4 files changed, 177 insertions, 4 deletions

diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index cffa1c0be..066ed707b 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -408,6 +408,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'v6-smoketest'
         interface = 'eth0'
 
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+
         self.cli_set(['firewall', 'ipv6', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'ipv6', 'name', name, 'enable-default-log'])
 
@@ -452,7 +456,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['log prefix "[ipv6-OUT-filter-default-D]"','OUT-filter default-action drop', 'drop'],
             [f'chain NAME6_{name}'],
             ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[ipv6-NAM-v6-smoketest-1-A]" log level crit', 'accept'],
-            [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop']
+            [f'"{name} default-action drop"', f'log prefix "[ipv6-{name}-default-D]"', 'drop'],
+            ['jump VYOS_STATE_POLICY6'],
+            ['chain VYOS_STATE_POLICY6'],
+            ['ct state established', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
         ]
 
         self.verify_nftables(nftables_search, 'ip6 vyos_filter')
@@ -535,6 +544,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'smoketest-state'
         interface = 'eth0'
 
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
+
         self.cli_set(['firewall', 'ipv4', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'action', 'accept'])
         self.cli_set(['firewall', 'ipv4', 'name', name, 'rule', '1', 'state', 'established'])
@@ -561,7 +574,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['ct state new', 'ct status dnat', 'accept'],
             ['ct state { established, new }', 'ct status snat', 'accept'],
             ['ct state related', 'ct helper { "ftp", "pptp" }', 'accept'],
-            ['drop', f'comment "{name} default-action drop"']
+            ['drop', f'comment "{name} default-action drop"'],
+            ['jump VYOS_STATE_POLICY'],
+            ['chain VYOS_STATE_POLICY'],
+            ['ct state established', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
@@ -657,6 +675,10 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'zone', 'smoketest-eth0', 'from', 'smoketest-local', 'firewall', 'name', 'smoketest'])
         self.cli_set(['firewall', 'zone', 'smoketest-local', 'local-zone'])
         self.cli_set(['firewall', 'zone', 'smoketest-local', 'from', 'smoketest-eth0', 'firewall', 'name', 'smoketest'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'established', 'log'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'related', 'action', 'accept'])
+        self.cli_set(['firewall', 'global-options', 'state-policy', 'invalid', 'action', 'drop'])
 
         self.cli_commit()
 
@@ -674,7 +696,12 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['jump VZONE_smoketest-local_IN'],
             ['jump VZONE_smoketest-local_OUT'],
             ['iifname "eth0"', 'jump NAME_smoketest'],
-            ['oifname "eth0"', 'jump NAME_smoketest']
+            ['oifname "eth0"', 'jump NAME_smoketest'],
+            ['jump VYOS_STATE_POLICY'],
+            ['chain VYOS_STATE_POLICY'],
+            ['ct state established', 'log prefix "[STATE-POLICY-EST-A]"', 'accept'],
+            ['ct state invalid', 'drop'],
+            ['ct state related', 'accept']
         ]
 
