Signed-off-by: Robert Obkircher <[email protected]>
---
proxmox-firewall/tests/input/host.fw | 4 +-
.../integration_tests__firewall.snap | 44 ++++++++++++++++++-
2 files changed, 45 insertions(+), 3 deletions(-)
diff --git a/proxmox-firewall/tests/input/host.fw
b/proxmox-firewall/tests/input/host.fw
index 7b89aad..56c8054 100644
--- a/proxmox-firewall/tests/input/host.fw
+++ b/proxmox-firewall/tests/input/host.fw
@@ -13,15 +13,17 @@ protection_synflood_burst: 1337
protection_synflood_rate: 400
nosmurfs: 1
nf_conntrack_helpers: amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
+preserve_comments: 1
[RULES]
-IN DNS(ACCEPT) -source dc/network1 -log nolog
+IN DNS(ACCEPT) -source dc/network1 -log nolog # prevent DNS issues
IN DHCPv6(ACCEPT) -log nolog
IN DHCPfwd(ACCEPT) -log nolog
IN ACCEPT --icmp-type neighbor-solicitation --proto ipv6-icmp --log info
IN Ping(REJECT)
IN REJECT -p udp --dport 443
OUT REJECT -p udp --dport 443
+IN REJECT -p udp --dport 1000 # Mid character trucation of 129 byte comment:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa🦀🦀
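Review bot: The two commented rules added to `[RULES]` cover only a plain ASCII comment and a truncation that lands inside a multibyte character, so nothing in this fixture pins how a comment containing `"`, `\` or a control character is carried into the generated nftables JSON. Rule comments are free text taken from the config file, so a third fixture rule such as `IN REJECT -p udp --dport 1001 # quote " and backslash \ in comment` (constructed example) would make the escaping visible in the snapshot. A comment at exactly the length limit (presumably 128 bytes, judging by the 129-byte case) would also confirm that truncation does not cut one byte too early. Separately, `trucation` in the new comment should read `truncation`; because the text is copied into the snapshot, the matching `"comment"` line in the last hunk of `integration_tests__firewall.snap` needs regenerating with it.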
diff --git a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
index 79cb882..0fb44f4 100644
--- a/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
+++ b/proxmox-firewall/tests/snapshots/integration_tests__firewall.snap
@@ -1,8 +1,6 @@
---
source: proxmox-firewall/tests/integration_tests.rs
-assertion_line: 127
expression: "firewall.full_host_fw().expect(\"firewall can be generated\")"
-snapshot_kind: text
---
{
"nftables": [
@@ -3657,6 +3655,7 @@ snapshot_kind: text
"family": "inet",
"table": "proxmox-firewall",
"chain": "host-in",
+ "comment": "prevent DNS issues",
"expr": [
{
"match": {
@@ -3711,6 +3710,7 @@ snapshot_kind: text
"family": "inet",
"table": "proxmox-firewall",
"chain": "host-in",
+ "comment": "prevent DNS issues",
"expr": [
{
"match": {
@@ -4034,6 +4034,46 @@ snapshot_kind: text
}
}
},
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": "proxmox-firewall",
+ "chain": "host-in",
+ "comment": "Mid character trucation of 129 byte comment:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa🦀",
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "l4proto"
+ }
+ },
+ "right": "udp"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "th",
+ "field": "dport"
+ }
+ },
+ "right": 1000
+ }
+ },
+ {
+ "jump": {
+ "target": "do-reject"
+ }
+ }
+ ]
+ }
+ }
+ },
{
"add": {
"rule": {
--
2.47.3