Testing that `config rule` rules are rendered before `config forwarding` ones
and that rules are rendered in the order they're declared.

-- Testcase --
{%
	// Render the ruleset (ACTION=print) with every helper call traced to
	// stderr, so the "Expect stderr" block below can pin the exact calls made.
	// The point under test is visible in chain forward_lan of the expected
	// output: both "Deny rule" entries come before the forwarding accept, in
	// declaration order, so the drops cannot be shadowed by the accept.
	include("./root/usr/share/firewall4/main.uc", {
		TRACE_CALLS: "stderr",

		// Stub environment: only ACTION is answered; any other variable name
		// falls through the switch without a return value.
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			"name": "lan",
			"network": "lan",
			"auto_helper": 0
		},
		{
			"name": "wan",
			"network": "wan",
			"auto_helper": 0
		}
	],
	"forwarding": [
		{
			"src": "lan",
			"dest": "wan"
		}
	],
	"rule": [
		{
			"name": "Deny rule #1",
			"proto": "any",
			"src": "lan",
			"dest": "wan",
			"src_ip": [ "192.168.1.2" ],
			"target": "drop"
		},
		{
			"name": "Deny rule #2",
			"proto": "icmp",
			"src": "lan",
			"dest": "wan",
			"src_ip": [ "192.168.1.3" ],
			"target": "drop"
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define lan_devices = { "br-lan" }
	define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }

	define wan_devices = { "pppoe-wan" }
	define wan_subnets = { 10.11.12.0/24 }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_lan {
		jump drop_from_lan
	}

	chain output_lan {
		jump drop_to_lan
	}

	chain forward_lan {
		ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
		meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump drop_to_lan
	}

	chain drop_from_lan {
		iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain drop_to_lan {
		oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		jump drop_from_wan
	}

	chain output_wan {
		jump drop_to_wan
	}

	chain forward_wan {
		jump drop_to_wan
	}

	chain accept_to_wan {
		oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain drop_from_wan {
		iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain drop_to_wan {
		oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --

-- Expect stderr --
[call] ctx.call object <network.interface> method <dump> args <null>
[call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
[call] fs.open path </proc/version> mode <r>
[call] fs.glob pattern </usr/share/nftables.d/ruleset-pre/*.nft>
[call] fs.glob pattern </usr/share/nftables.d/ruleset-post/*.nft>
[call] fs.glob pattern </usr/share/nftables.d/table-pre/*.nft>
[call] fs.glob pattern </usr/share/nftables.d/table-post/*.nft>
[call] fs.lsdir path </usr/share/nftables.d/chain-pre>
[call] fs.lsdir path </usr/share/nftables.d/chain-post>
[call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>
-- End --