revisions of isolation-check

.gitea/workflows/isolate-the-network.sh

@@ -49,15 +49,15 @@ done
 
 # Dont bother allowing intra-subnet traffic for IPv6
 
-# Deny IPv6 traffic to docker zone
+# # Deny IPv6 traffic to docker zone
-RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" drop"
+# RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" drop"
-$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+# $FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule=\'$RULE\'
-
+#
-# Deny isolated ipv6 segment to LAN ipv6
+# # Deny isolated ipv6 segment to LAN ipv6
-for addr in $LAN6SUBNETS ; do
+# for addr in $LAN6SUBNETS ; do
-    RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
+#     RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
-    $FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule="$RULE"
+#     $FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule=\'$RULE\'
-done
+# done
 
 
 # $FWCMD --reload

.gitea/workflows/isolation-check.yaml

@@ -47,33 +47,18 @@ jobs:
           echo
           cat /etc/resolv.conf
 
-      - name: LAN reachability test
-        run: |
-          echo "=== LAN REACHABILITY ==="
-          echo "--- Checking private IP routes ---"
-          ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
-            && echo "!! Possible LAN route detected !!" \
-            || echo "No direct LAN route found."
-          echo "--- Checking for responses ---"
-          for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
-          172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
-          172.24.0.1 192.168.1.185; do
-            ping -4 -n -c 4 $subnet >/dev/null 2>&1 && echo "$subnet ping response"
-            curl -s -m 5 http://$subnet:8098/docker-compose.yaml >/dev/null 2>&1 && echo "HTTP response at $subnet:8098"
-          done
-
       - name: Check external IP
         run: |
           echo "--- Checking external IP (https://ifconfig.me)"
           for ignore in errors ; do
-            curl -4 icanhazip.com >/dev/null 2>&1
+            curl -4 icanhazip.com >/dev/null 2>&1 || echo 'Error getting ipv4' && true
             curl -6 icanhazip.com >/dev/null 2>&1 || echo "Error getting ipv6" && true
           done
 
       - name: Outbound reachability sanity check
         run: |
           echo "=== OUTBOUND TEST ==="
-          for addr in https://google.com ; do
+          for addr in https://google.com http://github.com ; do
             curl -fsSL "$addr" >/dev/null 2>&1 && echo "$addr access OK" || echo "No internet access to $addr?"
           done
 
@@ -85,6 +70,24 @@ jobs:
             traceroute -4 -n $addr
           done
 
+      - name: LAN reachability test
+        run: |
+          echo "=== LAN REACHABILITY ==="
+          echo "--- Checking private IP routes ---"
+          ip route | grep -E "192\.168|10\.|172\.(1[6-9]|2[0-9]|3[01])" \
+            && echo "!! Possible LAN route detected !!" \
+            || echo "No direct LAN route found."
+
+          echo "--- Checking for responses ---"
+          for subnet in 192.168.0.1 192.168.1.1 10.0.0.1 172.16.0.1 172.17.0.1 \
+          172.18.0.1 172.19.0.1 172.20.0.1 172.21.0.1 172.22.0.1 172.23.0.1 \
+          172.24.0.1 192.168.1.185; do
+            echo -n "$subnet ... "
+            ping -4 -n -c 1 $subnet >/dev/null 2>&1 && echo -n "ping response "
+            curl -m 3 http://$subnet:8098/docker-compose.yaml >/dev/null 2>&1 && echo -n "HTTP response "
+            echo ''
+          done
+
       - name: Process visibility
         run: |
           echo "=== PROCESS VISIBILITY ==="