
Sources/firewall4/tests/03_rules/03_constraints

  1 Test that the various rule option constraints are enforced.
  2 
  3 -- Testcase --
  4 {%
  5         include("./root/usr/share/firewall4/main.uc", {
  6                 getenv: function(varname) {
  7                         switch (varname) {
  8                         case 'ACTION':
  9                                 return 'print';
 10                         }
 11                 }
 12         })
 13 %}
 14 -- End --
 15 
 16 -- File uci/helpers.json --
 17 {}
 18 -- End --
 19 
 20 -- File uci/firewall.json --
 21 {
 22         "zone": [
 23                 {
 24                         "name": "lan"
 25                 }
 26         ],
 27         "rule": [
 28                 {
 29                         ".description": "Helper rules require an explicit source zone",
 30                         "proto": "any",
 31                         "name": "Helper rule #1",
 32                         "target": "helper"
 33                 },
 34                 {
 35                         ".description": "Helper rules require a set_helper option",
 36                         "proto": "any",
 37                         "name": "Helper rule #2",
 38                         "src": "lan",
 39                         "target": "helper"
 40                 },
 41 
 42                 {
 43                         ".description": "Notrack rules require an explicit source zone",
 44                         "proto": "any",
 45                         "name": "Notrack rule",
 46                         "target": "notrack"
 47                 },
 48 
 49                 {
 50                         ".description": "DSCP target rules require a set_dscp option",
 51                         "proto": "any",
 52                         "name": "DSCP target rule #1",
 53                         "target": "dscp"
 54                 },
 55 
 56                 {
 57                         ".description": "DSCP matches produce AF-specific rules because the match requires an ip/ip6 prefix",
 58                         "proto": "any",
 59                         "name": "DSCP match rule #1",
 60                         "dscp": "0x0"
 61                 },
 62 
 63                 {
 64                         ".description": "Mark rules require a set_xmark or set_mark option",
 65                         "proto": "any",
 66                         "name": "Mark rule #1",
 67                         "target": "mark"
 68                 },
 69         ]
 70 }
 71 -- End --
 72 
 73 -- Expect stderr --
 74 [!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
 75 [!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
 76 [!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
 77 [!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
 78 [!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
 79 -- End --
 80 
 81 -- Expect stdout --
 82 table inet fw4
 83 flush table inet fw4
 84 
 85 table inet fw4 {
 86         #
 87         # Defines
 88         #
 89 
 90         define lan_devices = {  }
 91         define lan_subnets = {  }
 92 
 93 
 94         #
 95         # User includes
 96         #
 97 
 98         include "/etc/nftables.d/*.nft"
 99 
100 
101         #
102         # Filter rules
103         #
104 
105         chain input {
106                 type filter hook input priority filter; policy drop;
107 
108                 iif "lo" accept comment "!fw4: Accept traffic from loopback"
109 
110                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
111         }
112 
113         chain forward {
114                 type filter hook forward priority filter; policy drop;
115 
116                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
117         }
118 
119         chain output {
120                 type filter hook output priority filter; policy drop;
121 
122                 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
123 
124                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
125                 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
126                 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
127         }
128 
129         chain prerouting {
130                 type filter hook prerouting priority filter; policy accept;
131         }
132 
133         chain handle_reject {
134                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
135                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
136         }
137 
138         chain input_lan {
139                 jump drop_from_lan
140         }
141 
142         chain output_lan {
143                 jump drop_to_lan
144         }
145 
146         chain forward_lan {
147                 jump drop_to_lan
148         }
149 
150         chain helper_lan {
151         }
152 
153         chain drop_from_lan {
154         }
155 
156         chain drop_to_lan {
157         }
158 
159 
160         #
161         # NAT rules
162         #
163 
164         chain dstnat {
165                 type nat hook prerouting priority dstnat; policy accept;
166         }
167 
168         chain srcnat {
169                 type nat hook postrouting priority srcnat; policy accept;
170         }
171 
172 
173         #
174         # Raw rules (notrack)
175         #
176 
177         chain raw_prerouting {
178                 type filter hook prerouting priority raw; policy accept;
179         }
180 
181         chain raw_output {
182                 type filter hook output priority raw; policy accept;
183         }
184 
185 
186         #
187         # Mangle rules
188         #
189 
190         chain mangle_prerouting {
191                 type filter hook prerouting priority mangle; policy accept;
192         }
193 
194         chain mangle_postrouting {
195                 type filter hook postrouting priority mangle; policy accept;
196         }
197 
198         chain mangle_input {
199                 type filter hook input priority mangle; policy accept;
200         }
201 
202         chain mangle_output {
203                 type route hook output priority mangle; policy accept;
204         }
205 
206         chain mangle_forward {
207                 type filter hook forward priority mangle; policy accept;
208         }
209 }
210 -- End --
