From dcf452936a9dc6e7a8d01e5593d6950fd87db46c Mon Sep 17 00:00:00 2001
From: Florian Westphal
Date: Wed, 27 Jun 2018 23:35:21 +0200
Subject: tests: add firewalld default ruleset from fedora 27

The ipv4 version has bogus counters so this can also check save/restore -c option.

Signed-off-by: Florian Westphal
---
 .../ipt-save/0002load-fedora27-firewalld_0 | 59 +++++++++
 .../testcases/ipt-save/dumps/fedora27-ip6tables | 125 +++++++++++++++++++
 .../testcases/ipt-save/dumps/fedora27-iptables | 136 +++++++++++++++++++++
 3 files changed, 320 insertions(+)
 create mode 100755 iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0
 create mode 100644 iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables
 create mode 100644 iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables
diff --git a/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0 b/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0
new file mode 100755
index 00000000..2ab08b7c
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/0002load-fedora27-firewalld_0
@@ -0,0 +1,59 @@
+#!/bin/bash
+
+RET=0
+tmpfile=""
+
+clean_tmpfile()
+{
+ if [ ! -z "$tmpfile" ];then
+ rm -f "$tmpfile"
+ fi
+}
+
+trap clean_tmpfile EXIT
+
+do_diff()
+{
+ A="$1"
+ B="$2"
+
+ AT=$(mktemp)
+ grep -v "^#" "$A" > "$AT"
+
+ diff -u "$AT" "$B"
+ x=$?
+ rm -f "$AT"
+
+ return $x
+}
+
+tmpfile=$(mktemp) || exit 1
+do_simple()
+{
+ iptables="$1"
+ dumpfile="$2"
+ opt="$3"
+
+ $XT_MULTI ${iptables}-restore $opt < "$dumpfile"
+ if [ $? -ne 0 ]; then
+ echo "$XT_MULTI ${iptables}-restore $opt $dumpfile failed" 1>&2
+ exit 1
+ fi
+
+ :> "$tmpfile"
+
+ for table in mangle raw filter; do
+ $XT_MULTI ${iptables}-save -t $table $opt | grep -v "^#" >> "$tmpfile"
+ done
+
+ do_diff $dumpfile "$tmpfile"
+
+ if [ $? -ne 0 ]; then
+ RET=1
+ fi
+}
+# fedora27-iptables dump contains chain counters to test counter restore/save
+do_simple "iptables" $(dirname "$0")/dumps/fedora27-iptables "-c"
+do_simple "ip6tables" $(dirname "$0")/dumps/fedora27-ip6tables
+
+exit $RET
diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables
new file mode 100644
index 00000000..6c426a7a
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-ip6tables
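Review bot: `AT=$(mktemp)` in do_diff is unchecked, unlike `tmpfile=$(mktemp) || exit 1` a few lines later; if mktemp fails AT is empty, the grep redirect and `diff -u "" "$B"` fail, and RET=1 then reports an environment error as a ruleset mismatch. Use `AT=$(mktemp) || exit 1` for consistency, and note that this scratch file is not covered by the clean_tmpfile EXIT trap, so it is left behind if the script dies between mktemp and `rm -f "$AT"`. `do_diff $dumpfile "$tmpfile"` is the one place `$dumpfile` is left unquoted; `do_diff "$dumpfile" "$tmpfile"` matches the rest of the script. Since `${iptables}-restore` runs without --noflush, the restore replaces the current mangle, raw and filter tables with the firewalld ruleset, whose INPUT and FORWARD chains end in REJECT, so a header comment such as `# replaces the live mangle/raw/filter tables -- run only inside an isolated network namespace` would make that requirement explicit for anyone running the testcase by hand.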
@@ -0,0 +1,125 @@ +# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:FORWARD_direct - [0:0] +:INPUT_direct - [0:0] +:OUTPUT_direct - [0:0] +:POSTROUTING_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_FedoraWorkstation - [0:0] +:PRE_FedoraWorkstation_allow - [0:0] +:PRE_FedoraWorkstation_deny - [0:0] +:PRE_FedoraWorkstation_log - [0:0] +-A PREROUTING -j PREROUTING_direct +-A PREROUTING -j PREROUTING_ZONES_SOURCE +-A PREROUTING -j PREROUTING_ZONES +-A INPUT -j INPUT_direct +-A FORWARD -j FORWARD_direct +-A OUTPUT -j OUTPUT_direct +-A POSTROUTING -j POSTROUTING_direct +-A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation +-A PREROUTING_ZONES -g PRE_FedoraWorkstation +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow +COMMIT +# Completed on Sat Feb 17 10:51:39 2018 +# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:OUTPUT_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_FedoraWorkstation - [0:0] +:PRE_FedoraWorkstation_allow - [0:0] +:PRE_FedoraWorkstation_deny - [0:0] +:PRE_FedoraWorkstation_log - [0:0] +-A PREROUTING -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT +-A PREROUTING -j PREROUTING_direct +-A PREROUTING -j PREROUTING_ZONES_SOURCE +-A PREROUTING -j PREROUTING_ZONES +-A OUTPUT -j OUTPUT_direct +-A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation +-A PREROUTING_ZONES -g PRE_FedoraWorkstation +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny +-A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow +COMMIT +# Completed on Sat Feb 17 10:51:39 
2018 +# Generated by ip6tables-save v1.6.1 on Sat Feb 17 10:51:39 2018 +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:FORWARD_IN_ZONES - [0:0] +:FORWARD_IN_ZONES_SOURCE - [0:0] +:FORWARD_OUT_ZONES - [0:0] +:FORWARD_OUT_ZONES_SOURCE - [0:0] +:FORWARD_direct - [0:0] +:FWDI_FedoraWorkstation - [0:0] +:FWDI_FedoraWorkstation_allow - [0:0] +:FWDI_FedoraWorkstation_deny - [0:0] +:FWDI_FedoraWorkstation_log - [0:0] +:FWDO_FedoraWorkstation - [0:0] +:FWDO_FedoraWorkstation_allow - [0:0] +:FWDO_FedoraWorkstation_deny - [0:0] +:FWDO_FedoraWorkstation_log - [0:0] +:INPUT_ZONES - [0:0] +:INPUT_ZONES_SOURCE - [0:0] +:INPUT_direct - [0:0] +:IN_FedoraWorkstation - [0:0] +:IN_FedoraWorkstation_allow - [0:0] +:IN_FedoraWorkstation_deny - [0:0] +:IN_FedoraWorkstation_log - [0:0] +:OUTPUT_direct - [0:0] +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j INPUT_direct +-A INPUT -j INPUT_ZONES_SOURCE +-A INPUT -j INPUT_ZONES +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -j REJECT --reject-with icmp6-adm-prohibited +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i lo -j ACCEPT +-A FORWARD -j FORWARD_direct +-A FORWARD -j FORWARD_IN_ZONES_SOURCE +-A FORWARD -j FORWARD_IN_ZONES +-A FORWARD -j FORWARD_OUT_ZONES_SOURCE +-A FORWARD -j FORWARD_OUT_ZONES +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited +-A OUTPUT -j OUTPUT_direct +-A FORWARD_IN_ZONES -i wlp58s0 -g FWDI_FedoraWorkstation +-A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation +-A FORWARD_OUT_ZONES -o wlp58s0 -g FWDO_FedoraWorkstation +-A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation +-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log +-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny +-A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow +-A FWDI_FedoraWorkstation -p ipv6-icmp -j ACCEPT +-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log 
+-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny +-A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow +-A INPUT_ZONES -i wlp58s0 -g IN_FedoraWorkstation +-A INPUT_ZONES -g IN_FedoraWorkstation +-A IN_FedoraWorkstation -j IN_FedoraWorkstation_log +-A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny +-A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow +-A IN_FedoraWorkstation -p ipv6-icmp -j ACCEPT +-A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -d ff02::fb/128 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -d fe80::/64 -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT +-A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT +COMMIT +# Completed on Sat Feb 17 10:51:39 2018 diff --git a/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables new file mode 100644 index 00000000..89a05fc5 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-save/dumps/fedora27-iptables 
@@ -0,0 +1,136 @@ +# Completed on Sat Feb 17 10:50:33 2018 +# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +:FORWARD_direct - [0:0] +:INPUT_direct - [0:0] +:OUTPUT_direct - [0:0] +:POSTROUTING_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_FedoraWorkstation - [0:0] +:PRE_FedoraWorkstation_allow - [0:0] +:PRE_FedoraWorkstation_deny - [0:0] +:PRE_FedoraWorkstation_log - [0:0] +[1:2] -A PREROUTING -j PREROUTING_direct +[3:4] -A PREROUTING -j PREROUTING_ZONES_SOURCE +[0:0] -A PREROUTING -j PREROUTING_ZONES +[0:0] -A INPUT -j INPUT_direct +[0:0] -A FORWARD -j FORWARD_direct +[0:0] -A OUTPUT -j OUTPUT_direct +[0:0] -A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill +[0:0] -A POSTROUTING -j POSTROUTING_direct +[0:0] -A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation +[0:0] -A PREROUTING_ZONES -g PRE_FedoraWorkstation +[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log +[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny +[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow +COMMIT +# Completed on Sat Feb 17 10:50:33 2018 +# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018 +*raw +:PREROUTING ACCEPT [1681:2620433] +:OUTPUT ACCEPT [1619:171281] +:OUTPUT_direct - [0:0] +:PREROUTING_ZONES - [0:0] +:PREROUTING_ZONES_SOURCE - [0:0] +:PREROUTING_direct - [0:0] +:PRE_FedoraWorkstation - [0:0] +:PRE_FedoraWorkstation_allow - [0:0] +:PRE_FedoraWorkstation_deny - [0:0] +:PRE_FedoraWorkstation_log - [0:0] +[0:0] -A PREROUTING -j PREROUTING_direct +[0:0] -A PREROUTING -j PREROUTING_ZONES_SOURCE +[0:0] -A PREROUTING -j PREROUTING_ZONES +[0:0] -A OUTPUT -j OUTPUT_direct +[0:0] -A PREROUTING_ZONES -i wlp58s0 -g PRE_FedoraWorkstation +[0:0] -A PREROUTING_ZONES -g PRE_FedoraWorkstation +[0:0] -A 
PRE_FedoraWorkstation -j PRE_FedoraWorkstation_log +[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_deny +[0:0] -A PRE_FedoraWorkstation -j PRE_FedoraWorkstation_allow +[0:0] -A PRE_FedoraWorkstation_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns +COMMIT +# Completed on Sat Feb 17 10:50:33 2018 +# Generated by iptables-save v1.6.1 on Sat Feb 17 10:50:33 2018 +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [1619:171281] +:FORWARD_IN_ZONES - [0:0] +:FORWARD_IN_ZONES_SOURCE - [0:0] +:FORWARD_OUT_ZONES - [0:0] +:FORWARD_OUT_ZONES_SOURCE - [0:0] +:FORWARD_direct - [0:0] +:FWDI_FedoraWorkstation - [0:0] +:FWDI_FedoraWorkstation_allow - [0:0] +:FWDI_FedoraWorkstation_deny - [0:0] +:FWDI_FedoraWorkstation_log - [0:0] +:FWDO_FedoraWorkstation - [0:0] +:FWDO_FedoraWorkstation_allow - [0:0] +:FWDO_FedoraWorkstation_deny - [0:0] +:FWDO_FedoraWorkstation_log - [0:0] +:INPUT_ZONES - [0:0] +:INPUT_ZONES_SOURCE - [0:0] +:INPUT_direct - [0:0] +:IN_FedoraWorkstation - [0:0] +:IN_FedoraWorkstation_allow - [0:0] +:IN_FedoraWorkstation_deny - [0:0] +:IN_FedoraWorkstation_log - [0:0] +:OUTPUT_direct - [0:0] +[5:6] -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT +[0:123456789] -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT +[0:0] -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT +[0:0] -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT +[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A INPUT -i lo -j ACCEPT +[0:0] -A INPUT -j INPUT_direct +[0:0] -A INPUT -j INPUT_ZONES_SOURCE +[0:0] -A INPUT -j INPUT_ZONES +[0:0] -A INPUT -m conntrack --ctstate INVALID -j DROP +[0:0] -A INPUT -j REJECT --reject-with icmp-host-prohibited +[0:0] -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT +[0:0] -A FORWARD -i virbr0 -o virbr0 -j ACCEPT +[0:0] -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable 
+[0:0] -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable +[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +[0:0] -A FORWARD -i lo -j ACCEPT +[0:0] -A FORWARD -j FORWARD_direct +[0:0] -A FORWARD -j FORWARD_IN_ZONES_SOURCE +[0:0] -A FORWARD -j FORWARD_IN_ZONES +[0:0] -A FORWARD -j FORWARD_OUT_ZONES_SOURCE +[0:0] -A FORWARD -j FORWARD_OUT_ZONES +[0:0] -A FORWARD -m conntrack --ctstate INVALID -j DROP +[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited +[0:0] -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT +[0:0] -A OUTPUT -j OUTPUT_direct +[0:0] -A FORWARD_IN_ZONES -i wlp58s0 -g FWDI_FedoraWorkstation +[0:0] -A FORWARD_IN_ZONES -g FWDI_FedoraWorkstation +[0:0] -A FORWARD_OUT_ZONES -o wlp58s0 -g FWDO_FedoraWorkstation +[0:0] -A FORWARD_OUT_ZONES -g FWDO_FedoraWorkstation +[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_log +[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_deny +[0:0] -A FWDI_FedoraWorkstation -j FWDI_FedoraWorkstation_allow +[0:0] -A FWDI_FedoraWorkstation -p icmp -j ACCEPT +[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_log +[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_deny +[0:0] -A FWDO_FedoraWorkstation -j FWDO_FedoraWorkstation_allow +[0:0] -A INPUT_ZONES -i wlp58s0 -g IN_FedoraWorkstation +[0:0] -A INPUT_ZONES -g IN_FedoraWorkstation +[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_log +[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_deny +[0:0] -A IN_FedoraWorkstation -j IN_FedoraWorkstation_allow +[0:0] -A IN_FedoraWorkstation -p icmp -j ACCEPT +[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT +[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT +[0:0] -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +[0:0] -A IN_FedoraWorkstation_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack 
--ctstate NEW -j ACCEPT +[0:0] -A IN_FedoraWorkstation_allow -p udp -m udp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT +[7:8] -A IN_FedoraWorkstation_allow -p tcp -m tcp --dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT +COMMIT +# Completed on Sat Feb 17 10:50:33 2018 -- cgit v1.2.3