File 0002-test-ipset-verify-match-with-iface.patch of Package firewalld.36786
From 950fe07aaa4ed54045e470887066b2dbe29280b6 Mon Sep 17 00:00:00 2001
From: Eric Garver <egarver@redhat.com>
Date: Wed, 30 Oct 2024 19:36:26 -0400
Subject: [PATCH 2/2] test(ipset): verify match with iface
---
src/tests/regression/gh1406.at | 62 +++++++++++++++++++++++++++++++++++++
src/tests/regression/regression.at | 1
2 files changed, 63 insertions(+)
create mode 100644 src/tests/regression/gh1406.at
--- /dev/null
+++ b/src/tests/regression/gh1406.at
@@ -0,0 +1,62 @@
+FWD_START_TEST([ipset iface])
+AT_KEYWORDS(ipset gh1406)
+
+FWD_CHECK([--permanent --new-ipset foobar --type hash:net,iface], 0, [ignore])
+FWD_CHECK([--permanent --ipset foobar --add-entry 10.10.10.0/24,dummy0], 0, [ignore])
+FWD_CHECK([--permanent --zone internal --add-source ipset:foobar], 0, [ignore])
+
+FWD_CHECK([--permanent --new-policy blah], 0, [ignore])
+FWD_CHECK([--permanent --policy blah --add-ingress-zone HOST], 0, [ignore])
+FWD_CHECK([--permanent --policy blah --add-egress-zone internal], 0, [ignore])
+FWD_RELOAD()
+
+NFT_LIST_RULES([inet], [filter_INPUT_POLICIES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_POLICIES {
+ ip saddr . iifname @foobar jump filter_IN_policy_allow-host-ipv6
+ ip saddr . iifname @foobar jump filter_IN_internal
+ ip saddr . iifname @foobar reject with icmpx admin-prohibited
+ jump filter_IN_policy_allow-host-ipv6
+ jump filter_IN_public
+ reject with icmpx admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_OUTPUT_POLICIES], 0, [dnl
+ table inet firewalld {
+ chain filter_OUTPUT_POLICIES {
+ ip daddr . oifname @foobar jump filter_OUT_policy_blah
+ ip daddr . oifname @foobar jump filter_OUT_internal
+ ip daddr . oifname @foobar return
+ jump filter_OUT_public
+ return
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [INPUT_POLICIES], 0, [dnl
+ IN_allow-host-ipv6 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar src,src
+ IN_internal 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar src,src
+ REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar src,src reject-with icmp-port-unreachable
+ IN_allow-host-ipv6 0 -- 0.0.0.0/0 0.0.0.0/0
+ IN_public 0 -- 0.0.0.0/0 0.0.0.0/0
+ REJECT 0 -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_POLICIES], 0, [dnl
+ IN_allow-host-ipv6 0 -- ::/0 ::/0
+ IN_public 0 -- ::/0 ::/0
+ REJECT 0 -- ::/0 ::/0 reject-with icmp6-port-unreachable
+])
+IPTABLES_LIST_RULES([filter], [OUTPUT_POLICIES], 0, [dnl
+ OUT_blah 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst,dst
+ OUT_internal 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst,dst
+ RETURN 0 -- 0.0.0.0/0 0.0.0.0/0 match-set foobar dst,dst
+ OUT_public 0 -- 0.0.0.0/0 0.0.0.0/0
+ RETURN 0 -- 0.0.0.0/0 0.0.0.0/0
+])
+IP6TABLES_LIST_RULES([filter], [OUTPUT_POLICIES], 0, [dnl
+ OUT_public 0 -- ::/0 ::/0
+ RETURN 0 -- ::/0 ::/0
+])
+
+FWD_END_TEST()
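Review bot: After `FWD_RELOAD()` the test only asserts the rules that reference `@foobar` in filter_INPUT_POLICIES / filter_OUTPUT_POLICIES (and their iptables `match-set foobar src,src` / `dst,dst` counterparts); nothing checks that the set itself was created as an address-plus-interface set or that the entry `10.10.10.0/24,dummy0` is actually present, so a backend that emits the right match rule against an empty or mistyped set would still pass. If the suite's set-listing helpers apply here (other ipset tests appear to use `NFT_LIST_SET` / `IPSET_LIST_SET` — confirm the macro names), add after the reload a `NFT_LIST_SET([foobar], 0, [...])` expecting the `ipv4_addr . ifname` type with the `interval` flag and the element for `10.10.10.0/24` / `"dummy0"`, plus an `IPSET_LIST_SET([foobar], 0, [...])` expecting `Type: hash:net,iface` and the member `10.10.10.0/24,dummy0`. The IPv6 listings containing no match-set rules is a deliberate negative check that is easy to "fix" away later, so label it, e.g. `dnl the ipset is IPv4-only, so the IPv6 policy chains must carry no match-set rules` above the `IP6TABLES_LIST_RULES` calls.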
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -58,3 +58,4 @@ m4_include([regression/gh1129.at])
m4_include([regression/gh1146.at])
m4_include([regression/gh1152.at])
m4_include([regression/rhbz2222044.at])
++m4_include([regression/gh1406.at])