From 52366bd27684d54d5ed72bf5076cd7e1b0603d09 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 2 Mar 2021 12:37:57 -0500
Subject: [PATCH] test(rpfilter): add test to verify rpfilter rule generation

---
 src/tests/features/features.at | 1 +
 src/tests/features/rpfilter.at | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 src/tests/features/rpfilter.at

diff --git a/src/tests/features/features.at b/src/tests/features/features.at
index 50536273a..a77e9013e 100644
--- a/src/tests/features/features.at
+++ b/src/tests/features/features.at
@@ -14,3 +14,4 @@ m4_include([features/icmp_blocks.at])
 m4_include([features/rich_tcp_mss_clamp.at])
 m4_include([features/rich_destination_ipset.at])
 m4_include([features/zone.at])
+m4_include([features/rpfilter.at])
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
new file mode 100644
index 000000000..2db2369d4
--- /dev/null
+++ b/src/tests/features/rpfilter.at
@@ -0,0 +1,32 @@
+FWD_START_TEST([rpfilter])
+AT_KEYWORDS(rpfilter)
+
+IF_HOST_SUPPORTS_NFT_FIB([
+ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ }
+ }
+ ])
+], [
+ NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ }
+ }
+ ])
+])
+
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ DROP all ::/0 ::/0 rpfilter validmark invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_POLICIES_pre all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+ PREROUTING_POLICIES_post all ::/0 ::/0
+])
+
+FWD_END_TEST
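Review bot: The fallback branch of IF_HOST_SUPPORTS_NFT_FIB in rpfilter.at asserts an empty filter_PREROUTING chain, so on a host without nft fib support the test passes while no reverse-path-filter rule exists for the nftables backend, and nothing in the file records that this silent degradation is the intended outcome. A short comment above the second NFT_LIST_RULES call would keep a future reader from mistaking the empty chain for a missing expectation, e.g. `dnl no nft fib support: no rpfilter rule is emitted, so the chain is expected to be empty`. It would also help to note beside the expected rules why nd-router-advert and nd-neighbor-solicit (ipv6-icmptype 134/135 in the ip6tables listing) are accepted ahead of the drop — presumably because those neighbor-discovery packets would otherwise fail the fib/rpfilter check, but that reasoning lives in the generating code outside this patch and should be confirmed there. The test exercises IPv6 only; if the rpfilter rule is IPv6-only by design, a comment or the AT_KEYWORDS line could say so.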