1 Test that the zone family is honoured regardless of whether subnets are 2 specified or not. 3 4 -- Testcase -- 5 {% 6 include("./root/usr/share/firewall4/main.uc", { 7 getenv: function(varname) { 8 switch (varname) { 9 case 'ACTION': 10 return 'print'; 11 } 12 } 13 }) 14 %} 15 -- End -- 16 17 -- File uci/helpers.json -- 18 { 19 "helper" : [ 20 { 21 "description" : "An example IPv4-only conntrack helper", 22 "family" : "ipv4", 23 "module" : "nf_conntrack_dummy", 24 "name" : "test", 25 "port" : 1234, 26 "proto" : "tcp" 27 } 28 ] 29 } 30 -- End -- 31 32 -- File uci/firewall.json -- 33 { 34 "zone": [ 35 { 36 ".description": "Family any with IPv4 subnet should emit only IPv4 rules", 37 "name": "test1", 38 "family": "any", 39 "subnet": [ "10.0.0.0/8" ], 40 "auto_helper": 0 41 }, 42 43 { 44 ".description": "Family any with IPv6 subnet should emit only IPv6 rules", 45 "name": "test2", 46 "family": "any", 47 "subnet": [ "2001:db8:1234::1/64" ], 48 "auto_helper": 0 49 }, 50 51 { 52 ".description": "Family IPv6 with IPv6 subnet should emit only IPv6 rules", 53 "name": "test3", 54 "family": "ipv6", 55 "subnet": [ "2001:db8:1234::1/64" ], 56 "auto_helper": 0 57 }, 58 59 { 60 ".description": "Family IPv6 with IPv6 subnet should emit only IPv6 rules; NOTE: this case was meant to cover an IPv6 zone with an IPv4 subnet (which should emit no rules), but the subnet given is IPv6, so that case is not exercised here and the expected output below matches test3", 61 "name": "test4", 62 "family": "ipv6", 63 "subnet": [ "2001:db8:1234::1/64" ], 64 "auto_helper": 0 65 }, 66 67 { 68 ".description": "Family IPv6 with no subnets should emit only IPv6 rules", 69 "name": "test5", 70 "family": "ipv6", 71 "device": [ "eth0" ], 72 "auto_helper": 0 73 }, 74 75 { 76 ".description": "Family restrictions of associated ct helpers should not influence zone family selection", 77 "name": "test6", 78 "family": "any", 79 "device": [ "br-lan" ], 80 "helper": [ "test" ] 81 } 82 ] 83 } 84 -- End -- 85 86 -- Expect stdout -- 87 table inet fw4 88 flush table inet fw4 89 90 table inet fw4 { 91 # 92 # CT helper definitions 93 # 94 95 ct helper test { 96 type "test" protocol tcp; 97 } 98 99 100 # 101 # Defines 102 # 103 104 
define test1_devices = { } 105 define test1_subnets = { 10.0.0.0/8 } 106 107 define test2_devices = { } 108 define test2_subnets = { 2001:db8:1234::/64 } 109 110 define test3_devices = { } 111 define test3_subnets = { 2001:db8:1234::/64 } 112 113 define test4_devices = { } 114 define test4_subnets = { 2001:db8:1234::/64 } 115 116 define test5_devices = { "eth0" } 117 define test5_subnets = { } 118 119 define test6_devices = { "br-lan" } 120 define test6_subnets = { } 121 122 123 # 124 # User includes 125 # 126 127 include "/etc/nftables.d/*.nft" 128 129 130 # 131 # Filter rules 132 # 133 134 chain input { 135 type filter hook input priority filter; policy drop; 136 137 iif "lo" accept comment "!fw4: Accept traffic from loopback" 138 139 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 140 meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic" 141 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" 142 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" 143 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test4 comment "!fw4: Handle test4 IPv6 input traffic" 144 meta nfproto ipv6 iifname "eth0" jump input_test5 comment "!fw4: Handle test5 IPv6 input traffic" 145 iifname "br-lan" jump input_test6 comment "!fw4: Handle test6 IPv4/IPv6 input traffic" 146 } 147 148 chain forward { 149 type filter hook forward priority filter; policy drop; 150 151 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 152 meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic" 153 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" 154 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: 