         nftables_output = cmd('sudo nft list table ip vyos_filter')
diff --git a/smoketest/scripts/cli/test_nat64.py b/smoketest/scripts/cli/test_nat64.py
new file mode 100755
index 000000000..b5723ac7e
--- /dev/null
+++ b/smoketest/scripts/cli/test_nat64.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import os
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.configsession import ConfigSessionError
+from vyos.utils.process import cmd
+from vyos.utils.dict import dict_search
+
+base_path = ['nat64']
+src_path = base_path + ['source']
+
+jool_nat64_config = '/run/jool/instance-100.json'
+
+
+class TestNAT64(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestNAT64, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        self.cli_delete(base_path)
+        self.cli_commit()
+        self.assertFalse(os.path.exists(jool_nat64_config))
+
+    def test_snat64(self):
+        rule = '100'
+        translation_rule = '10'
+        prefix_v6 = '64:ff9b::/96'
+        pool = '192.0.2.10'
+        pool_port = '1-65535'
+
+        self.cli_set(src_path + ['rule', rule, 'source', 'prefix', prefix_v6])
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'address', pool]
+        )
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'port', pool_port]
+        )
+        self.cli_commit()
+
+        # Load the JSON file
+        with open(f'/run/jool/instance-{rule}.json', 'r') as json_file:
+            config_data = json.load(json_file)
+
+        # Assertions based on the content of the JSON file
+        self.assertEqual(config_data['instance'], f'instance-{rule}')
+        self.assertEqual(config_data['framework'], 'netfilter')
+        self.assertEqual(config_data['global']['pool6'], prefix_v6)
+        self.assertTrue(config_data['global']['manually-enabled'])
+
+        # Check the pool4 entries
+        pool4_entries = config_data.get('pool4', [])
+        self.assertIsInstance(pool4_entries, list)
+        self.assertGreater(len(pool4_entries), 0)
+
+        for entry in pool4_entries:
+            self.assertIn('protocol', entry)
+            self.assertIn('prefix', entry)
+            self.assertIn('port range', entry)
+
+            protocol = entry['protocol']
+            prefix = entry['prefix']
+            port_range = entry['port range']
+
+            if protocol == 'ICMP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'UDP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'TCP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            else:
+                self.fail(f'Unexpected protocol: {protocol}')
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py
index cb3d90593..3c7303f32 100755
--- a/smoketest/scripts/cli/test_service_dns_dynamic.py
+++ b/smoketest/scripts/cli/test_service_dns_dynamic.py
@@ -294,7 +294,7 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
 
     def test_07_dyndns_vrf(self):
         # Table number randomized, but should be within range 100-65535
-        vrf_table = "".join(random.choices(string.digits, k=4))
+        vrf_table = '58710'
         vrf_name = f'vyos-test-{vrf_table}'
         svc_path = name_path + ['cloudflare']
         proto = 'cloudflare'
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index 7657ab724..0dbc97d49 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -297,5 +297,49 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
 
         self.cli_delete(['firewall'])
 
+    def test_conntrack_timeout_custom(self):
+
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'source', 'address', '192.0.2.1'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'destination', 'address', '192.0.2.2'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'destination', 'port', '22'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'syn-sent', '77'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'close', '88'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '1', 'protocol', 'tcp', 'established', '99'])
+
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'inbound-interface', 'eth1'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'source', 'address', '198.51.100.1'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv4', 'rule', '2', 'protocol', 'udp', 'unreplied', '55'])
+
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'source', 'address', '2001:db8::1'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'inbound-interface', 'eth2'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'protocol', 'tcp', 'time-wait', '22'])
+        self.cli_set(base_path + ['timeout', 'custom', 'ipv6', 'rule', '1', 'protocol', 'tcp', 'last-ack', '33'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['ct timeout ct-timeout-1 {'],
+            ['protocol tcp'],
+            ['policy = { syn_sent : 77, established : 99, close : 88 }'],
+            ['ct timeout ct-timeout-2 {'],
+            ['protocol udp'],
+            ['policy = { unreplied : 55 }'],
+            ['chain VYOS_CT_TIMEOUT {'],
+            ['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'ct timeout set "ct-timeout-1"'],
+            ['iifname "eth1"', 'meta l4proto udp', 'ip saddr 198.51.100.1', 'ct timeout set "ct-timeout-2"']
+        ]
+
+        nftables6_search = [
+            ['ct timeout ct-timeout-1 {'],
+            ['protocol tcp'],
+            ['policy = { last_ack : 33, time_wait : 22 }'],
+            ['chain VYOS_CT_TIMEOUT {'],
+            ['iifname "eth2"', 'meta l4proto tcp', 'ip6 saddr 2001:db8::1', 'ct timeout set "ct-timeout-1"']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip vyos_conntrack')
+        self.verify_nftables(nftables6_search, 'ip6 vyos_conntrack')
+
+        self.cli_delete(['firewall'])
 if __name__ == '__main__':
     unittest.main(verbosity=2)