diff options
| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-09-21 17:46:32 +0000 |
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-09-21 17:46:32 +0000 |
| commit | 2a4f007bc3f384fcd7ca43254f38a4156ab1f8c8 (patch) | |
| tree | 7b43b254d872e058111e0723e8d5cd6352c4ed5e | |
| parent | 87d54b805f6fe1ede06387241117d492334bee31 (diff) | |
| download | vyos-1x-2a4f007bc3f384fcd7ca43254f38a4156ab1f8c8.tar.gz vyos-1x-2a4f007bc3f384fcd7ca43254f38a4156ab1f8c8.zip | |
T4699: Firewall: Add return action, since jump action was added recently
| -rw-r--r-- | interface-definitions/include/firewall/action.xml.i | 8 | ||||
| -rw-r--r-- | interface-definitions/include/firewall/default-action.xml.i | 8 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 9 |
3 files changed, 20 insertions, 5 deletions
diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i index 0738fa503..468340cbb 100644 --- a/interface-definitions/include/firewall/action.xml.i +++ b/interface-definitions/include/firewall/action.xml.i @@ -3,7 +3,7 @@ <properties> <help>Rule action</help> <completionHelp> - <list>accept jump reject drop</list> + <list>accept jump reject return drop</list> </completionHelp> <valueHelp> <format>accept</format> @@ -18,11 +18,15 @@ <description>Reject matching entries</description> </valueHelp> <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> <format>drop</format> <description>Drop matching entries</description> </valueHelp> <constraint> - <regex>(accept|jump|reject|drop)</regex> + <regex>(accept|jump|reject|return|drop)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/default-action.xml.i b/interface-definitions/include/firewall/default-action.xml.i index 5107768d3..80efaf335 100644 --- a/interface-definitions/include/firewall/default-action.xml.i +++ b/interface-definitions/include/firewall/default-action.xml.i @@ -3,7 +3,7 @@ <properties> <help>Default-action for rule-set</help> <completionHelp> - <list>drop jump reject accept</list> + <list>drop jump reject return accept</list> </completionHelp> <valueHelp> <format>drop</format> @@ -18,11 +18,15 @@ <description>Drop and notify source if no prior rules are hit</description> </valueHelp> <valueHelp> + <format>return</format> + <description>Return from the current chain and continue at the next rule of the last chain</description> + </valueHelp> + <valueHelp> <format>accept</format> <description>Accept if no prior rules are hit</description> </valueHelp> <constraint> - <regex>(drop|jump|reject|accept)</regex> + <regex>(drop|jump|reject|return|accept)</regex> </constraint> </properties> <defaultValue>drop</defaultValue> diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index c54cba027..4b2cf9864 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -209,6 +209,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'name', name, 'rule', '5', 'protocol', 'tcp']) self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'flags', 'syn']) self.cli_set(['firewall', 'name', name, 'rule', '5', 'tcp', 'mss', mss_range]) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return']) + self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre']) self.cli_set(['firewall', 'interface', interface, 'in', 'name', name]) @@ -222,6 +224,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'], ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'drop'], ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}'], + ['meta l4proto gre', 'return'] ] self.verify_nftables(nftables_search, 'ip vyos_filter') @@ -286,6 +289,9 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'protocol', 'tcp_udp']) self.cli_set(['firewall', 'ipv6-name', name, 'rule', '2', 'destination', 'port', '8888']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'action', 'return']) + self.cli_set(['firewall', 'ipv6-name', name, 'rule', '3', 'protocol', 'gre']) + self.cli_set(['firewall', 'interface', interface, 'in', 'ipv6-name', name]) self.cli_commit() @@ -294,7 +300,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase): [f'iifname "{interface}"', f'jump NAME6_{name}'], ['saddr 2002::1', 'daddr 2002::1:1', 'log prefix "[v6-smoketest-1-A]" level crit', 'return'], ['meta l4proto { tcp, udp }', 'th dport 8888', 'reject'], - ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop'] + ['smoketest default-action', f'log prefix "[{name}-default-D]"', 'drop'], + ['meta l4proto gre', 'return'] ] self.verify_nftables(nftables_search, 'ip6 vyos_filter') |