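Testing zone helper assignments

-- Testcase --
{%
	// Run main.uc with a stubbed environment: ACTION=print makes it render
	// the generated ruleset to stdout (compared against "Expect stdout"
	// below); every other environment variable is left undefined.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File fs/open~_sys_class_net_zone1_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_zone2_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_zone3_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_zone4_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_zone5_flags.txt --
0x1103
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			".description": "Setting masq to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
			"name": "test1",
			"device": "zone1",
			"masq": "1",
			"helper": [ "tftp" ]
		},
		{
			".description": "Setting masq6 to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
			"name": "test2",
			"device": "zone2",
			"masq6": "1",
			"helper": [ "tftp" ]
		},
		{
			".description": "Disabling both masq and masq6 for a zone with a helper should emit a helper chain for the zone with the configured helper",
			"name": "test3",
			"device": "zone3",
			"masq": "0",
			"masq6": "0",
			"helper": [ "tftp" ]
		},
		{
			".description": "Disabling both masq and masq6 for a zone without a helper should configure default helper assignment",
			"name": "test4",
			"device": "zone4",
			"masq": "0",
			"masq6": "0",
		},
		{
			".description": "Specifying an invalid helper should write a warning to stderr",
			"name": "test5",
			"device": "zone5",
			"masq": "0",
			"masq6": "0",
			"helper": [ "foo" ]
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# CT helper definitions
	#

	ct helper amanda {
		type "amanda" protocol udp;
	}

	ct helper ftp {
		type "ftp" protocol tcp;
	}

	ct helper RAS {
		type "RAS" protocol udp;
	}

	ct helper Q.931 {
		type "Q.931" protocol tcp;
	}

	ct helper irc {
		type "irc" protocol tcp;
	}

	ct helper netbios-ns {
		type "netbios-ns" protocol udp;
	}

	ct helper pptp {
		type "pptp" protocol tcp;
	}

	ct helper sane {
		type "sane" protocol tcp;
	}

	ct helper sip {
		type "sip" protocol udp;
	}

	ct helper snmp {
		type "snmp" protocol udp;
	}

	ct helper tftp {
		type "tftp" protocol udp;
	}

	ct helper rtsp {
		type "rtsp" protocol tcp;
	}


	#
	# Defines
	#

	define test1_devices = { "zone1" }
	define test1_subnets = { }

	define test2_devices = { "zone2" }
	define test2_subnets = { }

	define test3_devices = { "zone3" }
	define test3_subnets = { }

	define test4_devices = { "zone4" }
	define test4_subnets = { }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
		iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
		iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
		iifname "zone4" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
		iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
		iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
		iifname "zone4" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
		oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
		oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
		oifname "zone4" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "zone1" jump helper_test1 comment "!fw4: Handle test1 IPv4/IPv6 helper assignment"
		iifname "zone2" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment"
		iifname "zone3" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment"
		iifname "zone4" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_test1 {
		jump drop_from_test1
	}

	chain output_test1 {
		jump drop_to_test1
	}

	chain forward_test1 {
		jump drop_to_test1
	}

	chain helper_test1 {
		meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain drop_from_test1 {
		iifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
	}

	chain drop_to_test1 {
		oifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
	}

	chain input_test2 {
		jump drop_from_test2
	}

	chain output_test2 {
		jump drop_to_test2
	}

	chain forward_test2 {
		jump drop_to_test2
	}

	chain helper_test2 {
		meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain drop_from_test2 {
		iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
	}

	chain drop_to_test2 {
		oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
	}

	chain input_test3 {
		jump drop_from_test3
	}

	chain output_test3 {
		jump drop_to_test3
	}

	chain forward_test3 {
		jump drop_to_test3
	}

	chain helper_test3 {
		meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
	}

	chain drop_from_test3 {
		iifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
	}

	chain drop_to_test3 {
		oifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
	}

	chain input_test4 {
		jump drop_from_test4
	}

	chain output_test4 {
		jump drop_to_test4
	}

	chain forward_test4 {
		jump drop_to_test4
	}

	chain helper_test4 {
		meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
		meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
		meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
		meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
		meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
		meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
		meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
		meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
		meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
		meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
		meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
		meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
	}

	chain drop_from_test4 {
		iifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
	}

	chain drop_to_test4 {
		oifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
		oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_test1 {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
	}

	chain srcnat_test2 {
		meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test2 traffic"
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --

-- Expect stderr --
[!] Section @zone[4] (test5) option 'helper' specifies invalid value 'foo'
[!] Section @zone[4] (test5) skipped due to invalid options
-- End --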