We now map the iptables icmpv6-types to the nftables icmpv6-types which have slightly different names. Add a simple test that shows the mapping between "neighbor-solicitation" and "nd-neighbor-solicit".
Signed-off-by: Gabriel Goller <[email protected]> --- proxmox-firewall/tests/input/host.fw | 1 + .../integration_tests__firewall.snap | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/proxmox-firewall/tests/input/host.fw b/proxmox-firewall/tests/input/host.fw index ddfcb1c4d2c8..7b89aad86317 100644 --- a/proxmox-firewall/tests/input/host.fw +++ b/proxmox-firewall/tests/input/host.fw @@ -20,6 +20,7 @@ nf_conntrack_helpers: amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp IN DNS(ACCEPT) -source dc/network1 -log nolog IN DHCPv6(ACCEPT) -log nolog IN DHCPfwd(ACCEPT) -log nolog +IN ACCEPT --icmp-type neighbor-solicitation --proto ipv6-icmp --log info IN Ping(REJECT) IN REJECT -p udp --dport 443 OUT REJECT -p udp --dport 443 diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap index e3db8ae2db10..e6ba681d8095 100644 --- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap +++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap @@ -1,6 +1,7 @@ --- source: proxmox-firewall/tests/integration_tests.rs expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" +snapshot_kind: text --- { "nftables": [ @@ -3593,6 +3594,68 @@ expression: "firewall.full_host_fw().expect(\"firewall can be generated\")" } } }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": "nd-neighbor-solicit" + } + }, + { + "limit": { + "rate": 2, + "per": "second", + "burst": 12 + } + }, + { + "log": { + "prefix": ":0:6:host-in: ACCEPT: ", + "group": 0 + } + } + ] + } + } + }, + { + "add": { + "rule": { + "family": "inet", + "table": "proxmox-firewall", + "chain": "host-in", + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": "nd-neighbor-solicit" + } + }, + { + "accept": null + } + ] + } + } + }, { "add": { "rule": { -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
