Merge pull request #1718 from nicolas-fort/T4886_conn_mark

T4886: Firewall and route policy: Add connection-mark feature to vyos.
author: Christian Poessinger <christian@poessinger.com> 2022-12-19 19:32:45 +0100
committer: GitHub <noreply@github.com> 2022-12-19 19:32:45 +0100
commit: 71d2c583e3b8331e877bbb2f364b6da5c0a587a0 (patch)
tree: 41069c9cf16f53091ee13812aed97cf3f2194ff0 /smoketest/scripts/cli/test_firewall.py
parent: c4097097487467300a0a63c8a75f670dc0429f7c (diff)
parent: d9c9092dcdc430b26a326345934c4513534bff9b (diff)
download: vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.tar.gz
vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.zip
1 files changed, 5 insertions, 1 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 9b28eb81b..f1c18d761 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -199,6 +199,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         name = 'smoketest'
         interface = 'eth0'
         mss_range = '501-1460'
+        conn_mark = '555'
 
         self.cli_set(['firewall', 'name', name, 'default-action', 'drop'])
         self.cli_set(['firewall', 'name', name, 'enable-default-log'])
@@ -234,11 +235,14 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'action', 'return'])
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'protocol', 'gre'])
         self.cli_set(['firewall', 'name', name, 'rule', '6', 'outbound-interface', 'interface-name', interface])
+        self.cli_set(['firewall', 'name', name, 'rule', '6', 'connection-mark', conn_mark])
 
         self.cli_set(['firewall', 'interface', interface, 'in', 'name', name])
 
         self.cli_commit()
 
+        mark_hex = "{0:#010x}".format(int(conn_mark))
+
         nftables_search = [
             [f'iifname "{interface}"', f'jump NAME_{name}'],
             ['saddr 172.16.20.10', 'daddr 172.16.10.10', 'log prefix "[smoketest-1-A]" level debug', 'ip ttl 15', 'return'],
@@ -247,7 +251,7 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
             ['log prefix "[smoketest-default-D]"','smoketest default-action', 'drop'],
             ['tcp dport 22', 'add @RECENT_smoketest_4 { ip saddr limit rate over 10/minute burst 10 packets }', 'drop'],
             ['tcp flags & syn == syn', f'tcp option maxseg size {mss_range}', f'iifname "{interface}"'],
-            ['meta l4proto gre', f'oifname "{interface}"', 'return']
+            ['meta l4proto gre', f'oifname "{interface}"', f'ct mark {mark_hex}', 'return']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_filter')
author	Christian Poessinger <christian@poessinger.com>	2022-12-19 19:32:45 +0100
committer	GitHub <noreply@github.com>	2022-12-19 19:32:45 +0100
commit	71d2c583e3b8331e877bbb2f364b6da5c0a587a0 (patch)
tree	41069c9cf16f53091ee13812aed97cf3f2194ff0 /smoketest/scripts/cli/test_firewall.py
parent	c4097097487467300a0a63c8a75f670dc0429f7c (diff)
parent	d9c9092dcdc430b26a326345934c4513534bff9b (diff)
download	vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.tar.gz vyos-1x-71d2c583e3b8331e877bbb2f364b6da5c0a587a0.zip