3 files changed, 103 insertions, 13 deletions

diff --git a/smoketest/configs/service-https b/smoketest/configs/service-https
new file mode 100644
index 000000000..d478d5731
--- /dev/null
+++ b/smoketest/configs/service-https
@@ -0,0 +1,55 @@
+interfaces {
+    ethernet eth0 {
+        address 192.168.150.1/24
+    }
+}
+service {
+    https {
+        certificates {
+            system-generated-certificate {
+                lifetime 365
+            }
+        }
+    }
+}
+system {
+    config-management {
+        commit-revisions 100
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    host-name vyos
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+                plaintext-password ""
+            }
+        }
+    }
+    ntp {
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+        server time3.vyos.net {
+        }
+    }
+    syslog {
+        global {
+            facility all {
+                level info
+            }
+            facility protocols {
+                level debug
+            }
+        }
+    }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "bgp@1:broadcast-relay@1:cluster@1:config-management@1:conntrack@2:conntrack-sync@2:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@6:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:nat66@1:ntp@1:policy@1:pppoe-server@5:pptp@2:qos@1:quagga@9:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrf@2:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.4-rolling-202106290839
diff --git a/smoketest/configs/pki-misc b/smoketest/configs/vpn-openconnect-sstp
index 4db795565..45e6dd9b2 100644
--- a/smoketest/configs/pki-misc
+++ b/smoketest/configs/vpn-openconnect-sstp
@@ -3,15 +3,6 @@ interfaces {
         address 192.168.150.1/24
     }
 }
-service {
-    https {
-        certificates {
-            system-generated-certificate {
-                lifetime 365
-            }
-        }
-    }
-}
 system {
     config-management {
         commit-revisions 100
@@ -59,10 +50,6 @@ vpn {
             }
             mode local
         }
-        listen-ports {
-            tcp 4443
-            udp 4443
-        }
         network-settings {
             client-ip-settings {
                 subnet 192.168.160.0/24
diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py
index 4b5625569..c5db066db 100755
--- a/smoketest/scripts/cli/test_nat66.py
+++ b/smoketest/scripts/cli/test_nat66.py
@@ -131,6 +131,30 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
 
         self.verify_nftables(nftables_search, 'ip6 nat')
 
+    def test_destination_nat66_protocol(self):
+        translation_address = '2001:db8:1111::1'
+        source_prefix = '2001:db8:2222::/64'
+        dport = '4545'
+        sport = '8080'
+        tport = '5555'
+        proto = 'tcp'
+        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1'])
+        self.cli_set(dst_path + ['rule', '1', 'destination', 'port', dport])
+        self.cli_set(dst_path + ['rule', '1', 'source', 'address', source_prefix])
+        self.cli_set(dst_path + ['rule', '1', 'source', 'port', sport])
+        self.cli_set(dst_path + ['rule', '1', 'protocol', proto])
+        self.cli_set(dst_path + ['rule', '1', 'translation', 'address', translation_address])
+        self.cli_set(dst_path + ['rule', '1', 'translation', 'port', tport])
+
+        # check validate() - outbound-interface must be defined
+        self.cli_commit()
+
+        nftables_search = [
+            ['iifname "eth1"', 'tcp dport { 4545 } ip6 saddr 2001:db8:2222::/64 tcp sport { 8080 } dnat to 2001:db8:1111::1:5555']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip6 nat')
+
     def test_destination_nat66_prefix(self):
         destination_prefix = 'fc00::/64'
         translation_prefix = 'fc01::/64'
@@ -176,6 +200,30 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
         self.cli_set(src_path + ['rule', rule, 'translation', 'address', 'masquerade'])
         self.cli_commit()
 
+    def test_source_nat66_protocol(self):
+        translation_address = '2001:db8:1111::1'
+        source_prefix = '2001:db8:2222::/64'
+        dport = '9999'
+        sport = '8080'
+        tport = '80'
+        proto = 'tcp'
+        self.cli_set(src_path + ['rule', '1', 'outbound-interface', 'eth1'])
+        self.cli_set(src_path + ['rule', '1', 'destination', 'port', dport])
+        self.cli_set(src_path + ['rule', '1', 'source', 'prefix', source_prefix])
+        self.cli_set(src_path + ['rule', '1', 'source', 'port', sport])
+        self.cli_set(src_path + ['rule', '1', 'protocol', proto])
+        self.cli_set(src_path + ['rule', '1', 'translation', 'address', translation_address])
+        self.cli_set(src_path + ['rule', '1', 'translation', 'port', tport])
+
+        # check validate() - outbound-interface must be defined
+        self.cli_commit()
+
+        nftables_search = [
+            ['oifname "eth1"', 'ip6 saddr 2001:db8:2222::/64 tcp dport { 9999 } tcp sport { 8080 } snat to 2001:db8:1111::1:80']
+        ]
+
+        self.verify_nftables(nftables_search, 'ip6 nat')
+
     def test_nat66_no_rules(self):
         # T3206: deleting all rules but keep the direction 'destination' or
         # 'source' resulteds in KeyError: 'rule'.