1 Testing that zone masquerading is properly mapped to chains. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_zone1_flags.txt -- 21 0x1103 22 -- End -- 23 24 -- File fs/open~_sys_class_net_zone2_flags.txt -- 25 0x1103 26 -- End -- 27 28 -- File fs/open~_sys_class_net_zone3_flags.txt -- 29 0x1103 30 -- End -- 31 32 -- File uci/firewall.json -- 33 { 34 "zone": [ 35 { 36 ".description": "Setting masq to true should emit an IPv4 masquerading rule and inhibit default helper assignment", 37 "name": "test1", 38 "input": "ACCEPT", 39 "output": "ACCEPT", 40 "forward": "ACCEPT", 41 "device": "zone1", 42 "masq": "1" 43 }, 44 { 45 ".description": "Setting masq6 to true should emit an IPv6 masquerading rule and inhibit default helper assignment", 46 "name": "test2", 47 "input": "DROP", 48 "output": "DROP", 49 "forward": "DROP", 50 "device": "zone2", 51 "masq6": "1" 52 }, 53 { 54 ".description": "Setting both masq and masq6 should emit IPv4 and IPv6 masquerading and inhibit default helper assignment", 55 "name": "test3", 56 "input": "REJECT", 57 "output": "REJECT", 58 "forward": "REJECT", 59 "device": "zone3", 60 "masq": "1", 61 "masq6": "1" 62 } 63 ] 64 } 65 -- End -- 66 67 -- Expect stdout -- 68 table inet fw4 69 flush table inet fw4 70 71 table inet fw4 { 72 # 73 # Defines 74 # 75 76 define test1_devices = { "zone1" } 77 define test1_subnets = { } 78 79 define test2_devices = { "zone2" } 80 define test2_subnets = { } 81 82 define test3_devices = { "zone3" } 83 define test3_subnets = { } 84 85 86 # 87 # User includes 88 # 89 90 include "/etc/nftables.d/*.nft" 91 92 93 # 94 # Filter rules 95 # 96 97 chain input { 98 type filter hook input priority filter; policy drop; 99 100 iif "lo" accept comment "!fw4: Accept traffic from loopback" 101 102 
ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 103 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" 104 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" 105 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 106 } 107 108 chain forward { 109 type filter hook forward priority filter; policy drop; 110 111 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 112 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" 113 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" 114 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" 115 } 116 117 chain output { 118 type filter hook output priority filter; policy drop; 119 120 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 121 122 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 123 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" 124 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" 125 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" 126 } 127 128 chain prerouting { 129 type filter hook prerouting priority filter; policy accept; 130 } 131 132 chain handle_reject { 133 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 134 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 135 } 136 137 chain input_test1 { 138 jump accept_from_test1 139 } 140 141 chain output_test1 { 142 jump accept_to_test1 143 } 144 145 chain forward_test1 { 146 jump accept_to_test1 147 } 148 149 chain accept_from_test1 { 150 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 151 } 152 153 chain 
accept_to_test1 { 154 meta nfproto ipv4 oifname "zone1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage" 155 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 156 } 157 158 chain input_test2 { 159 jump drop_from_test2 160 } 161 162 chain output_test2 { 163 jump drop_to_test2 164 } 165 166 chain forward_test2 { 167 jump drop_to_test2 168 } 169 170 chain drop_from_test2 { 171 iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 172 } 173 174 chain drop_to_test2 { 175 oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 176 } 177 178 chain input_test3 { 179 jump reject_from_test3 180 } 181 182 chain output_test3 { 183 jump reject_to_test3 184 } 185 186 chain forward_test3 { 187 jump reject_to_test3 188 } 189 190 chain reject_from_test3 { 191 iifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic" 192 } 193 194 chain reject_to_test3 { 195 oifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic" 196 } 197 198 199 # 200 # NAT rules 201 # 202 203 chain dstnat { 204 type nat hook prerouting priority dstnat; policy accept; 205 } 206 207 chain srcnat { 208 type nat hook postrouting priority srcnat; policy accept; 209 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic" 210 oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic" 211 oifname "zone3" jump srcnat_test3 comment "!fw4: Handle test3 IPv4/IPv6 srcnat traffic" 212 } 213 214 chain srcnat_test1 { 215 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic" 216 } 217 218 chain srcnat_test2 { 219 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test2 traffic" 220 } 221 222 chain srcnat_test3 { 223 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test3 traffic" 224 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test3 traffic" 225 } 226 227 228 # 229 # 
Raw rules (notrack) 230 # 231 232 chain raw_prerouting { 233 type filter hook prerouting priority raw; policy accept; 234 } 235 236 chain raw_output { 237 type filter hook output priority raw; policy accept; 238 } 239 240 241 # 242 # Mangle rules 243 # 244 245 chain mangle_prerouting { 246 type filter hook prerouting priority mangle; policy accept; 247 } 248 249 chain mangle_postrouting { 250 type filter hook postrouting priority mangle; policy accept; 251 } 252 253 chain mangle_input { 254 type filter hook input priority mangle; policy accept; 255 } 256 257 chain mangle_output { 258 type route hook output priority mangle; policy accept; 259 } 260 261 chain mangle_forward { 262 type filter hook forward priority mangle; policy accept; 263 } 264 } 265 -- End --