Tested these changes, I could reproduce the described problem, and
after applying the patches the macros only match the correct ICMP
packets, not all.

So consider this:
Tested-by: Hannes Laimer <h.lai...@proxmox.com>

On 04.02.25 10:57, Stefan Hanreich wrote:
Rules using the Ping macro were wrongly generated due to the ICMP
macros using the wrong format for specifying ICMP type. The test cases
did not include any macros utilizing the ICMP protocol. Add them to
catch any errors related to ICMP parsing in the future.

Signed-off-by: Stefan Hanreich <s.hanre...@proxmox.com>
---
Depends on bumped proxmox-ve-config to work.

  proxmox-firewall/tests/input/host.fw          |  1 +
  .../integration_tests__firewall.snap          | 57 ++++++++++++++++++-
  2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/proxmox-firewall/tests/input/host.fw 
b/proxmox-firewall/tests/input/host.fw
index a61b0bd..ddfcb1c 100644
--- a/proxmox-firewall/tests/input/host.fw
+++ b/proxmox-firewall/tests/input/host.fw
@@ -20,6 +20,7 @@ nf_conntrack_helpers: 
amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
  IN DNS(ACCEPT) -source dc/network1 -log nolog
  IN DHCPv6(ACCEPT) -log nolog
  IN DHCPfwd(ACCEPT) -log nolog
+IN Ping(REJECT)
  IN REJECT -p udp --dport 443
  OUT REJECT -p udp --dport 443
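Review bot: The added `IN Ping(REJECT)` line is the only ICMP case in this input, although the commit message says the test should catch ICMP parsing errors for macros in general. A single macro with no other options only covers the bare type match. Consider adding a second Ping rule that combines the macro with `-source` or `-log`, as the neighbouring DNS rule does, so that a regression in how the ICMP type is merged with other matches would also show up in the snapshot.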
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 9194fc6..d25ece8 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -1,7 +1,6 @@
  ---
  source: proxmox-firewall/tests/integration_tests.rs
  expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
-snapshot_kind: text
  ---
  {
    "nftables": [
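Review bot: The removal of `snapshot_kind: text` from the snapshot header is unrelated to the ICMP test and is not mentioned in the commit message. It looks like a side effect of regenerating the snapshot rather than an intended change. Either leave the header line as it was or note the reason in the commit message, so the diffstat's "1 deletion" does not raise questions later.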
@@ -3533,6 +3532,62 @@ snapshot_kind: text
          }
        }
      },
+    {
+      "add": {
+        "rule": {
+          "family": "inet",
+          "table": "proxmox-firewall",
+          "chain": "host-in",
+          "expr": [
+            {
+              "match": {
+                "op": "==",
+                "left": {
+                  "payload": {
+                    "protocol": "icmp",
+                    "field": "type"
+                  }
+                },
+                "right": "echo-request"
+              }
+            },
+            {
+              "jump": {
+                "target": "do-reject"
+              }
+            }
+          ]
+        }
+      }
+    },
+    {
+      "add": {
+        "rule": {
+          "family": "inet",
+          "table": "proxmox-firewall",
+          "chain": "host-in",
+          "expr": [
+            {
+              "match": {
+                "op": "==",
+                "left": {
+                  "payload": {
+                    "protocol": "icmpv6",
+                    "field": "type"
+                  }
+                },
+                "right": "echo-request"
+              }
+            },
+            {
+              "jump": {
+                "target": "do-reject"
+              }
+            }
+          ]
+        }
+      }
+    },
      {
        "add": {
          "rule": {
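Review bot: These two expected rules (icmp and icmpv6 `type == "echo-request"` jumping to `do-reject`) only match the generated output once proxmox-ve-config has been bumped, as the note under the `---` line says. That means the test fails when built against the current dependency. The minimum proxmox-ve-config version should be raised in the same series so the test and the fix cannot be applied apart. It would also help to state in the commit message that one `Ping` input line is expected to expand into both an IPv4 and an IPv6 rule, since that is what the snapshot now pins.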



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
