Testing that dropping of invalid conntrack state traffic can be inhibited.

-- Testcase --
{%
	// Drive main.uc in "print" mode: the generated ruleset is written to
	// stdout and compared against the "Expect stdout" section below.
	// The only environment variable answered is ACTION; any other name
	// yields no value.
	//
	// The expected ruleset intentionally carries no "ct state invalid drop"
	// rule in the input/forward/output chains: zone test1 sets
	// masq_allow_invalid, which is exactly what this testcase checks.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			if (varname == 'ACTION')
				return 'print';
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File fs/open~_sys_class_net_zone1_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_zone2_flags.txt --
0x1103
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			".description": "No ct state invalid drop rule should be generated",
			"name": "test1",
			"input": "ACCEPT",
			"output": "ACCEPT",
			"forward": "ACCEPT",
			"device": "zone1",
			"masq": "1",
			"masq_allow_invalid": 1
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define test1_devices = { "zone1" }
	define test1_subnets = { }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_test1 {
		jump accept_from_test1
	}

	chain output_test1 {
		jump accept_to_test1
	}

	chain forward_test1 {
		jump accept_to_test1
	}

	chain accept_from_test1 {
		iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
	}

	chain accept_to_test1 {
		oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_test1 {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --