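Ensure that DSCP and MARK target rules end up in the appropriate chains,
depending on the src and dest options.

-- Testcase --
{%
	// Stub getenv() for main.uc: only ACTION is answered, with 'print', so the
	// generated ruleset is emitted on stdout (checked against the "Expect stdout"
	// section below). Every other variable falls through the switch and yields
	// the function's implicit null.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File fs/open~_sys_class_net_eth0_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_eth1_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_eth2_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_eth3_flags.txt --
0x1103
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			"name": "lan",
			"device": [ "eth0", "eth1" ]
		},
		{
			"name": "wan",
			"device": [ "eth2", "eth3" ]
		}
	],
	"rule": [
		{
			".description": "Source '*' and destination '*' should result in a forward rule",
			"name": "Mangle rule #1",
			"src": "*",
			"dest": "*",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Source zone and destination zone should result in a forward rule",
			"name": "Mangle rule #2",
			"src": "lan",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Any source zone and specific destination zone should result in a postrouting rule",
			"name": "Mangle rule #3",
			"src": "*",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Specific source zone and any destination zone should result in a prerouting rule",
			"name": "Mangle rule #4",
			"src": "lan",
			"dest": "*",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Specific source zone and no destination zone should result in an input rule",
			"name": "Mangle rule #5",
			"src": "lan",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Any source zone and no destination zone should result in an input rule",
			"name": "Mangle rule #6",
			"src": "*",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "No source zone and no destination zone should result in an output rule",
			"name": "Mangle rule #7",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "No source zone and any destination zone should result in an output rule",
			"name": "Mangle rule #8",
			"dest": "*",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "No source zone and specific destination zone should result in an output rule",
			"name": "Mangle rule #9",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1"
		},
		{
			".description": "Option device with no direction should override inbound ifname match",
			"name": "Mangle rule #10",
			"src": "*",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1",
			"device": "eth4"
		},
		{
			".description": "Option device with direction 'in' should override inbound ifname match",
			"name": "Mangle rule #11",
			"src": "*",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1",
			"device": "eth4",
			"direction": "in"
		},
		{
			".description": "Option device with direction 'out' should override outbound ifname match",
			"name": "Mangle rule #12",
			"src": "*",
			"dest": "wan",
			"target": "DSCP",
			"set_dscp": "1",
			"device": "eth5",
			"direction": "out"
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define lan_devices = { "eth0", "eth1" }
	define lan_subnets = { }

	define wan_devices = { "eth2", "eth3" }
	define wan_subnets = { }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_lan {
		jump drop_from_lan
	}

	chain output_lan {
		jump drop_to_lan
	}

	chain forward_lan {
		jump drop_to_lan
	}

	chain helper_lan {
	}

	chain drop_from_lan {
		iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain drop_to_lan {
		oifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		jump drop_from_wan
	}

	chain output_wan {
		jump drop_to_wan
	}

	chain forward_wan {
		jump drop_to_wan
	}

	chain helper_wan {
	}

	chain drop_from_wan {
		iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain drop_to_wan {
		oifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
		meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
		meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
		meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
		meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
		meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
		meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
		meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
		meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
		meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
		meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
		meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
		meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
		meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
		meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
		meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
		meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
		meta nfproto ipv4 meta l4proto tcp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
		meta nfproto ipv6 meta l4proto tcp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
		meta nfproto ipv4 meta l4proto udp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
		meta nfproto ipv6 meta l4proto udp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
		meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
		meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
		meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
		meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
		meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
		meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
		meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
		meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
		meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
		meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
		meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
		meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
		meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
		meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
		meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
		meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
		meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
		meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
		meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
		meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
		meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
		meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
		meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
		meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
		meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
		meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
		meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
	}
}
-- End --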