1 Testing various option constraints. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File uci/firewall.json -- 21 { 22 "zone": [ 23 { 24 "name": "lan" 25 } 26 ], 27 "rule": [ 28 { 29 ".description": "Helper rules require an explicit source zone", 30 "proto": "any", 31 "name": "Helper rule #1", 32 "target": "helper" 33 }, 34 { 35 ".description": "Helper rules require a set_helper option", 36 "proto": "any", 37 "name": "Helper rule #2", 38 "src": "lan", 39 "target": "helper" 40 }, 41 42 { 43 ".description": "Notrack rules require an explicit source zone", 44 "proto": "any", 45 "name": "Notrack rule", 46 "target": "notrack" 47 }, 48 49 { 50 ".description": "DSCP target rules require a set_dscp option", 51 "proto": "any", 52 "name": "DSCP target rule #1", 53 "target": "dscp" 54 }, 55 56 { 57 ".description": "DSCP matches enforce AF specific rules due to required ip/ip6 prefix", 58 "proto": "any", 59 "name": "DSCP match rule #1", 60 "dscp": "0x0" 61 }, 62 63 { 64 ".description": "Mark rules require a set_xmark or set_mark option", 65 "proto": "any", 66 "name": "Mark rule #1", 67 "target": "mark" 68 }, 69 ] 70 } 71 -- End -- 72 73 -- Expect stderr -- 74 [!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper' 75 [!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper' 76 [!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack' 77 [!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp' 78 [!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark' 79 -- End -- 80 81 -- Expect stdout -- 82 table inet fw4 83 flush table inet fw4 84 85 table inet fw4 { 86 # 87 # Defines 88 # 89 90 define lan_devices = { } 91 define lan_subnets = { } 92 93 94 # 95 # User includes 96 # 97 98 include "/etc/nftables.d/*.nft" 99 100 101 # 102 # Filter rules 103 # 104 105 chain input { 106 type filter hook input priority filter; policy drop; 107 108 iif "lo" accept comment "!fw4: Accept traffic from loopback" 109 110 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 111 } 112 113 chain forward { 114 type filter hook forward priority filter; policy drop; 115 116 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 117 } 118 119 chain output { 120 type filter hook output priority filter; policy drop; 121 122 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 123 124 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 125 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1" 126 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1" 127 } 128 129 chain prerouting { 130 type filter hook prerouting priority filter; policy accept; 131 } 132 133 chain handle_reject { 134 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 135 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 136 } 137 138 chain input_lan { 139 jump drop_from_lan 140 } 141 142 chain output_lan { 143 jump drop_to_lan 144 } 145 146 chain forward_lan { 147 jump drop_to_lan 148 } 149 150 chain helper_lan { 151 } 152 153 chain drop_from_lan { 154 } 155 156 chain drop_to_lan { 157 } 158 159 160 # 161 # NAT rules 162 # 163 164 chain dstnat { 165 type nat hook prerouting priority dstnat; policy accept; 166 } 167 168 chain srcnat { 169 type nat hook postrouting priority srcnat; policy accept; 170 } 171 172 173 # 174 # Raw rules (notrack) 175 # 176 177 chain raw_prerouting { 178 type filter hook prerouting priority raw; policy accept; 179 } 180 181 chain raw_output { 182 type filter hook output priority raw; policy accept; 183 } 184 185 186 # 187 # Mangle rules 188 # 189 190 chain mangle_prerouting { 191 type filter hook prerouting priority mangle; policy accept; 192 } 193 194 chain mangle_postrouting { 195 type filter hook postrouting priority mangle; policy accept; 196 } 197 198 chain mangle_input { 199 type filter hook input priority mangle; policy accept; 200 } 201 202 chain mangle_output { 203 type route hook output priority mangle; policy accept; 204 } 205 206 chain mangle_forward { 207 type filter hook forward priority mangle; policy accept; 208 } 209 } 210 -- End --
This page was automatically generated by LXR 0.3.1. • OpenWrt