5 files changed, 97 insertions, 82 deletions
diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py
index 820024dc9..51ccbc9e6 100644
--- a/smoketest/scripts/cli/base_interfaces_test.py
+++ b/smoketest/scripts/cli/base_interfaces_test.py
@@ -834,8 +834,12 @@ class BasicInterfaceTest:
                     self.assertEqual('1', tmp)
 
                 if cli_defined(self._base_path + ['ip'], 'source-validation'):
-                    tmp = read_file(f'{proc_base}/rp_filter')
-                    self.assertEqual('2', tmp)
+                    base_options = f'iifname "{interface}"'
+                    out = cmd('sudo nft list chain ip raw vyos_rpfilter')
+                    for line in out.splitlines():
+                        if line.startswith(base_options):
+                            self.assertIn('fib saddr oif 0', line)
+                            self.assertIn('drop', line)
 
         def test_interface_ipv6_options(self):
             if not self._test_ipv6:
diff --git a/smoketest/scripts/cli/test_dependency_graph.py b/smoketest/scripts/cli/test_dependency_graph.py
deleted file mode 100755
index 45a40acc4..000000000
--- a/smoketest/scripts/cli/test_dependency_graph.py
+++ /dev/null
@@ -1,54 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-import json
-import unittest
-from graphlib import TopologicalSorter, CycleError
-
-DEP_FILE = '/usr/share/vyos/config-mode-dependencies.json'
-
-def graph_from_dict(d):
-    g = {}
-    for k in list(d):
-        g[k] = set()
-        # add the dependencies for every sub-case; should there be cases
-        # that are mutally exclusive in the future, the graphs will be
-        # distinguished
-        for el in list(d[k]):
-            g[k] |= set(d[k][el])
-    return g
-
-class TestDependencyGraph(unittest.TestCase):
-    def setUp(self):
-        with open(DEP_FILE) as f:
-            dd = json.load(f)
-            self.dependency_graph = graph_from_dict(dd)
-
-    def test_cycles(self):
-        ts = TopologicalSorter(self.dependency_graph)
-        out = None
-        try:
-            # get node iterator
-            order = ts.static_order()
-            # try iteration
-            _ = [*order]
-        except CycleError as e:
-            out = e.args
-
-        self.assertIsNone(out)
-
-if __name__ == '__main__':
-    unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 92fe322ce..f74ce4b72 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -564,23 +564,27 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
     def test_source_validation(self):
         # Strict
         self.cli_set(['firewall', 'global-options', 'source-validation', 'strict'])
+        self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'strict'])
         self.cli_commit()
 
         nftables_strict_search = [
             ['fib saddr . iif oif 0', 'drop']
         ]
 
-        self.verify_nftables(nftables_strict_search, 'inet vyos_global_rpfilter')
+        self.verify_nftables_chain(nftables_strict_search, 'ip raw', 'vyos_global_rpfilter')
+        self.verify_nftables_chain(nftables_strict_search, 'ip6 raw', 'vyos_global_rpfilter')
 
         # Loose
         self.cli_set(['firewall', 'global-options', 'source-validation', 'loose'])
+        self.cli_set(['firewall', 'global-options', 'ipv6-source-validation', 'loose'])
         self.cli_commit()
 
         nftables_loose_search = [
             ['fib saddr oif 0', 'drop']
         ]
 
-        self.verify_nftables(nftables_loose_search, 'inet vyos_global_rpfilter')
+        self.verify_nftables_chain(nftables_loose_search, 'ip raw', 'vyos_global_rpfilter')
+        self.verify_nftables_chain(nftables_loose_search, 'ip6 raw', 'vyos_global_rpfilter')
 
     def test_sysfs(self):
         for name, conf in sysfs_config.items():
diff --git a/smoketest/scripts/cli/test_interfaces_netns.py b/smoketest/scripts/cli/test_netns.py
index b8bebb221..fd04dd520 100755
--- a/smoketest/scripts/cli/test_interfaces_netns.py
+++ b/smoketest/scripts/cli/test_netns.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -16,7 +16,6 @@
 
 import unittest
 
-from netifaces import interfaces
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSession
@@ -24,56 +23,61 @@ from vyos.configsession import ConfigSessionError
 from vyos.ifconfig import Interface
 from vyos.ifconfig import Section
 from vyos.utils.process import cmd
+from vyos.utils.network import is_netns_interface
+from vyos.utils.network import get_netns_all
 
 base_path = ['netns']
-namespaces = ['mgmt', 'front', 'back', 'ams-ix']
+interfaces = ['dum10', 'dum12', 'dum50']
 
-class NETNSTest(VyOSUnitTestSHIM.TestCase):
-    def setUp(self):
-        self._interfaces = ['dum10', 'dum12', 'dum50']
+class NetNSTest(VyOSUnitTestSHIM.TestCase):
+    def tearDown(self):
+        self.cli_delete(base_path)
+        # commit changes
+        self.cli_commit()
+
+        # There should be no network namespace remaining
+        tmp = cmd('ip netns ls')
+        self.assertFalse(tmp)
+
+        super(NetNSTest, self).tearDown()
 
