1 Test that configured zone log limits are honored in emitted log rules. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/firewall.json -- 17 { 18 "zone": [ 19 { 20 ".description": "test zone with log_limit", 21 "name": "lan", 22 "network": "lan", 23 "auto_helper": 0, 24 "log": 3, 25 "log_limit": "1/min" 26 }, 27 { 28 ".description": "test zone with MASQ and log_limit", 29 "name": "wan", 30 "network": "wan", 31 "auto_helper": 0, 32 "family": "ipv4", 33 "masq": 1, 34 "log": 3, 35 "log_limit": "2/min" 36 }, 37 { 38 ".description": "test zone with log_limit and no log", 39 "name": "guest", 40 "network": "guest", 41 "auto_helper": 0, 42 "log_limit": "3/min" 43 }, 44 { 45 ".description": "test zone with log and no limit, should produce multi target rules", 46 "name": "wan6", 47 "network": "wan6", 48 "auto_helper": 0, 49 "family": "ipv6", 50 "log": 1 51 } 52 ], 53 54 "forwarding": [ 55 { 56 "src": "lan", 57 "dest": "wan" 58 } 59 ], 60 61 "rule": [ 62 { 63 ".description": "src lan log", 64 "proto": "tcp", 65 "src": "lan", 66 "dest_port": 1001, 67 "log": 1 68 }, 69 { 70 ".description": "src lan no log", 71 "proto": "tcp", 72 "src": "lan", 73 "dest_port": 1002, 74 "log": 0 75 }, 76 { 77 ".description": "dest lan log", 78 "proto": "tcp", 79 "dest": "lan", 80 "dest_port": 1003, 81 "log": 1 82 }, 83 { 84 ".description": "dest lan no log", 85 "proto": "tcp", 86 "dest": "lan", 87 "dest_port": 1004, 88 "log": 0 89 }, 90 { 91 ".description": "Source any, dest lan, log", 92 "proto": "tcp", 93 "src": "*", 94 "dest": "lan", 95 "dest_port": 1005, 96 "log": 1 97 }, 98 { 99 ".description": "Source any, dest lan, no log", 100 "proto": "tcp", 101 "src": "*", 102 "dest": "lan", 103 "dest_port": 1006, 104 "log": 0 105 }, 106 { 107 ".description": "src any log", 108 "proto": "tcp", 109 "src": "*", 110 "dest_port": 1007, 111 "log": 
1 112 }, 113 { 114 ".description": "src any no log", 115 "proto": "tcp", 116 "src": "*", 117 "dest_port": 1008, 118 "log": 0 119 }, 120 { 121 "name": "Deny guest with no log", 122 "proto": "icmp", 123 "dest": "guest", 124 "target": "drop" 125 }, 126 { 127 "name": "Deny guest with log", 128 "proto": "icmp", 129 "dest": "guest", 130 "target": "drop", 131 "log": 1 132 }, 133 { 134 "name": "Deny rule #1", 135 "proto": "any", 136 "src": "lan", 137 "dest": "wan", 138 "src_ip": [ "192.168.1.2" ], 139 "target": "drop" 140 }, 141 { 142 "name": "Deny rule #2", 143 "proto": "icmp", 144 "src": "lan", 145 "dest": "wan", 146 "src_ip": [ "192.168.1.3" ], 147 "target": "drop" 148 }, 149 { 150 ".description": "src any log", 151 "proto": "tcp", 152 "src": "*", 153 "dest_port": 1009, 154 "log": 1, 155 "log_limit": "5/min" 156 } 157 ], 158 "redirect": [ 159 { 160 "proto": "tcp", 161 "src": "wan", 162 "dest": "lan", 163 "dest_ip": "10.0.0.2", 164 "dest_port": "22", 165 "log": "1" 166 }, 167 { 168 "proto": "tcp", 169 "src": "wan", 170 "dest": "lan", 171 "dest_ip": "10.0.0.2", 172 "dest_port": "23", 173 "log": "1", 174 "log_limit": "4/min" 175 } 176 177 ] 178 } 179 -- End -- 180 181 -- File uci/helpers.json -- 182 {} 183 -- End -- 184 185 -- Expect stdout -- 186 table inet fw4 187 flush table inet fw4 188 189 table inet fw4 { 190 # 191 # Defines 192 # 193 194 define lan_devices = { "br-lan" } 195 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } 196 197 define wan_devices = { "pppoe-wan" } 198 define wan_subnets = { 10.11.12.0/24 } 199 200 define guest_devices = { "br-guest" } 201 define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } 202 203 define wan6_devices = { "pppoe-wan" } 204 define wan6_subnets = { 2001:db8:54:321::/64 } 205 206 207 # 208 # Limits 209 # 210 211 limit lan.log_limit { 212 comment "lan log limit" 213 rate 1/minute 214 } 215 216 limit wan.log_limit { 217 comment "wan log limit" 218 
