1 Testing that zone masquerading source and destination restrictions are properly applied. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_zone1_flags.txt -- 21 0x1103 22 -- End -- 23 24 -- File fs/open~_sys_class_net_zone2_flags.txt -- 25 0x1103 26 -- End -- 27 28 -- File uci/firewall.json -- 29 { 30 "zone": [ 31 { 32 ".description": "Positive and negative entries should be handled properly and IPv6 addresses should be filtered out for IPv4 masquerading", 33 "name": "test1", 34 "input": "ACCEPT", 35 "output": "ACCEPT", 36 "forward": "ACCEPT", 37 "device": "zone1", 38 "masq": "1", 39 "masq_src": [ 40 "10.1.0.0/24", 41 "10.1.1.1", 42 "!10.1.0.1", 43 "!10.1.0.2", 44 "2001:db8:0:1::/64", 45 "2001:db8:0:2::/64", 46 "!2001:db8:0:1::1", 47 "!2001:db8:0:1::2" 48 ], 49 "masq_dest": [ 50 "10.2.0.0/24", 51 "10.2.1.1", 52 "!10.2.0.1", 53 "!10.2.0.2", 54 "2001:db8:1:1::/64", 55 "2001:db8:1:2::/64", 56 "!2001:db8:1:1::1", 57 "!2001:db8:1:1::2" 58 ] 59 }, 60 { 61 ".description": "Positive and negative entries should be handled properly and IPv4 addresses should be filtered out for IPv6 masquerading", 62 "name": "test2", 63 "input": "DROP", 64 "output": "DROP", 65 "forward": "DROP", 66 "device": "zone2", 67 "masq6": "1", 68 "masq_src": [ 69 "10.1.0.0/24", 70 "10.1.1.1", 71 "!10.1.0.1", 72 "!10.1.0.2", 73 "2001:db8:0:1::/64", 74 "2001:db8:0:2::/64", 75 "!2001:db8:0:1::1", 76 "!2001:db8:0:1::2" 77 ], 78 "masq_dest": [ 79 "10.2.0.0/24", 80 "10.2.1.1", 81 "!10.2.0.1", 82 "!10.2.0.2", 83 "2001:db8:1:1::/64", 84 "2001:db8:1:2::/64", 85 "!2001:db8:1:1::1", 86 "!2001:db8:1:1::2" 87 ] 88 } 89 ] 90 } 91 -- End -- 92 93 -- Expect stdout -- 94 table inet fw4 95 flush table inet fw4 96 97 table inet fw4 { 98 # 99 # Defines 100 # 101 102 define 
test1_devices = { "zone1" } 103 define test1_subnets = { } 104 105 define test2_devices = { "zone2" } 106 define test2_subnets = { } 107 108 109 # 110 # User includes 111 # 112 113 include "/etc/nftables.d/*.nft" 114 115 116 # 117 # Filter rules 118 # 119 120 chain input { 121 type filter hook input priority filter; policy drop; 122 123 iif "lo" accept comment "!fw4: Accept traffic from loopback" 124 125 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 126 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" 127 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" 128 } 129 130 chain forward { 131 type filter hook forward priority filter; policy drop; 132 133 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 134 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" 135 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" 136 } 137 138 chain output { 139 type filter hook output priority filter; policy drop; 140 141 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 142 143 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 144 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" 145 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" 146 } 147 148 chain prerouting { 149 type filter hook prerouting priority filter; policy accept; 150 } 151 152 chain handle_reject { 153 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 154 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 155 } 156 157 chain input_test1 { 158 jump accept_from_test1 159 } 160 161 chain output_test1 { 162 jump accept_to_test1 163 } 164 165 chain forward_test1 { 166 jump accept_to_test1 167 } 168 
169 chain accept_from_test1 { 170 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 171 } 172 173 chain accept_to_test1 { 174 meta nfproto ipv4 oifname "zone1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage" 175 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic" 176 } 177 178 chain input_test2 { 179 jump drop_from_test2 180 } 181 182 chain output_test2 { 183 jump drop_to_test2 184 } 185 186 chain forward_test2 { 187 jump drop_to_test2 188 } 189 190 chain drop_from_test2 { 191 iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 192 } 193 194 chain drop_to_test2 { 195 oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 196 } 197 198 199 # 200 # NAT rules 201 # 202 203 chain dstnat { 204 type nat hook prerouting priority dstnat; policy accept; 205 } 206 207 chain srcnat { 208 type nat hook postrouting priority srcnat; policy accept; 209 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic" 210 oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic" 211 } 212 213 chain srcnat_test1 { 214 meta nfproto ipv4 ip saddr { 10.1.0.0/24, 10.1.1.1 } ip saddr != { 10.1.0.1, 10.1.0.2 } ip daddr { 10.2.0.0/24, 10.2.1.1 } ip daddr != { 10.2.0.1, 10.2.0.2 } masquerade comment "!fw4: Masquerade IPv4 test1 traffic" 215 } 216 217 chain srcnat_test2 { 218 meta nfproto ipv6 ip6 saddr { 2001:db8:0:1::/64, 2001:db8:0:2::/64 } ip6 saddr != { 2001:db8:0:1::1, 2001:db8:0:1::2 } ip6 daddr { 2001:db8:1:1::/64, 2001:db8:1:2::/64 } ip6 daddr != { 2001:db8:1:1::1, 2001:db8:1:1::2 } masquerade comment "!fw4: Masquerade IPv6 test2 traffic" 219 } 220 221 222 # 223 # Raw rules (notrack) 224 # 225 226 chain raw_prerouting { 227 type filter hook prerouting priority raw; policy accept; 228 } 229 230 chain raw_output { 231 type filter hook output priority raw; policy accept; 232 } 233 234 235 # 236 # Mangle rules 237 # 238 239 
chain mangle_prerouting { 240 type filter hook prerouting priority mangle; policy accept; 241 } 242 243 chain mangle_postrouting { 244 type filter hook postrouting priority mangle; policy accept; 245 } 246 247 chain mangle_input { 248 type filter hook input priority mangle; policy accept; 249 } 250 251 chain mangle_output { 252 type route hook output priority mangle; policy accept; 253 } 254 255 chain mangle_forward { 256 type filter hook forward priority mangle; policy accept; 257 } 258 } 259 -- End --