-    def test_create_netns(self):
+    def test_netns_create(self):
+        namespaces = ['mgmt', 'front', 'back']
         for netns in namespaces:
-            base = base_path + ['name', netns]
-            self.cli_set(base)
+            self.cli_set(base_path + ['name', netns])
 
         # commit changes
         self.cli_commit()
 
-        netns_list = cmd('ip netns ls')
-
         # Verify NETNS configuration
         for netns in namespaces:
-            self.assertTrue(netns in netns_list)
-
+            self.assertIn(netns, get_netns_all())
 
-    def test_netns_assign_interface(self):
+    def test_netns_interface(self):
         netns = 'foo'
-        self.cli_set(['netns', 'name', netns])
+        self.cli_set(base_path + ['name', netns])
 
         # Set
-        for iface in self._interfaces:
+        for iface in interfaces:
             self.cli_set(['interfaces', 'dummy', iface, 'netns', netns])
 
         # commit changes
         self.cli_commit()
 
-        netns_iface_list = cmd(f'sudo ip netns exec {netns} ip link show')
-
-        for iface in self._interfaces:
-            self.assertTrue(iface in netns_iface_list)
+        for interface in interfaces:
+            self.assertTrue(is_netns_interface(interface, netns))
 
         # Delete
-        for iface in self._interfaces:
-            self.cli_delete(['interfaces', 'dummy', iface, 'netns', netns])
+        for interface in interfaces:
+            self.cli_delete(['interfaces', 'dummy', interface])
 
         # commit changes
         self.cli_commit()
 
         netns_iface_list = cmd(f'sudo ip netns exec {netns} ip link show')
 
-        for iface in self._interfaces:
-            self.assertNotIn(iface, netns_iface_list)
+        for interface in interfaces:
+            self.assertFalse(is_netns_interface(interface, netns))
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py
index 2a89aa98b..ea304783d 100755
--- a/smoketest/scripts/cli/test_system_conntrack.py
+++ b/smoketest/scripts/cli/test_system_conntrack.py
@@ -35,6 +35,17 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
         self.cli_delete(base_path)
         self.cli_commit()
 
+    def verify_nftables(self, nftables_search, table, inverse=False, args=''):
+        nftables_output = cmd(f'sudo nft {args} list table {table}')
+
+        for search in nftables_search:
+            matched = False
+            for line in nftables_output.split("\n"):
+                if all(item in line for item in search):
+                    matched = True
+                    break
+            self.assertTrue(not matched if inverse else matched, msg=search)
+
     def test_conntrack_options(self):
         conntrack_config = {
             'net.netfilter.nf_conntrack_expect_max' : {
@@ -232,5 +243,51 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase):
         tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf')
         self.assertIn(hash_size_default, tmp)
 
+    def test_conntrack_ignore(self):
+        address_group = 'conntracktest'
+        address_group_member = '192.168.0.1'
+        ipv6_address_group = 'conntracktest6'
+        ipv6_address_group_member = 'dead:beef::1'
+
+        self.cli_set(['firewall', 'group', 'address-group', address_group, 'address', address_group_member])
+        self.cli_set(['firewall', 'group', 'ipv6-address-group', ipv6_address_group, 'address', ipv6_address_group_member])
+
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'source', 'address', '192.0.2.1'])
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'address', '192.0.2.2'])
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'destination', 'port', '22'])
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '1', 'protocol', 'tcp'])
+
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'source', 'address', '192.0.2.1'])
+        self.cli_set(base_path + ['ignore', 'ipv4', 'rule', '2', 'destination', 'group', 'address-group', address_group])
+
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'source', 'address', 'fe80::1'])
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'destination', 'address', 'fe80::2'])
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'destination', 'port', '22'])
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '11', 'protocol', 'tcp'])
+
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '12', 'source', 'address', 'fe80::1'])
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '12', 'destination', 'group', 'address-group', ipv6_address_group])
+
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '13', 'source', 'address', 'fe80::1'])
+        self.cli_set(base_path + ['ignore', 'ipv6', 'rule', '13', 'destination', 'address', '!fe80::3'])
+
+        self.cli_commit()
+
+        nftables_search = [
+            ['ip saddr 192.0.2.1', 'ip daddr 192.0.2.2', 'tcp dport 22', 'notrack'],
+            ['ip saddr 192.0.2.1', 'ip daddr @A_conntracktest', 'notrack']
+        ]
+
+        nftables6_search = [
+            ['ip6 saddr fe80::1', 'ip6 daddr fe80::2', 'tcp dport 22', 'notrack'],
+            ['ip6 saddr fe80::1', 'ip6 daddr @A6_conntracktest6', 'notrack'],
+            ['ip6 saddr fe80::1', 'ip6 daddr != fe80::3', 'notrack']
+        ]
+
+        self.verify_nftables(nftables_search, 'raw')
+        self.verify_nftables(nftables6_search, 'ip6 raw')
+
+        self.cli_delete(['firewall'])
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)