.yml
new file mode 100644
index 000000000..f2ee3cc9d
--- /dev/null
+++ b/ci/packages.yml
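Review bot: The prepare step of ci/ci-plan.fmf points at `playbooks: ci/provision.yml`, but the only playbook this commit adds is `ci/packages.yml` (see the diffstat and the next hunk), so as committed the prepare phase references a file that does not exist; either rename the playbook or change the plan line to `playbooks: ci/packages.yml`. Separately, `revision: master` together with `repository: https://github.com/todoleza/firewalld-tests` makes the plan fetch and execute whatever currently sits on a mutable branch of a personal fork, and with `provision: how: local` those tests run directly on the CI host, where (per the deleted lib.sh) they overwrite /etc/firewalld and run `nft flush ruleset`; pin `revision:` to a commit hash or tag so the code that executes is the code that was reviewed. The `#filter: 'tier: 1'` line is left commented out, which means every test in the repository is discovered; a short comment stating whether that is intended would help the next reader.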
@@ -0,0 +1,6 @@
+- hosts: all
+ tasks:
+ - name: Install necessary dependencies
+ dnf:
+ state: present
+ name: fmf
diff --git a/tests/Library/main/TODO.md b/tests/Library/main/TODO.md
deleted file mode 100644
index 099b2a644..000000000
--- a/tests/Library/main/TODO.md
+++ /dev/null
@@ -1,36 +0,0 @@
-firewalld BeakerLib TODOs
-=========================
-
-# Setup
- * init library
- * Assert system state
- - important system packages
- - verify configuration is clean, warn/fail if not (prametrizable via TESTPARAM)
- * configuration/logs backup and pre-cleaning
- * set important parameters
- * backend
- - emit log messages
- - restart firewalld ?
- * debug level (for systemd in sysconfig)
-
-# Procedures
- * match rule in ruleset
- * generic matching applicable for nft/ipt
- - make use of `jq`, for iptables verify both families or select via parameter [-4|-6]
- * specific rule type match usable for nft/ipt
- * add file to logs bundle
-## NAMESPACES ( for functional tests )
- * consider putting them into a separate library
- * get inspiration from tests/kernel/networking
- * ns management
- - create/delete multiple namespaces
- * start/stop/restart firewalld in [arg] namespace
- - e.g. `startfwd --netns mynetns`
- * wrap arg as command for namespace
-
-# Finalization
- * get rid of own running namespaces
- * bundle and submit logs
- * restore backed up files and service states
-
- vim: filetype=markdown
diff --git a/tests/Library/main/lib.sh b/tests/Library/main/lib.sh
deleted file mode 100644
index e146618cc..000000000
--- a/tests/Library/main/lib.sh
+++ /dev/null
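Review bot: The dnf task uses `state: present` but the play carries no `become: true`, so it only succeeds if tmt already runs the playbook as root; with `provision: how: local` in ci/ci-plan.fmf that is presumably the case, but it should be declared in the play (`become: true` under `- hosts: all`) rather than assumed from the runner's environment. The playbook installs only `fmf`, while the plan executes with `how: beakerlib` and the tests being removed here sourced `/usr/share/beakerlib/beakerlib.sh`; if the beakerlib executor does not install that package itself, it belongs in the `name:` list too. The YAML indentation cannot be judged from this collapsed view, so the nesting of `dnf:` under the task is taken on trust.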
@@ -1,466 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# lib.sh of /CoreOS/firewalld/Library/main -# Description: Manages firewalld configuration, restoration and other stuff -# Author: Tomas Dolezal -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2018 Red Hat, Inc. -# -# This program is free software: you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation, either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# library-prefix = fwd -# library-version = 0.1 -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -: <<'=cut' -=pod - -=head1 NAME - -firewalld/main - Manages firewalld configuration, state and cleanup - -=head1 DESCRIPTION - -firewalld BeakerLib library to aid basic and advanced setup workflows. - -=cut - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Variables -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -: <<'=cut' -=pod - -=head1 VARIABLES - -Below is the list of global variables. - -=over - -=item fwd_IGNORE_CONFIG - -Makes fwdSetup not drop existing config nor assert default configuration -state. - -=item fwd_VERIFY_RPM - -Makes fwdSetup assert integrity of installed files by RPM. 
- -=back - -=cut - -__fwdPACKAGES=( - firewalld - selinux-policy - nftables - libnftnl - libmnl - iptables - ipset - NetworkManager - ) -__fwd_CONF_FILE="/etc/firewalld/firewalld.conf" - -__fwd_SETUP_DONE=false - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Functions -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -: <<'=cut' -=pod - -=head1 FUNCTIONS - -=cut - -__fwdStart() { - #should capture service state by issuing rlService command (consumed by Cleanup) - rlServiceStart firewalld - # a blocking command is used - rlRun "firewall-cmd --state" 0 "firewalld started" -} -__fwdStop() { - rlServiceStop firewalld - firewall-cmd --state -q - if [[ $? -ne 252 ]]; then - rlFail "Could not stop firewalld daemon" - else - return 0 - fi -} - -__fwdCleanConfig() { - local fwconfdir - local ret=0 - for fwconfdir in /etc/firewalld/*/; do - if [[ -z $(find "$fwconfdir" -type d -empty) ]]; then - rm -vf -- $fwconfdir/* - ret=1 - fi - done - return $ret -} - -__fwdCleanDebugLog() { - local logfile="/var/log/firewalld" - truncate -s 0 "$logfile" || \ - rlFail "failed to remove debug log data" - restorecon "$logfile" -} - -__fwdSubmitLog() { - # call me just once, else I'll probably overwrite output by last invocation - rlFileSubmit /var/log/firewalld firewalld.log -} - -__fwdSetDebug() { - local LEVEL=${1:-10} - echo "FIREWALLD_ARGS=--debug=$LEVEL" >> /etc/sysconfig/firewalld || \ - rlFail "failed to enable debug flag" -} - -__fwdLogFunctionEnter() { - rlLogInfo "${FUNCNAME[1]} called" -} - -__fwdAssertSetup() { - if ! $__fwd_SETUP_DONE; then - rlDie "${FUNCNAME[1]} called without calling fwdSetup first" - fi -} - -: <<'=cut' -=pod - -=head2 fwdSetup - -Asserts environment and starts firewalld. Configuration cleanup is attempted -and default state is verified. - - fwdSetup [-n|--no-start] - -=over - -=item -n|--no-start - -Do not start service after setup. 
- -=back - -=cut - -fwdSetup() { - local NOSTART=false - local ret=0 - - __fwdLogFunctionEnter - if $__fwd_SETUP_DONE; then - rlDie "${FUNCNAME[0]} has already been called" - fi - __fwd_SETUP_DONE=true - - while [[ $# -gt 0 ]]; do - case $1 in - -n|--no-start) - NOSTART=true - shift - ;; - *) - rlLogError "wrong parameter '$1' to ${FUNCNAME[0]}" - ret=1 - shift - ;; - esac - done - rlFileBackup --namespace fwdlib --clean /etc/firewalld/ /etc/sysconfig/firewalld \ - /etc/sysconfig/network-scripts/ - if [[ -z $fwd_IGNORE_CONFIG ]]; then - __fwdCleanConfig || rlLogWarning "default config directory was not clean" - if [[ -z $fwd_VERIFY_RPM ]]; then - rlRun "rpm -V firewalld" 0,1 "check firewalld configuration non-changed default state" - if [[ $? -ne 0 ]]; then - rlLogWarning "firewalld system configuration is not in default state" - #rlLogWarning "accepted because fwd_VERIFY_RPM is not set" - fi - else - rlRun "rpm -V firewalld" 0 "firewalld configuration is in non-changed default" - fi - fi - __fwdSetDebug - __fwdCleanDebugLog - rlFileBackup --namespace fwdlib_setup --clean /etc/firewalld/ /etc/sysconfig/firewalld \ - /etc/sysconfig/network-scripts/ - if ! $NOSTART ; then - __fwdStart - else - __fwdStop - fi -} - -: <<'=cut' -=pod - -=head2 fwdCleanup - -Restores configuration and service state before fwdSetup was called. 
- -=cut - -fwdCleanup() { - __fwdAssertSetup - __fwdLogFunctionEnter - __fwdSubmitLog - rlServiceStop firewalld - rlRun "firewall-cmd --state" 252 "firewalld stopped" - __fwdCleanDebugLog - rlFileRestore --namespace fwdlib - # make sure no configuration of firewall is left behind - if iptables --version | grep -q "nf_tables"; then - rlRun "nft flush ruleset" 0 "resetting system firewall configuration (nft / iptables-nft)" - else - rlLogInfo "not resetting system firewall configuration on behalf of firewalld (iptables-compat)" -# for prefix in ip ip6; do -# for table in $(cat /proc/net/${prefix}_tables_names); do -# ${prefix}tables -t $table -F -# ${prefix}tables -t $table -X -# ${prefix}tables -t $table -Z -# #todo: reset policies -# #todo: ebtables cleanup -# case $table in -# nat) -# ;; -# mangle) -# ;; -# security) -# ;; -# raw) -# ;; -# filter) -# ;; -# esac -# done -# done - fi - __fwd_SETUP_DONE=false - rlServiceRestore firewalld -} - -: <<'=cut' -=pod - -=head2 fwdRestart - -Restarts firewalld service. - -=cut - -fwdRestart() { - __fwdStart -} - -: <<'=cut' -=pod - -=head2 fwdResetConfig - -Resets config to state after fwdSetup was called and drops runtime firewall config. - - fwdResetConfig [-n|--no-restart] - -=over - -=item -n|--no-restart - -Do not restart firewalld after reseting permanent config. - -=back - -=cut -fwdResetConfig() { - local NORESTART=false - local ret=0 - - __fwdAssertSetup - while [[ $# -gt 0 ]]; do - case $1 in - -n|--no-restart) - NORESTART=true - shift - ;; - *) - rlLogError "wrong parameter '$1' to ${FUNCNAME[0]}" - ret=1 - shift - ;; - esac - done - - rlFileRestore --namespace fwdlib_setup - if ! $NORESTART ; then - __fwdStart - fi - return $ret -} - -: <<'=cut' -=pod - -=head2 fwdSetBackend - -Sets firewalld backend to one of `nftables` or `iptables`. Attempt to -backend when the option is not available will cause Error and return 1. -If backend is not specified, it is set to nftables by default. 
- - fwdSetBackend [nftables|iptables] - -=cut -fwdSetBackend() { - local NEW_BACKEND="${1:-nftables}" - - if ! grep -q "FirewallBackend=" $__fwd_CONF_FILE; then - rlLogError "${FUNCNAME[0]}: failed to set to $NEW_BACKEND, option not available" - return 1 - fi - - if ! [[ $NEW_BACKEND =~ ^(iptables|nftables)$ ]]; then - rlLogError "${FUNCNAME[0]}: wrong backend '$NEW_BACKEND' specified" - return 1 - fi - rlRun "sed -ie '/FirewallBackend=/ s/=.*/=$NEW_BACKEND/' $__fwd_CONF_FILE" 0 \ - "Set firewalld backend to $NEW_BACKEND" -} - -: <<'=cut' -=pod - -=head2 fwdGetBackend - -Returns name of firewalld backend as one of `nftables` or `iptables`. - - fwdGetBackend - -=cut -fwdGetBackend() { - local backend_name - local firewalld_module_inits - if ! grep -q "FirewallBackend=" $__fwd_CONF_FILE; then - #rlLogError "${FUNCNAME[0]}: failed to set to $NEW_BACKEND, option not available" - #return 1 - - # for safety, check that nftables are not supported - firewalld_module_inits=$(rpm -qa 'python*-firewall' -l | grep '__init__.py$') - [[ $? -ne 0 ]] && rlFail "could not query firewalld python modules" - if ! grep -q "nftables" $firewalld_module_inits; then - # no nftables references, FALLBACK_FIREWALL_BACKEND not used - echo "iptables" - else - rlLogErorr "configuration option missing, refusing call of ${FUNCNAME[0]}" - return 1 - fi - return - fi - - rlRun "backend_name=\$(sed -rne '/FirewallBackend=/ s/.*=(.+)$/\\1/p' $__fwd_CONF_FILE)" 0 \ - "Getting firewalld backend" - - if ! 
[[ $backend_name =~ ^(iptables|nftables)$ ]]; then - rlLogError "${FUNCNAME[0]}: wrong backend '$backend_name' detected" - return 1 - fi - echo "$backend_name" -} - -# TODO: verify a rule is present in system firewall configuration -# TODO: abstract over iptables & nftables (using json output) - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Execution -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -#: <<'=cut' -#=pod -# -#=head1 EXECUTION -# -#This library supports direct execution. When run as a task, phases -#provided in the PHASE environment variable will be executed. -#Supported phases are: -# -#=over -# -#=item Create -# -#Create a new empty file. Use FILENAME to provide the desired file -#name. By default 'foo' is created in the current directory. -# -#=item Test -# -#Run the self test suite. -# -#=back -# -#=cut - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Verification -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# This is a verification callback which will be called by -# rlImport after sourcing the library to make sure everything is -# all right. It makes sense to perform a basic sanity test and -# check that all required packages are installed. The function -# should return 0 only when the library is ready to serve. 
- -fwdLibraryLoaded() { - if rpm=$(rpm -q ${__fwdPACKAGES[0]}); then - sepol=$(rpm -q selinux-policy) - rlLogInfo "Library firewalld/main running with $rpm on $sepol in $(getenforce) mode" - - for pkg in ${__fwdPACKAGES[@]} kernel-$(uname -r); do - rlAssertRpm $pkg - done - - return 0 - else - rlLogError "firewalld not installed" - return 1 - fi -} - -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# Authors -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -: <<'=cut' -=pod - -=head1 AUTHORS - -=over - -=item * - -Tomas Dolezal - -=back - -=cut diff --git a/tests/Library/main/runtest.sh b/tests/Library/main/runtest.sh deleted file mode 100755 index c445e656b..000000000 --- a/tests/Library/main/runtest.sh +++ /dev/null 
@@ -1,141 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/firewalld/Library/main -# Description: Manages firewalld configuration, restoration and other stuff -# Author: Tomas Dolezal -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2018 Red Hat, Inc. -# -# This program is free software: you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation, either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="firewalld" -PHASE=${PHASE:-Test} - -rlJournalStart - rlPhaseStartSetup - rlRun "rlImport firewalld/main" - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlPhaseEnd - -# # Create file -# if [[ "$PHASE" =~ "Create" ]]; then -# rlPhaseStartTest "Create" -# fileCreate -# rlPhaseEnd -# fi - - # Self test - if [[ "$PHASE" =~ "Test" ]]; then - rlPhaseStartTest "firewalld Setup and Cleanup" - rlRun "systemctl stop firewalld" - rlRun "firewall-cmd --state" 252 "firewalld is not running" - rlAssertGrep "DefaultZone=public" /etc/firewalld/firewalld.conf - - rlRun "fwdSetup -n" - rlRun "firewall-cmd --state" 252 "firewalld is not runnig" - rlRun "fwdCleanup" - rlRun "fwdSetup" - rlRun "firewall-cmd --state" 0 "firewalld is runnig" - rlRun "ps -ef | grep firewalld | grep debug=10" 0 "debug level is set to 10" - - rlRun "firewall-cmd --set-default-zone work" - rlRun "firewall-cmd --add-service tftp --permanent" - rlRun "firewall-cmd --reload" - rlAssertGrep "DefaultZone=work" /etc/firewalld/firewalld.conf - rlAssertGrep "tftp" /etc/firewalld/zones/work.xml - - rlRun "fwdCleanup" - rlRun "firewall-cmd --state" 252 "firewalld is not running" - rlAssertGrep "DefaultZone=public" /etc/firewalld/firewalld.conf - rlAssertNotExists /etc/firewalld/zones/work.xml - rlFileBackup --clean /etc/firewalld /etc/sysconfig/firewalld - rlRun "echo FOO=BAR >> /etc/sysconfig/firewalld" - rlRun "fwdSetup" 0 "fwdSetup - run through check of modified firewalld sysconfig file" - rlRun "fwdCleanup" - # following cannot be run while having this test phase to pass (it must fail) - #rlRun "fwd_VERIFY_RPM=1 fwdSetup" - #rlRun "fwdCleanup" - rlFileRestore - rlPhaseEnd - - rlPhaseStartTest "ResetConfig" - rlRun "fwdSetup" - rlRun "firewall-cmd --set-default-zone work" - rlRun "firewall-cmd --add-service tftp --permanent" - rlRun "firewall-cmd --reload" - rlAssertGrep "DefaultZone=work" /etc/firewalld/firewalld.conf - 
rlAssertGrep "tftp" /etc/firewalld/zones/work.xml - - rlRun "fwdResetConfig" - #rlRun "fwdRestart" # included in ResetConfig unless --no-restart is given - rlRun "ps -ef | grep firewalld | grep debug=10" 0 "debug level is set to 10" - rlAssertGrep "DefaultZone=public" /etc/firewalld/firewalld.conf - rlAssertNotExists /etc/firewalld/zones/work.xml - - rlRun "firewall-cmd --add-service smtp" - rlRun "fwdResetConfig -n" - rlRun "fwdResetConfig --no-restart" - rlRun "firewall-cmd --query-service smtp" - - rlRun "fwdResetConfig --badargument" 1 - rlRun "fwdResetConfig --mor -e" 1 - rlRun "fwdResetConfig -n" - rlRun "fwdCleanup" - rlPhaseEnd - - rlPhaseStartTest "SetBackend / GetBackend" - rlRun "fwdSetup" - rlRun "fwdGetBackend > >(tee backend.out)" - if ! rlIsRHEL 7; then - rlAssertGrep "^nftables$" backend.out - else - rlAssertGrep "^iptables$" backend.out - fi - rlRun "fwdSetBackend iptables" - rlRun "fwdGetBackend > >(tee backend.out)" - rlAssertGrep "^iptables$" backend.out - rlAssertGrep "FirewallBackend=iptables" /etc/firewalld/firewalld.conf - rlRun "fwdSetBackend nftables" - rlAssertGrep "FirewallBackend=nftables" /etc/firewalld/firewalld.conf - rlRun "fwdGetBackend > >(tee backend.out)" - rlAssertGrep "^nftables$" backend.out - rlRun "fwdSetBackend notiptables" 1 "invalid backend" - rlRun "fwdSetBackend iptables" 0 "change to iptables again" - rlRun "fwdSetBackend" 0 "reset to default backend (force to nftables)" - rlAssertGrep "FirewallBackend=nftables" /etc/firewalld/firewalld.conf - rlRun "sed -e '/FirewallBackend/d' -i /etc/firewalld/firewalld.conf" 0 "remove FirewallBackend option" - rlRun "fwdSetBackend iptables" 1 "unsupported change" - rlRun "fwdGetBackend > >(tee backend.out)" 1 - rlAssertNotDiffer backend.out /dev/null - rlRun "fwdCleanup" - rlPhaseEnd - fi - - rlPhaseStartCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd 
diff --git a/tests/Regression/broute-table-support/PURPOSE b/tests/Regression/broute-table-support/PURPOSE
deleted file mode 100644
index 372391efd..000000000
--- a/tests/Regression/broute-table-support/PURPOSE
+++ /dev/null
@@ -1,5 +0,0 @@
-PURPOSE of /CoreOS/firewalld/Regression/broute-table-support
-Description: Test for BZ#1752727 (RHEL 7.7 rebase of firewalld removed support for)
-Author: Tomas Dolezal
-Bug summary: RHEL 7.7 rebase of firewalld removed support for the ebtables broute table
-Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1752727
diff --git a/tests/Regression/broute-table-support/runtest.sh b/tests/Regression/broute-table-support/runtest.sh
deleted file mode 100755
index 87bb1e6a0..000000000
--- a/tests/Regression/broute-table-support/runtest.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/firewalld/Regression/broute-table-support -# Description: Test for BZ#1752727 (RHEL 7.7 rebase of firewalld removed support for) -# Author: Tomas Dolezal -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2019 Red Hat, Inc. -# -# This program is free software: you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation, either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="firewalld" -TESTRULE="-i someif -j redirect --redirect-target DROP" -TESTRULE_MATCH="-i someif -j redirect ?--redirect-target DROP" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "rlImport firewalld/main" || rlDie - fwdSetup - rlIsRHEL 7 || { fwdSetBackend iptables; fwdRestart ; } - rlPhaseEnd - -check_broute_rules() { - rlLogInfo "checking broute rules in ebtables" - rlRun -s "ebtables-save" - mv $rlRun_LOG ebtables-save.output - rlRun -s "ebtables -t broute -L" - mv $rlRun_LOG ebtables-broute.output - - rlAssertGrep "-j BROUTING_direct" ebtables-broute.output - rlAssertGrep "$TESTRULE_MATCH" ebtables-broute.output -E - - rlAssertGrep "-A BROUTING -j BROUTING_direct" ebtables-save.output - rlAssertGrep "-A BROUTING_direct $TESTRULE_MATCH" ebtables-save.output -E -} - rlPhaseStartTest - rlRun "firewall-cmd --direct --add-rule eb broute BROUTING 0 $TESTRULE" - check_broute_rules - - rlRun "firewall-cmd --runtime-to-permanent" - rlRun "firewall-cmd --reload" - check_broute_rules - rlPhaseEnd - - rlPhaseStartCleanup - fwdCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/Regression/nftables-backend/PURPOSE b/tests/Regression/nftables-backend/PURPOSE deleted file mode 100644 index 55f7d9839..000000000 --- a/tests/Regression/nftables-backend/PURPOSE +++ /dev/null @@ -1,5 +0,0 @@ -PURPOSE of /CoreOS/firewalld/Regression/nftables-backend -Description: Test for BZ#1509026 ([RFE] firewalld Implement nftables backend) -Author: Tomas Dolezal -Bug summary: [RFE] firewalld: Implement nftables backend -Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1509026 diff --git a/tests/Regression/nftables-backend/main.fmf b/tests/Regression/nftables-backend/main.fmf deleted file mode 100644 index 64532f46f..000000000 
--- a/tests/Regression/nftables-backend/main.fmf
+++ /dev/null
@@ -1,6 +0,0 @@
-description: |
- Bug summary: [RFE] firewalld: Implement nftables backend
- Bugzilla link: https://bugzilla.redhat.com/show_bug.cgi?id=1509026
-relevancy+: |
- distro = rhel-7: False
-summary: Test for BZ#1509026 ([RFE] firewalld Implement nftables backend)
diff --git a/tests/Regression/nftables-backend/runtest.sh b/tests/Regression/nftables-backend/runtest.sh
deleted file mode 100755
index f647e7535..000000000
--- a/tests/Regression/nftables-backend/runtest.sh
+++ /dev/null
@@ -1,184 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of /CoreOS/firewalld/Regression/nftables-backend -# Description: Test for BZ#1509026 ([RFE] firewalld Implement nftables backend) -# Author: Tomas Dolezal -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2019 Red Hat, Inc. -# -# This program is free software: you can redistribute it and/or -# modify it under the terms of the GNU General Public License as -# published by the Free Software Foundation, either version 2 of -# the License, or (at your option) any later version. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see http://www.gnu.org/licenses/. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 -. 
/usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="firewalld" -LOGFILE="/var/log/firewalld" - -IPSET4='ipsetv4' -IPSET6='ipsetv6' -VER_0_7_UP=false - -# limit output lines by arbitrary number after firewalld reloads in certain log check calls -LINES_OF_CONTEXT=35 - -save_log_cursor() { - rlLogInfo "log recency mark" - _LOG_LINE="$(wc -l "$LOGFILE" | cut -d' ' -f 1)" - [[ ${PIPESTATUS[0]} -eq 0 ]] || rlFail "could not read $LOGFILE" -} -get_recent_log() { - rlRun "tail -n +$_LOG_LINE $LOGFILE > firewalld.log.recent" 0 "get recent log messages" -} -nft_grepper() { - local grepstr="$1" - local comment="$2" - rlRun "nft -nn list ruleset | egrep '$grepstr'" 0 "$comment" -} -check_log_and_mark() { - get_recent_log - rlAssertNotGrep "ERROR" firewalld.log.recent - cat firewalld.log.recent - save_log_cursor -} -rlJournalStart - rlPhaseStartSetup - rlAssertRpm $PACKAGE - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlCmpVersion 0.7 $(rpm -q --qf %{VERSION} firewalld) - if [[ $? -eq 0 || $? 
-eq 2 ]]; then - # new version - VER_0_7_UP=true - fi - rlRun "rlImport firewalld/main" || rlDie - fwdSetup - rlRun "fwdGetBackend | grep nftables" 0 "verify nftables backend" - rlPhaseEnd - - rlPhaseStartTest - # service - save_log_cursor - rlRun "firewall-cmd --add-service smtp" - #rlRun "nft -nn list ruleset | grep 'tcp dport 25 ct state new,untracked accept'" - nft_grepper "tcp dport 25 ct state new,untracked accept" - check_log_and_mark - # port - rlRun "firewall-cmd --add-port 22335/tcp" - rlRun "firewall-cmd --add-port 22336/udp" - check_log_and_mark - nft_grepper "tcp dport 22335 ct state new,untracked accept" "verify port rule presence" - nft_grepper "udp dport 22336 ct state new,untracked accept" "verify port rule presence" - # protocol (SEE zone/protocol) - # module - rlRun "firewall-cmd --add-service ftp" 0 "add ftp service with ftp module" - if $VER_0_7_UP; then - nft_grepper 'tcp dport 21 ct helper set "helper-ftp-tcp"' "helper presence" - else - nft_grepper 'tcp dport 21 ct helper "ftp"' "helper presence" - fi - rlAssertExists "/sys/module/nf_nat_ftp/" - check_log_and_mark - # source/destination ports (UNTESTED) - fwdRestart; save_log_cursor - - # zone - # source/dest - rlRun "firewall-cmd --zone internal --add-source 192.0.2.40" - rlRun "firewall-cmd --zone internal --add-source ::ffff:192.0.2.60" - nft_grepper "ip saddr 192.0.2.40 goto .*internal" - nft_grepper "ip6 saddr ::ffff:192.0.2.60 goto .*internal" - check_log_and_mark - # protocol - rlRun "firewall-cmd --add-protocol igmp" 0 "add protocol" - nft_grepper "meta l4proto igmp ct state new,untracked accept" "verify protocol rule presence" - check_log_and_mark - # icmp block - rlRun "firewall-cmd --add-icmp-block time-exceeded" - nft_grepper "icmp type time-exceeded reject with icmp" - nft_grepper "icmpv6 type time-exceeded reject with icmpv6" - check_log_and_mark - # forward - rlRun "firewall-cmd --add-forward-port=port=22990-22999:proto=tcp:toaddr=127.0.0.2" - if $VER_0_7_UP; then - 
nft_grepper 'tcp dport 22990-22999 dnat to 127.0.0.2' "forward rule presence" - else - nft_grepper "tcp dport 22990-22999 mark set" - nft_grepper "meta l4proto tcp mark 0x0[0-9]+ dnat to 127.0.0.2" - fi - check_log_and_mark - # masquerade - rlRun "firewall-cmd --add-masquerade" - nft_grepper 'oifname != "lo" masquerade' - check_log_and_mark - # rich rule (not needed to cover) - # interface - rlRun "firewall-cmd --add-interface ifcustom" - nft_grepper '[oi]ifname "ifcustom" goto [a-zA-Z_]+_public' - check_log_and_mark - # ipset - rlLogInfo "ipsets/zones" - rlRun "firewall-cmd --new-ipset '$IPSET4' --permanent --type hash:ip" - rlRun "firewall-cmd --new-ipset '$IPSET6' --permanent --type hash:ip --family inet6" - fwdRestart - save_log_cursor - rlRun "firewall-cmd --ipset $IPSET4 --add-entry '192.0.2.12'" - rlRun "firewall-cmd --ipset $IPSET6 --add-entry '::2'" - # partial set match (also in ip/ip6 tables - rlRun "nft list set inet firewalld $IPSET4 | grep '192.0.2.12'" - rlRun "nft list set inet firewalld $IPSET6 | grep '::2'" - rlRun "nft list set ip firewalld $IPSET4 | grep '192.0.2.12'" - rlRun "nft list set ip6 firewalld $IPSET6 | grep '::2'" - check_log_and_mark - rlRun "firewall-cmd --add-source ipset:$IPSET4" - rlRun "firewall-cmd --add-source ipset:$IPSET6" - nft_grepper "ip daddr @$IPSET4 goto [a-zA-Z_]+_public" - nft_grepper "ip6 daddr @$IPSET6 goto [a-zA-Z_]+_public" - check_log_and_mark - # helpers - # modules covered in services above - # direct (iptables only) - # panic - # covered in /CoreOS/firewalld/Regression/firewalld-panic-on-doesn-t-work - #bash - rlRun "firewall-cmd --state" 0 "verify firewalld reported state" - - rlLogInfo "use permanent config for sets in nft" # bz1738545 - check_log_and_mark - rlRun "firewall-cmd --runtime-to-permanent" - rlRun "firewall-cmd --reload" - rlRun "firewall-cmd --state" - # limit output lines by arbitrary number after firewalld reloads - check_log_and_mark | grep -i ERROR -A $LINES_OF_CONTEXT - rlRun "firewall-cmd 
--permanent --add-source ipset:$IPSET4"
- rlRun "firewall-cmd --permanent --add-source ipset:$IPSET6"
- rlRun "firewall-cmd --reload"
- rlRun "firewall-cmd --state"
- # limit output lines by arbitrary number after firewalld reloads
- check_log_and_mark | grep -i ERROR -A $LINES_OF_CONTEXT
- rlPhaseEnd
-
- rlPhaseStartCleanup
- fwdCleanup
- rlRun "popd"
- rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
- rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
diff --git a/tests/main.fmf b/tests/main.fmf
deleted file mode 100644
index 24e4a42d8..000000000
--- a/tests/main.fmf
+++ /dev/null
@@ -1,7 +0,0 @@
-component: firewalld
-contact: Tomas Dolezal
-test: make run
-duration: 5m
-relevancy: |
- distro < rhel-7: False
-tier: 1