Merge pull request #4326 from Embezzle/T5493

firewall: T5493: Implement remote-group
author: Daniil Baturin <daniil@vyos.io> 2025-03-25 15:20:48 +0000
committer: GitHub <noreply@github.com> 2025-03-25 15:20:48 +0000
commit: 1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97 (patch)
tree: 91c8431c6b5f238d9251177ff0ee1985ad29aef6 /smoketest/scripts/cli
parent: 3fee8ec30dce8f3987fe468d29109ed4e1bc492a (diff)
parent: 9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410 (diff)
download: vyos-1x-1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97.tar.gz
vyos-1x-1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97.zip
1 files changed, 34 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 33144c7fa..2829edbfb 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1273,5 +1273,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
 
+    def test_ipv4_remote_group(self):
+        # Setup base config for test
+        self.cli_set(['firewall', 'group', 'remote-group', 'group01', 'url', 'http://127.0.0.1:80/list.txt'])
+        self.cli_set(['firewall', 'group', 'remote-group', 'group01', 'description', 'Example Group 01'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'action', 'drop'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'protocol', 'tcp'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'destination', 'group', 'remote-group', 'group01'])
+
+        self.cli_commit()
+
+        # Test remote-group had been loaded correctly in nft
+        nftables_search = [
+            ['R_group01'],
+            ['type ipv4_addr'],
+            ['flags interval'],
+            ['meta l4proto', 'daddr @R_group01', "ipv4-INP-filter-10"]
+        ]
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+        # Test remote-group cannot be configured without a URL
+        self.cli_delete(['firewall', 'group', 'remote-group', 'group01', 'url'])
+
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_discard()
+
+        # Test remote-group cannot be set alongside address in rules
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'destination', 'address', '127.0.0.1'])
+
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_discard()
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
author	Daniil Baturin <daniil@vyos.io>	2025-03-25 15:20:48 +0000
committer	GitHub <noreply@github.com>	2025-03-25 15:20:48 +0000
commit	1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97 (patch)
tree	91c8431c6b5f238d9251177ff0ee1985ad29aef6 /smoketest/scripts/cli
parent	3fee8ec30dce8f3987fe468d29109ed4e1bc492a (diff)
parent	9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410 (diff)
download	vyos-1x-1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97.tar.gz vyos-1x-1c66841323ba1fa4f90d3ce3de6ef7cebc07ed97.zip