1 Test that non-contiguous subnet masks are properly handled. Such masks need 2 to be translated into bitwise expressions which may not appear as part of 3 sets, so various permutations of rules need to be emitted. 4 5 -- Testcase -- 6 {% 7 include("./root/usr/share/firewall4/main.uc", { 8 getenv: function(varname) { 9 switch (varname) { 10 case 'ACTION': 11 return 'print'; 12 } 13 } 14 }) 15 %} 16 -- End -- 17 18 -- File uci/helpers.json -- 19 {} 20 -- End -- 21 22 -- File uci/firewall.json -- 23 { 24 "zone": [ 25 { 26 ".description": "IP addrs with non-contiguous masks should be translated to bitwise comparisons", 27 "name": "test1", 28 "subnet": [ 29 "::1/::ffff", 30 "!::2/::ffff" 31 ] 32 }, 33 34 { 35 ".description": "IP addrs with non-contiguous masks should not be part of sets", 36 "name": "test2", 37 "subnet": [ 38 "::1/::ffff", 39 "::2/::ffff", 40 "::3/128", 41 "::4/128", 42 "!::5/::ffff", 43 "!::6/::ffff", 44 "!::7/128", 45 "!::8/128" 46 ] 47 } 48 ] 49 } 50 -- End -- 51 52 -- Expect stdout -- 53 table inet fw4 54 flush table inet fw4 55 56 table inet fw4 { 57 # 58 # Defines 59 # 60 61 define test1_devices = { } 62 define test1_subnets = { } 63 64 define test2_devices = { } 65 define test2_subnets = { ::3, ::4 } 66 67 68 # 69 # User includes 70 # 71 72 include "/etc/nftables.d/*.nft" 73 74 75 # 76 # Filter rules 77 # 78 79 chain input { 80 type filter hook input priority filter; policy drop; 81 82 iif "lo" accept comment "!fw4: Accept traffic from loopback" 83 84 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 85 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic" 86 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" 87 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 
saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" 88 meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" 89 } 90 91 chain forward { 92 type filter hook forward priority filter; policy drop; 93 94 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 95 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic" 96 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" 97 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" 98 meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" 99 } 100 101 chain output { 102 type filter hook output priority filter; policy drop; 103 104 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 105 106 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 107 meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic" 108 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" 109 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" 110 
meta nfproto ipv6 ip6 daddr { ::3, ::4 } ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" 111 } 112 113 chain prerouting { 114 type filter hook prerouting priority filter; policy accept; 115 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: Handle test2 IPv6 helper assignment" 116 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: Handle test2 IPv6 helper assignment" 117 meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump helper_test2 comment "!fw4: Handle test2 IPv6 helper assignment" 118 } 119 120 chain handle_reject { 121 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 122 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 123 } 124 125 chain input_test1 { 126 jump drop_from_test1 127 } 128 129 chain output_test1 { 130 jump drop_to_test1 131 } 132 133 chain forward_test1 { 134 jump drop_to_test1 135 } 136 137 chain helper_test1 { 138 } 139 140 chain drop_from_test1 { 141 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 counter drop comment "!fw4: drop test1 IPv6 traffic" 142 } 143 144 chain drop_to_test1 { 145 meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter drop comment "!fw4: drop test1 IPv6 traffic" 146 } 147 148 chain input_test2 { 149 jump drop_from_test2 150 } 151 152 chain output_test2 { 153 jump drop_to_test2 154 } 155 156 chain forward_test2 { 157 jump drop_to_test2 158 } 159 160 chain helper_test2 { 161 } 162 163 chain drop_from_test2 { 164 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop 
comment "!fw4: drop test2 IPv6 traffic" 165 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 166 meta nfproto ipv6 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 167 } 168 169 chain drop_to_test2 { 170 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 171 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 172 meta nfproto ipv6 ip6 daddr { ::3, ::4 } ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 counter drop comment "!fw4: drop test2 IPv6 traffic" 173 } 174 175 176 # 177 # NAT rules 178 # 179 180 chain dstnat { 181 type nat hook prerouting priority dstnat; policy accept; 182 } 183 184 chain srcnat { 185 type nat hook postrouting priority srcnat; policy accept; 186 } 187 188 189 # 190 # Raw rules (notrack) 191 # 192 193 chain raw_prerouting { 194 type filter hook prerouting priority raw; policy accept; 195 } 196 197 chain raw_output { 198 type filter hook output priority raw; policy accept; 199 } 200 201 202 # 203 # Mangle rules 204 # 205 206 chain mangle_prerouting { 207 type filter hook prerouting priority mangle; policy accept; 208 } 209 210 chain mangle_postrouting { 211 type filter hook postrouting priority mangle; policy accept; 212 } 213 214 chain mangle_input { 215 type filter hook input priority mangle; policy accept; 216 } 217 218 chain mangle_output { 219 type route hook output priority mangle; policy accept; 220 } 221 222 chain mangle_forward { 223 type filter hook forward priority mangle; policy accept; 224 } 225 } 226 -- End --