openshift · shreyasbe · May 8, 2026 · May 9, 2026 · May 10, 2026 · May 14, 2026
diff --git a/test/extended/networking/egress_firewall.go b/test/extended/networking/egress_firewall.go
@@ -156,11 +156,32 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 		out, err := oc.Run("exec").Args(pod, "--", "ping", "-c", "1", "1.1.1.1").Output()
 		expectError(err, "ping to 1.1.1.1 should fail: %s", out)
 	}
+
+	//Shreyas(S) ================================================================
 	// Test curl to redhat.com should pass
 	// because we have allow dns rule for redhat.com
-	g.By("sending traffic that matches allow dns rule")
-	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://redhat.com").Output()
-	expectNoError(err)
+	g.By("Shreyas- sending traffic that matches allow dns rule")
+
+	// First, try to resolve DNS to see what IP would be used
+	e2e.Logf("Shreyas- Resolving redhat.com DNS...")
+	dnsOutRedhat, dnsErrRedhat := oc.Run("exec").Args(pod, "--", "nslookup", "redhat.com").Output()
+	if dnsErrRedhat == nil {
+		e2e.Logf("Shreyas- DNS Resolution for redhat.com:\n%s", dnsOutRedhat)
+	} else {
+		e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrRedhat, dnsOutRedhat)
+	}
+
+	// Try curl with verbose output to see connection details and IP address
+	e2e.Logf("Shreyas- Attempting curl to redhat.com (expected to succeed)...")
+	outRedhat, errRedhat := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://redhat.com").Output()
+	e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outRedhat)
+
+	// Also try to get the resolved IP using curl's --write-out option
+	ipOutRedhat, ipErrRedhat := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://redhat.com").Output()
+	e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutRedhat, ipErrRedhat)
+
+	expectNoError(errRedhat)
+	//Shreyas(E) ================================================================
 
 	// Test curl to amazon.com should pass
 	// because we have allow dns rule for amazon.com
@@ -180,11 +201,38 @@ func sendEgressFwTraffic(f *e2e.Framework, mgmtFw *e2e.Framework, oc *exutil.CLI
 		expectNoError(err)
 	}
 
+	//Shreyas(S) ================================================================
 	// Test curl to www.redhat.com should fail
 	// because we don't have allow dns rule for www.redhat.com
-	g.By("sending traffic that does not match allow dns rule")
-	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.redhat.com").Output()
+	g.By("Shreyas- sending traffic that does not match allow dns rule for www.redhat.com")
+
+	// First, try to resolve DNS to see what IP would be used
+	e2e.Logf("Shreyas- Resolving www.redhat.com DNS...")
+	dnsOutWww, dnsErrWww := oc.Run("exec").Args(pod, "--", "nslookup", "www.redhat.com").Output()
+	if dnsErrWww == nil {
+		e2e.Logf("Shreyas- DNS Resolution for www.redhat.com:\n%s", dnsOutWww)
+	} else {
+		e2e.Logf("Shreyas- DNS Resolution failed: %v\nOutput: %s", dnsErrWww, dnsOutWww)
+	}
+
+	// Try curl with verbose output to see connection details and IP address
+	e2e.Logf("Shreyas- Attempting curl to www.redhat.com (expected to fail)...")
+	outWww, errWww := oc.Run("exec").Args(pod, "--", "curl", "-v", "-I", "-m5", "--connect-timeout", "5", "https://www.redhat.com").Output()
+	e2e.Logf("Shreyas- Curl output (stdout+stderr):\n%s", outWww)
+
+	// Also try to get the resolved IP using curl's --write-out option
+	ipOutWww, ipErrWww := oc.Run("exec").Args(pod, "--", "curl", "-s", "-o", "/dev/null", "-w", "Remote IP: %{remote_ip}\\nHTTP Code: %{http_code}\\n", "-m5", "https://www.redhat.com").Output()
+	e2e.Logf("Shreyas- Curl IP info: %s (error: %v)", ipOutWww, ipErrWww)
+	// One Line Added for Debugging
+	// www.redhat.com not in allow list, connection should fail
+	expectError(errWww)
+
+	// Test curl to www.apple.com should fail
+	// because we don't have allow dns rule for www.apple.com
+	g.By("Shreyas- sending traffic that does not match allow dns rule for www.apple.com")
+	_, err = oc.Run("exec").Args(pod, "--", "curl", "-q", "-s", "-I", "-m5", "https://www.apple.com").Output()
 	expectError(err)
+	//Shreyas(E) ================================================================
 
 	if nodeSelectorSupport {
 		// Access to control plane nodes should work

diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-test.yaml
@@ -24,6 +24,9 @@ spec:
       nodeSelector:
         matchLabels:
           node-role.kubernetes.io/control-plane: ''
-  - type: Deny
+  - type: Deny        # IPv4 default deny-all
     to:
       cidrSelector: 0.0.0.0/0
+  - type: Deny        # IPv6 default deny-all
+    to:
+      cidrSelector: ::/0
diff --git a/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml b/test/extended/testdata/egress-firewall/ovnk-egressfirewall-wildcard-test.yaml
@@ -21,6 +21,9 @@ spec:
       nodeSelector:
         matchLabels:
           node-role.kubernetes.io/control-plane: ''
-  - type: Deny
+  - type: Deny        # IPv4 default deny-all
     to:
       cidrSelector: 0.0.0.0/0
+  - type: Deny        # IPv6 default deny-all
+    to:
+      cidrSelector: ::/0