Handle test3 IPv6 forward traffic" 155 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test4 comment "!fw4: Handle test4 IPv6 forward traffic" 156 meta nfproto ipv6 iifname "eth0" jump forward_test5 comment "!fw4: Handle test5 IPv6 forward traffic" 157 iifname "br-lan" jump forward_test6 comment "!fw4: Handle test6 IPv4/IPv6 forward traffic" 158 } 159 160 chain output { 161 type filter hook output priority filter; policy drop; 162 163 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 164 165 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 166 meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic" 167 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" 168 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" 169 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test4 comment "!fw4: Handle test4 IPv6 output traffic" 170 meta nfproto ipv6 oifname "eth0" jump output_test5 comment "!fw4: Handle test5 IPv6 output traffic" 171 oifname "br-lan" jump output_test6 comment "!fw4: Handle test6 IPv4/IPv6 output traffic" 172 } 173 174 chain prerouting { 175 type filter hook prerouting priority filter; policy accept; 176 iifname "br-lan" jump helper_test6 comment "!fw4: Handle test6 IPv4/IPv6 helper assignment" 177 } 178 179 chain handle_reject { 180 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 181 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 182 } 183 184 chain input_test1 { 185 jump drop_from_test1 186 } 187 188 chain output_test1 { 189 jump drop_to_test1 190 } 191 192 chain forward_test1 { 193 jump drop_to_test1 194 } 195 196 chain drop_from_test1 { 197 meta nfproto ipv4 ip saddr 10.0.0.0/8 counter drop comment "!fw4: drop test1 IPv4 traffic" 198 } 199 200 chain 
drop_to_test1 { 201 meta nfproto ipv4 ip daddr 10.0.0.0/8 counter drop comment "!fw4: drop test1 IPv4 traffic" 202 } 203 204 chain input_test2 { 205 jump drop_from_test2 206 } 207 208 chain output_test2 { 209 jump drop_to_test2 210 } 211 212 chain forward_test2 { 213 jump drop_to_test2 214 } 215 216 chain drop_from_test2 { 217 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test2 IPv6 traffic" 218 } 219 220 chain drop_to_test2 { 221 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test2 IPv6 traffic" 222 } 223 224 chain input_test3 { 225 jump drop_from_test3 226 } 227 228 chain output_test3 { 229 jump drop_to_test3 230 } 231 232 chain forward_test3 { 233 jump drop_to_test3 234 } 235 236 chain drop_from_test3 { 237 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test3 IPv6 traffic" 238 } 239 240 chain drop_to_test3 { 241 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test3 IPv6 traffic" 242 } 243 244 chain input_test4 { 245 jump drop_from_test4 246 } 247 248 chain output_test4 { 249 jump drop_to_test4 250 } 251 252 chain forward_test4 { 253 jump drop_to_test4 254 } 255 256 chain drop_from_test4 { 257 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test4 IPv6 traffic" 258 } 259 260 chain drop_to_test4 { 261 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 counter drop comment "!fw4: drop test4 IPv6 traffic" 262 } 263 264 chain input_test5 { 265 jump drop_from_test5 266 } 267 268 chain output_test5 { 269 jump drop_to_test5 270 } 271 272 chain forward_test5 { 273 jump drop_to_test5 274 } 275 276 chain drop_from_test5 { 277 meta nfproto ipv6 iifname "eth0" counter drop comment "!fw4: drop test5 IPv6 traffic" 278 } 279 280 chain drop_to_test5 { 281 meta nfproto ipv6 oifname "eth0" counter drop comment "!fw4: drop test5 IPv6 traffic" 282 } 283 284 chain input_test6 { 285 jump drop_from_test6 286 } 287 288 chain 
output_test6 { 289 jump drop_to_test6 290 } 291 292 chain forward_test6 { 293 jump drop_to_test6 294 } 295 296 chain helper_test6 { 297 meta nfproto ipv4 meta l4proto tcp tcp dport 1234 ct helper set "test" comment "!fw4: An example IPv4-only conntrack helper" 298 } 299 300 chain drop_from_test6 { 301 iifname "br-lan" counter drop comment "!fw4: drop test6 IPv4/IPv6 traffic" 302 } 303 304 chain drop_to_test6 { 305 oifname "br-lan" counter drop comment "!fw4: drop test6 IPv4/IPv6 traffic" 306 } 307 308 309 # 310 # NAT rules 311 # 312 313 chain dstnat { 314 type nat hook prerouting priority dstnat; policy accept; 315 } 316 317 chain srcnat { 318 type nat hook postrouting priority srcnat; policy accept; 319 } 320 321 322 # 323 # Raw rules (notrack) 324 # 325 326 chain raw_prerouting { 327 type filter hook prerouting priority raw; policy accept; 328 } 329 330 chain raw_output { 331 type filter hook output priority raw; policy accept; 332 } 333 334 335 # 336 # Mangle rules 337 # 338 339 chain mangle_prerouting { 340 type filter hook prerouting priority mangle; policy accept; 341 } 342 343 chain mangle_postrouting { 344 type filter hook postrouting priority mangle; policy accept; 345 } 346 347 chain mangle_input { 348 type filter hook input priority mangle; policy accept; 349 } 350 351 chain mangle_output { 352 type route hook output priority mangle; policy accept; 353 } 354 355 chain mangle_forward { 356 type filter hook forward priority mangle; policy accept; 357 } 358 } 359 -- End --