@@ -695,13 +695,21 @@ def test_ipv4_state_and_status_rules(self):
695695 self .verify_nftables_chain ([['accept' ]], 'ip vyos_conntrack' , 'FW_CONNTRACK' )
696696 self .verify_nftables_chain ([['return' ]], 'ip6 vyos_conntrack' , 'FW_CONNTRACK' )
697697
698- def test_bridge_basic_rules (self ):
698+ def test_bridge_firewall (self ):
699699 name = 'smoketest'
700700 interface_in = 'eth0'
701701 mac_address = '00:53:00:00:00:01'
702702 vlan_id = '12'
703703 vlan_prior = '3'
704704
705+ # Check bridge-nf-call-iptables default value: 0
706+ self .assertEqual (get_sysctl ('net.bridge.bridge-nf-call-iptables' ), '0' )
707+ self .assertEqual (get_sysctl ('net.bridge.bridge-nf-call-ip6tables' ), '0' )
708+
709+ self .cli_set (['firewall' , 'group' , 'ipv6-address-group' , 'AGV6' , 'address' , '2001:db1::1' ])
710+ self .cli_set (['firewall' , 'global-options' , 'state-policy' , 'established' , 'action' , 'accept' ])
711+ self .cli_set (['firewall' , 'global-options' , 'apply-for-bridge' , 'ipv4' ])
712+
705713 self .cli_set (['firewall' , 'bridge' , 'name' , name , 'default-action' , 'accept' ])
706714 self .cli_set (['firewall' , 'bridge' , 'name' , name , 'default-log' ])
707715 self .cli_set (['firewall' , 'bridge' , 'name' , name , 'rule' , '1' , 'action' , 'accept' ])
@@ -718,20 +726,42 @@ def test_bridge_basic_rules(self):
718726 self .cli_set (['firewall' , 'bridge' , 'forward' , 'filter' , 'rule' , '2' , 'jump-target' , name ])
719727 self .cli_set (['firewall' , 'bridge' , 'forward' , 'filter' , 'rule' , '2' , 'vlan' , 'priority' , vlan_prior ])
720728
729+ self .cli_set (['firewall' , 'bridge' , 'input' , 'filter' , 'rule' , '1' , 'action' , 'accept' ])
730+ self .cli_set (['firewall' , 'bridge' , 'input' , 'filter' , 'rule' , '1' , 'inbound-interface' , 'name' , interface_in ])
731+ self .cli_set (['firewall' , 'bridge' , 'input' , 'filter' , 'rule' , '1' , 'source' , 'address' , '192.0.2.2' ])
732+ self .cli_set (['firewall' , 'bridge' , 'input' , 'filter' , 'rule' , '1' , 'state' , 'new' ])
733+
734+ self .cli_set (['firewall' , 'bridge' , 'prerouting' , 'filter' , 'rule' , '1' , 'action' , 'drop' ])
735+ self .cli_set (['firewall' , 'bridge' , 'prerouting' , 'filter' , 'rule' , '1' , 'destination' , 'group' , 'ipv6-address-group' , 'AGV6' ])
736+
737+
721738 self .cli_commit ()
722739
723740 nftables_search = [
741+ ['set A6_AGV6' ],
742+ ['type ipv6_addr' ],
743+ ['elements' , '2001:db1::1' ],
724744 ['chain VYOS_FORWARD_filter' ],
725745 ['type filter hook forward priority filter; policy accept;' ],
746+ ['jump VYOS_STATE_POLICY' ],
726747 [f'vlan id { vlan_id } , 'accept' ],
727748 [f'vlan pcp { vlan_prior } , f'jump NAME_{ name } ],
728749 ['log prefix "[bri-FWD-filter-default-D]"' , 'drop' , 'FWD-filter default-action drop' ],
729750 [f'chain NAME_{ name } ],
730751 [f'ether saddr { mac_address } , f'iifname "{ interface_in } , f'log prefix "[bri-NAM-{ name } , 'accept' ],
731- ['accept' , f'{ name } ]
752+ ['accept' , f'{ name } ],
753+ ['chain VYOS_INPUT_filter' ],
754+ ['type filter hook input priority filter; policy accept;' ],
755+ ['ct state new' , 'ip saddr 192.0.2.2' , f'iifname "{ interface_in } , 'accept' ],
756+ ['chain VYOS_PREROUTING_filter' ],
757+ ['type filter hook prerouting priority filter; policy accept;' ],
758+ ['ip6 daddr @A6_AGV6' , 'drop' ]
732759 ]
733760
734761 self .verify_nftables (nftables_search , 'bridge vyos_filter' )
762+ ## Check bridge-nf-call-iptables is set to 1, and for ipv6 remains on default 0
763+ self .assertEqual (get_sysctl ('net.bridge.bridge-nf-call-iptables' ), '1' )
764+ self .assertEqual (get_sysctl ('net.bridge.bridge-nf-call-ip6tables' ), '0' )
735765
736766 def test_source_validation (self ):
737767 # Strict
0 commit comments