author | Christian Poessinger <christian@poessinger.com> | 2022-07-04 20:55:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-07-04 20:55:49 +0200 |
commit | 26506757c3d0354d6d42101dcccde5613a9b1182 (patch) | |
tree | 0df570ec9d41b6932f7674cfca9952a38b818ce1 /smoketest/scripts/cli/test_firewall.py | |
parent | 171b224c1cf1303a608725ec74b545902daa243e (diff) | |
parent | 884f68b25455c547f7b0e7dea4e543daea99f3c2 (diff) | |
Merge pull request #1386 from sarthurdev/geoip_negate
firewall: T4299: Add ability to inverse match country-codes
Diffstat (limited to 'smoketest/scripts/cli/test_firewall.py')
-rwxr-xr-x | smoketest/scripts/cli/test_firewall.py | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index ce06b9074..4de90e1ec 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -69,8 +69,8 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 self.verify_nftables(nftables_search, 'ip filter', inverse=True)
- def verify_nftables(self, nftables_search, table, inverse=False):
- nftables_output = cmd(f'sudo nft list table {table}')
+ def verify_nftables(self, nftables_search, table, inverse=False, args=''):
+ nftables_output = cmd(f'sudo nft {args} list table {table}')
 for search in nftables_search:
 matched = False
@@ -80,6 +80,24 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
 break
 self.assertTrue(not matched if inverse else matched, msg=search)
+ def test_geoip(self):
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'action', 'drop'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'se'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '1', 'source', 'geoip', 'country-code', 'gb'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'action', 'accept'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'de'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'country-code', 'fr'])
+ self.cli_set(['firewall', 'name', 'smoketest', 'rule', '2', 'source', 'geoip', 'inverse-match'])
+
+ self.cli_commit()
+
+ nftables_search = [
+ ['ip saddr @GEOIP_CC_smoketest_1', 'drop'],
+ ['ip saddr != @GEOIP_CC_smoketest_2', 'return']
+ ]
+ # -t prevents 1000+ GeoIP elements being returned
+ self.verify_nftables(nftables_search, 'ip filter', args='-t')
+
 def test_groups(self):
 hostmap_path = ['system', 'static-host-mapping', 'host-name']
 example_org = ['192.0.2.8', '192.0.2.10', '192.0.2.11'] |
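Review bot: The new `args` parameter of `verify_nftables` is undocumented and is interpolated, like `table`, unquoted into a command string that runs under `sudo`. Every caller visible in this diff passes a literal, so this is a hygiene point rather than an exposure, but the helper should say so before someone feeds it a computed value. I would add a comment above the `cmd(...)` line: `# args is inserted verbatim into a sudo command line; pass fixed nft options only (e.g. '-t')`. With the default `args=''` the command also carries a doubled space, which should be harmless. The function body continues past the end of this hunk.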
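Review bot: Because `-t` leaves set elements out of the listing, `test_geoip` only shows that the two rules reference `@GEOIP_CC_smoketest_1` and `@GEOIP_CC_smoketest_2`, not that those sets were populated. That gap matters most for the inverse-match rule: `ip saddr != @GEOIP_CC_smoketest_2` against an empty set matches every source address, so a failed GeoIP load would turn rule 2 into an accept-all while this test still passes. At minimum the existing comment should state the limit, e.g. `# -t omits set elements (1000+ per country); this checks rule syntax only, not that the sets are populated`. A follow-up assertion that each set holds at least one element, taken from a separate listing of just that set, would close the gap.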