improvement(zone): icmp_block_inversion: now only applies to INPUT

BREAKING CHANGE:

Improve the zone concept by making icmp block inversion only apply to
INPUT. Previously it was applied to INPUT and FORWARD. This is unlike
other features which typically apply only to INPUT.

This makes zones behave more like simply a policy for INPUT packets.

src/firewall/core/fw_zone.py

@@ -984,33 +984,24 @@ def add_icmp_block_inversion(self, zone, sender=None):
         p_name = self.policy_name_from_zones(zone, "HOST")
         self._fw.policy.add_icmp_block_inversion(p_name, sender)
 
-        p_name = self.policy_name_from_zones(zone, "ANY")
-        self._fw.policy.add_icmp_block_inversion(p_name, sender)
         return zone
 
     def _icmp_block_inversion(self, enable, zone, transaction):
         zone = self._fw.check_zone(zone)
         p_name = self.policy_name_from_zones(zone, "HOST")
         self._fw.policy._icmp_block_inversion(enable, p_name, transaction)
 
-        p_name = self.policy_name_from_zones(zone, "ANY")
-        self._fw.policy._icmp_block_inversion(enable, p_name, transaction)
-
     def remove_icmp_block_inversion(self, zone):
         zone = self._fw.check_zone(zone)
         p_name = self.policy_name_from_zones(zone, "HOST")
         self._fw.policy.remove_icmp_block_inversion(p_name)
 
-        p_name = self.policy_name_from_zones(zone, "ANY")
-        self._fw.policy.remove_icmp_block_inversion(p_name)
         return zone
 
     def query_icmp_block_inversion(self, zone):
         zone = self._fw.check_zone(zone)
         p_name_host = self.policy_name_from_zones(zone, "HOST")
-        p_name_fwd = self.policy_name_from_zones(zone, "ANY")
-        return self._fw.policy.query_icmp_block_inversion(p_name_host) and \
-               self._fw.policy.query_icmp_block_inversion(p_name_fwd)
+        return self._fw.policy.query_icmp_block_inversion(p_name_host)
 
     def _forward(self, enable, zone, transaction):
         p_name = self.policy_name_from_zones(zone, "ANY")

src/tests/cli/firewall-cmd.at

@@ -1393,7 +1393,6 @@ FWD_START_TEST([rich rules priority])
         jump filter_FWD_public_deny
         jump filter_FWD_public_allow
         jump filter_FWD_public_post
-        meta l4proto { icmp, ipv6-icmp } accept
         reject with icmpx type admin-prohibited
         }
         }
@@ -1413,7 +1412,6 @@ FWD_START_TEST([rich rules priority])
         FWD_public_deny all -- 0.0.0.0/0 0.0.0.0/0
         FWD_public_allow all -- 0.0.0.0/0 0.0.0.0/0
         FWD_public_post all -- 0.0.0.0/0 0.0.0.0/0
-        ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
         REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
     ])
     IP6TABLES_LIST_RULES([filter], [IN_public], 0, [dnl
@@ -1431,7 +1429,6 @@ FWD_START_TEST([rich rules priority])
         FWD_public_deny all ::/0 ::/0
         FWD_public_allow all ::/0 ::/0
         FWD_public_post all ::/0 ::/0
-        ACCEPT icmpv6 ::/0 ::/0
         REJECT all ::/0 ::/0 reject-with icmp6-port-unreachable
     ])
 

src/tests/features/zone.at

@@ -116,7 +116,6 @@ NFT_LIST_RULES([inet], [filter_FWD_foobar], 0, [dnl
             jump filter_FWD_foobar_deny
             jump filter_FWD_foobar_allow
             jump filter_FWD_foobar_post
-            meta l4proto { icmp, ipv6-icmp } accept
             reject with icmpx type admin-prohibited
         }
     }
@@ -127,7 +126,6 @@ IPTABLES_LIST_RULES([filter], [FWD_foobar], 0, [dnl
     FWD_foobar_deny all -- 0.0.0.0/0 0.0.0.0/0
     FWD_foobar_allow all -- 0.0.0.0/0 0.0.0.0/0
     FWD_foobar_post all -- 0.0.0.0/0 0.0.0.0/0
-    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0                                 
     REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
 ])
 IP6TABLES_LIST_RULES([filter], [FWD_foobar], 0, [dnl
@@ -136,7 +134,6 @@ IP6TABLES_LIST_RULES([filter], [FWD_foobar], 0, [dnl
     FWD_foobar_deny all ::/0 ::/0
     FWD_foobar_allow all ::/0 ::/0
     FWD_foobar_post all ::/0 ::/0
-    ACCEPT icmpv6 ::/0 ::/0                                
     REJECT all ::/0 ::/0 reject-with icmp6-port-unreachable
 ])