1 Test that wildcard devices are properly handled. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_never_flags.txt -- 21 0x0 22 -- End -- 23 24 -- File fs/open~_sys_class_net_test_flags.txt -- 25 0x0 26 -- End -- 27 28 -- File fs/open~_sys_class_net_foo_flags.txt -- 29 0x0 30 -- End -- 31 32 -- File fs/open~_sys_class_net_bar_flags.txt -- 33 0x0 34 -- End -- 35 36 -- File fs/open~_sys_class_net_baz_flags.txt -- 37 0x0 38 -- End -- 39 40 -- File fs/open~_sys_class_net_qrx_flags.txt -- 41 0x0 42 -- End -- 43 44 -- File fs/open~_sys_class_net_test1_flags.txt -- 45 0x1103 46 -- End -- 47 48 -- File fs/open~_sys_class_net_test2_flags.txt -- 49 0x1103 50 -- End -- 51 52 -- File uci/firewall.json -- 53 { 54 "zone": [ 55 { 56 ".description": "A '+' device match should translate to no ifname match at all", 57 "name": "test1", 58 "device": [ "+" ] 59 }, 60 { 61 ".description": "An inverted '+' device match should result in a match that always fails", 62 "name": "test2", 63 "device": [ "!+" ] 64 }, 65 { 66 ".description": "A 'name+' device match should translate to an nft wildcard pattern", 67 "name": "test3", 68 "device": [ "test+" ] 69 }, 70 { 71 ".description": "Wildcard matches must not be grouped into sets", 72 "name": "test4", 73 "device": [ "foo+", "bar+", "test1", "test2" ] 74 }, 75 { 76 ".description": "Multiple inverted wildcard matches may be grouped into one rule", 77 "name": "test5", 78 "device": [ "foo+", "bar+", "!baz+", "!qrx+", "test1", "test2", "!test3", "!test4" ] 79 } 80 ] 81 } 82 -- End -- 83 84 -- Expect stdout -- 85 table inet fw4 86 flush table inet fw4 87 88 table inet fw4 { 89 # 90 # Defines 91 # 92 93 define test1_devices = { "+" } 94 define test1_subnets = { } 95 96 define test2_devices = { "/never/" } 97 define 
test2_subnets = { } 98 99 define test3_devices = { "test*" } 100 define test3_subnets = { } 101 102 define test4_devices = { "foo*", "bar*", "test1", "test2" } 103 define test4_subnets = { } 104 105 define test5_devices = { "foo*", "bar*", "test1", "test2" } 106 define test5_subnets = { } 107 108 109 # 110 # User includes 111 # 112 113 include "/etc/nftables.d/*.nft" 114 115 116 # 117 # Filter rules 118 # 119 120 chain input { 121 type filter hook input priority filter; policy drop; 122 123 iif "lo" accept comment "!fw4: Accept traffic from loopback" 124 125 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 126 jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" 127 iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" 128 iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 129 iifname "foo*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic" 130 iifname "bar*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic" 131 iifname { "test1", "test2" } jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic" 132 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic" 133 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic" 134 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic" 135 } 136 137 chain forward { 138 type filter hook forward priority filter; policy drop; 139 140 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 141 jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" 142 iifname "/never/" jump forward_test2 
comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" 143 iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" 144 iifname "foo*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic" 145 iifname "bar*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic" 146 iifname { "test1", "test2" } jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic" 147 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic" 148 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic" 149 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic" 150 } 151 152 chain output { 153 type filter hook output priority filter; policy drop; 154 155 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 156 157 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 158 jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" 159 oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" 160 oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" 161 oifname "foo*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic" 162 oifname "bar*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic" 163 oifname { "test1", "test2" } jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic" 164 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic" 165 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" 
jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic" 166 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic" 167 } 168 169 chain prerouting { 170 type filter hook prerouting priority filter; policy accept; 171 iifname "/never/" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment" 172 iifname "test*" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment" 173 iifname "foo*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment" 174 iifname "bar*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment" 175 iifname { "test1", "test2" } jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment" 176 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment" 177 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment" 178 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment" 179 } 180 181 chain handle_reject { 182 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 183 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 184 } 185 186 chain input_test1 { 187 jump drop_from_test1 188 } 189 190 chain output_test1 { 191 jump drop_to_test1 192 } 193 194 chain forward_test1 { 195 jump drop_to_test1 196 } 197 198 chain helper_test1 { 199 } 200 201 chain drop_from_test1 { 202 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic" 203 } 204 205 chain drop_to_test1 { 206 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic" 207 } 208 209 chain input_test2 { 210 jump drop_from_test2 
211 } 212 213 chain output_test2 { 214 jump drop_to_test2 215 } 216 217 chain forward_test2 { 218 jump drop_to_test2 219 } 220 221 chain helper_test2 { 222 } 223 224 chain drop_from_test2 { 225 iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 226 } 227 228 chain drop_to_test2 { 229 oifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic" 230 } 231 232 chain input_test3 { 233 jump drop_from_test3 234 } 235 236 chain output_test3 { 237 jump drop_to_test3 238 } 239 240 chain forward_test3 { 241 jump drop_to_test3 242 } 243 244 chain helper_test3 { 245 } 246 247 chain drop_from_test3 { 248 iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic" 249 } 250 251 chain drop_to_test3 { 252 oifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic" 253 } 254 255 chain input_test4 { 256 jump drop_from_test4 257 } 258 259 chain output_test4 { 260 jump drop_to_test4 261 } 262 263 chain forward_test4 { 264 jump drop_to_test4 265 } 266 267 chain helper_test4 { 268 } 269 270 chain drop_from_test4 { 271 iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 272 iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 273 iifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 274 } 275 276 chain drop_to_test4 { 277 oifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 278 oifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 279 oifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic" 280 } 281 282 chain input_test5 { 283 jump drop_from_test5 284 } 285 286 chain output_test5 { 287 jump drop_to_test5 288 } 289 290 chain forward_test5 { 291 jump drop_to_test5 292 } 293 294 chain helper_test5 { 295 } 296 297 chain drop_from_test5 { 298 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 299 
iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 300 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 301 } 302 303 chain drop_to_test5 { 304 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 305 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 306 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic" 307 } 308 309 310 # 311 # NAT rules 312 # 313 314 chain dstnat { 315 type nat hook prerouting priority dstnat; policy accept; 316 } 317 318 chain srcnat { 319 type nat hook postrouting priority srcnat; policy accept; 320 } 321 322 323 # 324 # Raw rules (notrack) 325 # 326 327 chain raw_prerouting { 328 type filter hook prerouting priority raw; policy accept; 329 } 330 331 chain raw_output { 332 type filter hook output priority raw; policy accept; 333 } 334 335 336 # 337 # Mangle rules 338 # 339 340 chain mangle_prerouting { 341 type filter hook prerouting priority mangle; policy accept; 342 } 343 344 chain mangle_postrouting { 345 type filter hook postrouting priority mangle; policy accept; 346 } 347 348 chain mangle_input { 349 type filter hook input priority mangle; policy accept; 350 } 351 352 chain mangle_output { 353 type route hook output priority mangle; policy accept; 354 } 355 356 chain mangle_forward { 357 type filter hook forward priority mangle; policy accept; 358 } 359 } 360 -- End --