firewall: T5493: Implement remote-group

author: Alex W <embezzle.dev@proton.me> 2025-01-30 20:22:41 +0000
committer: Alex W <embezzle.dev@proton.me> 2025-03-21 21:08:50 +0100
commit: 9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410 (patch)
tree: 29af39c615a3b3cbcf327af4839f578f29af00d9 /smoketest/scripts/cli
parent: 7eec4583bf7feb900fad02e009b9ded11b52fd5d (diff)
download: vyos-1x-9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410.tar.gz
vyos-1x-9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410.zip
1 files changed, 34 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py
index 33144c7fa..2829edbfb 100755
--- a/smoketest/scripts/cli/test_firewall.py
+++ b/smoketest/scripts/cli/test_firewall.py
@@ -1273,5 +1273,39 @@ class TestFirewall(VyOSUnitTestSHIM.TestCase):
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
 
+    def test_ipv4_remote_group(self):
+        # Setup base config for test
+        self.cli_set(['firewall', 'group', 'remote-group', 'group01', 'url', 'http://127.0.0.1:80/list.txt'])
+        self.cli_set(['firewall', 'group', 'remote-group', 'group01', 'description', 'Example Group 01'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'action', 'drop'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'protocol', 'tcp'])
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'destination', 'group', 'remote-group', 'group01'])
+
+        self.cli_commit()
+
+        # Test remote-group had been loaded correctly in nft
+        nftables_search = [
+            ['R_group01'],
+            ['type ipv4_addr'],
+            ['flags interval'],
+            ['meta l4proto', 'daddr @R_group01', "ipv4-INP-filter-10"]
+        ]
+        self.verify_nftables(nftables_search, 'ip vyos_filter')
+
+        # Test remote-group cannot be configured without a URL
+        self.cli_delete(['firewall', 'group', 'remote-group', 'group01', 'url'])
+
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_discard()
+
+        # Test remote-group cannot be set alongside address in rules
+        self.cli_set(['firewall', 'ipv4', 'input', 'filter', 'rule', '10', 'destination', 'address', '127.0.0.1'])
+
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        self.cli_discard()
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
author	Alex W <embezzle.dev@proton.me>	2025-01-30 20:22:41 +0000
committer	Alex W <embezzle.dev@proton.me>	2025-03-21 21:08:50 +0100
commit	9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410 (patch)
tree	29af39c615a3b3cbcf327af4839f578f29af00d9 /smoketest/scripts/cli
parent	7eec4583bf7feb900fad02e009b9ded11b52fd5d (diff)
download	vyos-1x-9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410.tar.gz vyos-1x-9e2bdc96ea63e7ee1adb002df17e0d9ecc1cd410.zip