rate 2/minute 219 } 220 221 limit guest.log_limit { 222 comment "guest log limit" 223 rate 3/minute 224 } 225 226 227 # 228 # User includes 229 # 230 231 include "/etc/nftables.d/*.nft" 232 233 234 # 235 # Filter rules 236 # 237 238 chain input { 239 type filter hook input priority filter; policy drop; 240 241 iif "lo" accept comment "!fw4: Accept traffic from loopback" 242 243 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 244 tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]" 245 tcp dport 1008 counter comment "!fw4: @rule[7]" 246 tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: " 247 tcp dport 1009 counter comment "!fw4: @rule[12]" 248 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" 249 meta nfproto ipv4 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4 input traffic" 250 iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" 251 meta nfproto ipv6 iifname "pppoe-wan" jump input_wan6 comment "!fw4: Handle wan6 IPv6 input traffic" 252 } 253 254 chain forward { 255 type filter hook forward priority filter; policy drop; 256 257 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 258 tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: " 259 tcp dport 1005 counter comment "!fw4: @rule[4]" 260 tcp dport 1006 counter comment "!fw4: @rule[5]" 261 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" 262 meta nfproto ipv4 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4 forward traffic" 263 iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic" 264 meta nfproto ipv6 iifname "pppoe-wan" jump forward_wan6 comment "!fw4: Handle wan6 IPv6 forward traffic" 265 } 266 267 chain output { 268 type filter hook output priority filter; policy drop; 269 270 oif "lo" accept comment 
"!fw4: Accept traffic towards loopback" 271 272 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 273 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" 274 meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic" 275 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" 276 meta nfproto ipv6 oifname "pppoe-wan" jump output_wan6 comment "!fw4: Handle wan6 IPv6 output traffic" 277 } 278 279 chain prerouting { 280 type filter hook prerouting priority filter; policy accept; 281 } 282 283 chain handle_reject { 284 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 285 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 286 } 287 288 chain input_lan { 289 tcp dport 1001 limit name "lan.log_limit" log prefix "@rule[0]: " 290 tcp dport 1001 counter comment "!fw4: @rule[0]" 291 tcp dport 1002 counter comment "!fw4: @rule[1]" 292 ct status dnat accept comment "!fw4: Accept port redirections" 293 jump drop_from_lan 294 } 295 296 chain output_lan { 297 tcp dport 1003 limit name "lan.log_limit" log prefix "@rule[2]: " 298 tcp dport 1003 counter comment "!fw4: @rule[2]" 299 tcp dport 1004 counter comment "!fw4: @rule[3]" 300 jump drop_to_lan 301 } 302 303 chain forward_lan { 304 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1" 305 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2" 306 meta nfproto ipv4 jump accept_to_wan comment "!fw4: Accept lan to wan IPv4 forwarding" 307 ct status dnat accept comment "!fw4: Accept port forwards" 308 jump drop_to_lan 309 limit name "lan.log_limit" log prefix "drop lan forward: " 310 } 311 312 chain accept_to_lan { 313 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic" 314 } 315 316 chain drop_from_lan { 317 iifname "br-lan" limit name 
"lan.log_limit" log prefix "drop lan in: " 318 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" 319 } 320 321 chain drop_to_lan { 322 oifname "br-lan" limit name "lan.log_limit" log prefix "drop lan out: " 323 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" 324 } 325 326 chain input_wan { 327 ct status dnat accept comment "!fw4: Accept port redirections" 328 jump drop_from_wan 329 } 330 331 chain output_wan { 332 jump drop_to_wan 333 } 334 335 chain forward_wan { 336 ct status dnat accept comment "!fw4: Accept port forwards" 337 jump drop_to_wan 338 limit name "wan.log_limit" log prefix "drop wan forward: " 339 } 340 341 chain accept_to_wan { 342 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid limit name "wan.log_limit" log prefix "drop wan