
Sources/firewall4/tests/03_rules/04_icmp

  1 Testing handling of ICMP-related options.
  2 
  3 -- Testcase --
  4 {%
  5         include("./root/usr/share/firewall4/main.uc", {
  6                 getenv: function(varname) { // stubbed environment: only ACTION is defined; any other name yields no value
  7                         switch (varname) {
  8                         case 'ACTION':
  9                                 return 'print'; // ACTION=print makes main.uc emit the ruleset on stdout, which the "Expect stdout" section below checks
 10                         }
 11                 }
 12         })
 13 %}
 14 -- End --
 15 
 16 -- File uci/helpers.json --
 17 {}
 18 -- End --
 19 
 20 -- File uci/firewall.json --
 21 {
 22         "rule": [
 23                 {
 24                         ".description": "Proto 'icmp' maps to a single rule covering both IPv4 and IPv6",
 25                         "proto": "icmp",
 26                         "name": "ICMP rule #1"
 27                 },
 28                 {
 29                         ".description": "Proto 'icmpv6' maps to IPv6 rule only",
 30                         "proto": "icmpv6",
 31                         "name": "ICMP rule #2",
 32                 },
 33                 {
 34                         ".description": "Proto 'ipv6-icmp' is an alias for 'icmpv6'",
 35                         "proto": "ipv6-icmp",
 36                         "name": "ICMP rule #3",
 37                 },
 38                 {
 39                         ".description": "Proto 'icmp' with IPv4-specific types inhibits IPv6 rule",
 40                         "proto": "icmp",
 41                         "name": "ICMP rule #4",
 42                         "icmp_type": [ "ip-header-bad" ]
 43                 },
 44                 {
 45                         ".description": "Proto 'icmp' with IPv6-specific types inhibits IPv4 rule",
 46                         "proto": "icmp",
 47                         "name": "ICMP rule #5",
 48                         "icmp_type": [ "neighbour-advertisement" ]
 49                 }
 50         ]
 51 }
 52 -- End --
 53 
 54 -- Expect stdout --
 55 table inet fw4
 56 flush table inet fw4
 57 
 58 table inet fw4 {
 59         #
 60         # Defines
 61         #
 62 
 63 
 64         #
 65         # User includes
 66         #
 67 
 68         include "/etc/nftables.d/*.nft"
 69 
 70 
 71         #
 72         # Filter rules
 73         #
 74 
 75         chain input {
 76                 type filter hook input priority filter; policy drop;
 77 
 78                 iif "lo" accept comment "!fw4: Accept traffic from loopback"
 79 
 80                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
 81         }
 82 
 83         chain forward {
 84                 type filter hook forward priority filter; policy drop;
 85 
 86                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
 87         }
 88 
 89         chain output {
 90                 type filter hook output priority filter; policy drop;
 91 
 92                 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 93 
 94                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
 95                 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
 96                 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
 97                 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
 98                 meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
 99                 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
100         }
101 
102         chain prerouting {
103                 type filter hook prerouting priority filter; policy accept;
104         }
105 
106         chain handle_reject {
107                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
108                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
109         }
110 
111 
112         #
113         # NAT rules
114         #
115 
116         chain dstnat {
117                 type nat hook prerouting priority dstnat; policy accept;
118         }
119 
120         chain srcnat {
121                 type nat hook postrouting priority srcnat; policy accept;
122         }
123 
124 
125         #
126         # Raw rules (notrack)
127         #
128 
129         chain raw_prerouting {
130                 type filter hook prerouting priority raw; policy accept;
131         }
132 
133         chain raw_output {
134                 type filter hook output priority raw; policy accept;
135         }
136 
137 
138         #
139         # Mangle rules
140         #
141 
142         chain mangle_prerouting {
143                 type filter hook prerouting priority mangle; policy accept;
144         }
145 
146         chain mangle_postrouting {
147                 type filter hook postrouting priority mangle; policy accept;
148         }
149 
150         chain mangle_input {
151                 type filter hook input priority mangle; policy accept;
152         }
153 
154         chain mangle_output {
155                 type route hook output priority mangle; policy accept;
156         }
157 
158         chain mangle_forward {
159                 type filter hook forward priority mangle; policy accept;
160         }
161 }
162 -- End --
