1 Testing that rule declarations are mapped to the proper chains depending 2 on src and dest options. 3 4 -- Testcase -- 5 {% 6 include("./root/usr/share/firewall4/main.uc", { 7 getenv: function(varname) { 8 switch (varname) { 9 case 'ACTION': 10 return 'print'; 11 } 12 } 13 }) 14 %} 15 -- End -- 16 17 -- File uci/helpers.json -- 18 {} 19 -- End -- 20 21 -- File uci/firewall.json -- 22 { 23 "rule": [ 24 { 25 ".description": "Neither source, nor dest => should result in an output rule", 26 "proto": "any" 27 }, 28 { 29 ".description": "Source any, no dest => should result in an input rule", 30 "proto": "any", 31 "src": "*" 32 }, 33 { 34 ".description": "Dest any, no source => should result in an output rule", 35 "proto": "any", 36 "dest": "*" 37 }, 38 { 39 ".description": "Source any, dest any => should result in a forward rule", 40 "proto": "any", 41 "src": "*", 42 "dest": "*" 43 } 44 ] 45 } 46 -- End -- 47 48 -- Expect stdout -- 49 table inet fw4 50 flush table inet fw4 51 52 table inet fw4 { 53 # 54 # Defines 55 # 56 57 58 # 59 # User includes 60 # 61 62 include "/etc/nftables.d/*.nft" 63 64 65 # 66 # Filter rules 67 # 68 69 chain input { 70 type filter hook input priority filter; policy drop; 71 72 iif "lo" accept comment "!fw4: Accept traffic from loopback" 73 74 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 75 counter comment "!fw4: @rule[1]" 76 } 77 78 chain forward { 79 type filter hook forward priority filter; policy drop; 80 81 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 82 counter comment "!fw4: @rule[3]" 83 } 84 85 chain output { 86 type filter hook output priority filter; policy drop; 87 88 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 89 90 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 91 counter comment "!fw4: @rule[0]" 92 counter comment "!fw4: @rule[2]" 93 } 94 95 chain prerouting { 96 
type filter hook prerouting priority filter; policy accept; 97 } 98 99 chain handle_reject { 100 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 101 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 102 } 103 104 105 # 106 # NAT rules 107 # 108 109 chain dstnat { 110 type nat hook prerouting priority dstnat; policy accept; 111 } 112 113 chain srcnat { 114 type nat hook postrouting priority srcnat; policy accept; 115 } 116 117 118 # 119 # Raw rules (notrack) 120 # 121 122 chain raw_prerouting { 123 type filter hook prerouting priority raw; policy accept; 124 } 125 126 chain raw_output { 127 type filter hook output priority raw; policy accept; 128 } 129 130 131 # 132 # Mangle rules 133 # 134 135 chain mangle_prerouting { 136 type filter hook prerouting priority mangle; policy accept; 137 } 138 139 chain mangle_postrouting { 140 type filter hook postrouting priority mangle; policy accept; 141 } 142 143 chain mangle_input { 144 type filter hook input priority mangle; policy accept; 145 } 146 147 chain mangle_output { 148 type route hook output priority mangle; policy accept; 149 } 150 151 chain mangle_forward { 152 type filter hook forward priority mangle; policy accept; 153 } 154 } 155 -- End --