invalid ct state: " 343 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter drop comment "!fw4: Prevent NAT leakage" 344 meta nfproto ipv4 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4 traffic" 345 } 346 347 chain drop_from_wan { 348 meta nfproto ipv4 iifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan in: " 349 meta nfproto ipv4 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic" 350 } 351 352 chain drop_to_wan { 353 meta nfproto ipv4 oifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan out: " 354 meta nfproto ipv4 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic" 355 } 356 357 chain input_guest { 358 jump drop_from_guest 359 } 360 361 chain output_guest { 362 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with no log" 363 meta l4proto { "icmp", "ipv6-icmp" } limit name "guest.log_limit" log prefix "Deny guest with log: " 364 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with log" 365 jump drop_to_guest 366 } 367 368 chain forward_guest { 369 jump drop_to_guest 370 } 371 372 chain 
drop_from_guest { 373 iifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic" 374 } 375 376 chain drop_to_guest { 377 oifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic" 378 } 379 380 chain input_wan6 { 381 jump drop_from_wan6 382 } 383 384 chain output_wan6 { 385 jump drop_to_wan6 386 } 387 388 chain forward_wan6 { 389 jump drop_to_wan6 390 log prefix "drop wan6 forward: " 391 } 392 393 chain drop_from_wan6 { 394 meta nfproto ipv6 iifname "pppoe-wan" counter log prefix "drop wan6 in: " drop comment "!fw4: drop wan6 IPv6 traffic" 395 } 396 397 chain drop_to_wan6 { 398 meta nfproto ipv6 oifname "pppoe-wan" counter log prefix "drop wan6 out: " drop comment "!fw4: drop wan6 IPv6 traffic" 399 } 400 401 402 # 403 # NAT rules 404 # 405 406 chain dstnat { 407 type nat hook prerouting priority dstnat; policy accept; 408 iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" 409 meta nfproto ipv4 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4 dstnat traffic" 410 } 411 412 chain srcnat { 413 type nat hook postrouting priority srcnat; policy accept; 414 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" 415 meta nfproto ipv4 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4 srcnat traffic" 416 } 417 418 chain dstnat_lan { 419 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:22 comment "!fw4: @redirect[0] (reflection)" 420 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:23 comment "!fw4: @redirect[1] (reflection)" 421 } 422 423 chain srcnat_lan { 424 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 22 snat 10.0.0.1 comment "!fw4: @redirect[0] (reflection)" 425 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 23 snat 10.0.0.1 comment "!fw4: @redirect[1] (reflection)" 426 } 427 428 chain dstnat_wan { 429 meta nfproto ipv4 limit name 
"wan.log_limit" log prefix "@redirect[0]: " 430 meta nfproto ipv4 counter dnat 10.0.0.2:22 comment "!fw4: @redirect[0]" 431 meta nfproto ipv4 limit rate 4/minute log prefix "@redirect[1]: " 432 meta nfproto ipv4 counter dnat 10.0.0.2:23 comment "!fw4: @redirect[1]" 433 } 434 435 chain srcnat_wan { 436 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" 437 } 438 439 440 # 441 # Raw rules (notrack) 442 # 443 444 chain raw_prerouting { 445 type filter hook prerouting priority raw; policy accept; 446 } 447 448 chain raw_output { 449 type filter hook output priority raw; policy accept; 450 } 451 452 453 # 454 # Mangle rules 455 # 456 457 chain mangle_prerouting { 458 type filter hook prerouting priority mangle; policy accept; 459 } 460 461 chain mangle_postrouting { 462 type filter hook postrouting priority mangle; policy accept; 463 } 464 465 chain mangle_input { 466 type filter hook input priority mangle; policy accept; 467 } 468 469 chain mangle_output { 470 type route hook output priority mangle; policy accept; 471 } 472 473 chain mangle_forward { 474 type filter hook forward priority mangle; policy accept; 475 } 476 } 477 -- End --