1 Testing that zone policies are properly mapped to chains. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_zone1_flags.txt -- 21 0x1103 22 -- End -- 23 24 -- File fs/open~_sys_class_net_zone2_flags.txt -- 25 0x1103 26 -- End -- 27 28 -- File fs/open~_sys_class_net_zone3_flags.txt -- 29 0x1103 30 -- End -- 31 32 -- File uci/firewall.json -- 33 { 34 "zone": [ 35 { 36 ".description": "Zone accept policies should map to accept rules from/to covered interfaces", 37 "name": "test1", 38 "input": "ACCEPT", 39 "output": "ACCEPT", 40 "forward": "ACCEPT", 41 "device": "zone1" 42 }, 43 { 44 ".description": "Zone drop policies should map to drop rules from/to covered interfaces", 45 "name": "test2", 46 "input": "DROP", 47 "output": "DROP", 48 "forward": "DROP", 49 "device": "zone2" 50 }, 51 { 52 ".description": "Zone reject policies should map to reject rules from/to covered interfaces", 53 "name": "test3", 54 "input": "REJECT", 55 "output": "REJECT", 56 "forward": "REJECT", 57 "device": "zone3" 58 } 59 ] 60 } 61 -- End -- 62 63 -- Expect stdout -- 64 table inet fw4 65 flush table inet fw4 66 67 table inet fw4 { 68 # 69 # Defines 70 # 71 72 define test1_devices = { "zone1" } 73 define test1_subnets = { } 74 75 define test2_devices = { "zone2" } 76 define test2_subnets = { } 77 78 define test3_devices = { "zone3" } 79 define test3_subnets = { } 80 81 82 # 83 # User includes 84 # 85 86 include "/etc/nftables.d/*.nft" 87 88 89 # 90 # Filter rules 91 # 92 93 chain input { 94 type filter hook input priority filter; policy drop; 95 96 iif "lo" accept comment "!fw4: Accept traffic from loopback" 97 98 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 99 iifname "zone1" jump input_test1 comment "!fw4: Handle 
test1 IPv4/IPv6 input traffic" 100 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" 101 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 102 } 103 104 chain forward { 105 type filter hook forward priority filter; policy drop; 106 107 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 108 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" 109 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" 110 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" 111 } 112 113 chain output { 114 type filter hook output priority filter; policy drop; 115 116 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 117 118 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 119 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" 120 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" 121 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" 122 } 123 124 chain prerouting { 125 type filter hook prerouting priority filter; policy accept; 126 iifname "zone1" jump helper_test1 comment "!fw4: Handle test1 IPv4/IPv6 helper assignment" 127 iifname "zone2" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment" 128 iifname "zone3" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment" 129 } 130 131 chain handle_reject { 132 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 133 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 134 } 135 136 chain input_test1 { 137 jump accept_from_test1 138 } 139 140 chain output_test1 { 141 jump accept_to_test1 142 } 143 144 chain forward_test1 { 145 jump accept_to_test1 146 } 147 
148 chain helper_test1 { 149 } 150 151 chain accept_from_test1 { 152 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 153 } 154 155 chain accept_to_test1 { 156 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 157 } 158 159 chain input_test2 { 160 jump drop_from_test2 161 } 162 163 chain output_test2 { 164 jump drop_to_test2 165 } 166 167 chain forward_test2 { 168 jump drop_to_test2 169 } 170 171 chain helper_test2 { 172 } 173 174 chain drop_from_test2 { 175 iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 176 } 177 178 chain drop_to_test2 { 179 oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 180 } 181 182 chain input_test3 { 183 jump reject_from_test3 184 } 185 186 chain output_test3 { 187 jump reject_to_test3 188 } 189 190 chain forward_test3 { 191 jump reject_to_test3 192 } 193 194 chain helper_test3 { 195 } 196 197 chain reject_from_test3 { 198 iifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic" 199 } 200 201 chain reject_to_test3 { 202 oifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic" 203 } 204 205 206 # 207 # NAT rules 208 # 209 210 chain dstnat { 211 type nat hook prerouting priority dstnat; policy accept; 212 } 213 214 chain srcnat { 215 type nat hook postrouting priority srcnat; policy accept; 216 } 217 218 219 # 220 # Raw rules (notrack) 221 # 222 223 chain raw_prerouting { 224 type filter hook prerouting priority raw; policy accept; 225 } 226 227 chain raw_output { 228 type filter hook output priority raw; policy accept; 229 } 230 231 232 # 233 # Mangle rules 234 # 235 236 chain mangle_prerouting { 237 type filter hook prerouting priority mangle; policy accept; 238 } 239 240 chain mangle_postrouting { 241 type filter hook postrouting priority mangle; policy accept; 242 } 243 244 chain mangle_input { 245 type filter hook input priority mangle; policy accept; 246 } 247 248 
chain mangle_output { 249 type route hook output priority mangle; policy accept; 250 } 251 252 chain mangle_forward { 253 type filter hook forward priority mangle; policy accept; 254 } 255 } 256 -- End --