1 Test that non-contiguous subnet masks are properly handled in rule source 2 or destination IP expressions. nftables can only express such masks as bitwise 3 "addr & mask == value" matches, and bitwise expressions cannot be used as set elements, so fw4 has to 4 expand each rule into one permutation per masked address (one emitted rule per combination of source and destination alternatives); plain addresses and CIDRs still collapse into anonymous sets, and negated masked addresses are ANDed into every permutation. 5 6 -- Testcase -- 7 {% 8 include("./root/usr/share/firewall4/main.uc", { 9 getenv: function(varname) { 10 switch (varname) { 11 case 'ACTION': 12 return 'print'; 13 } 14 } 15 }) 16 %} 17 -- End -- 18 19 -- File uci/helpers.json -- 20 {} 21 -- End -- 22 23 -- File uci/firewall.json -- 24 { 25 "zone": [ 26 { 27 "name": "wan", 28 "network": "wan6", 29 "masq6": 1 30 }, 31 { 32 "name": "lan", 33 "network": "lan", 34 "auto_helper": 0 35 }, 36 { 37 "name": "guest", 38 "network": "guest", 39 "auto_helper": 0 40 } 41 ], 42 "rule": [ 43 { 44 ".description": "Ensure that IPs with non-contiguous masks are properly translated into bitwise match expressions (including the negated destination)", 45 "proto": "all", 46 "name": "Mask rule #1", 47 "src_ip": "::1/::ffff", 48 "dest_ip": "!::2/::ffff" 49 }, 50 { 51 ".description": "Ensure that combinations of multiple masked and unmasked (plain/CIDR) IPs, positive and negated, yield the proper rule permutations", 52 "proto": "all", 53 "name": "Mask rule #2", 54 "src_ip": [ 55 "::1/::ffff", 56 "::2/::ffff", 57 "::3/128", 58 "::4/128", 59 "!::5/::ffff", 60 "!::6/::ffff", 61 "!::7/128", 62 "!::8/128" 63 ], 64 "dest_ip": [ 65 "::9/::ffff", 66 "::10/::ffff", 67 "::11/128", 68 "::12/128", 69 "!::13/::ffff", 70 "!::14/::ffff", 71 "!::15/128", 72 "!::16/128" 73 ] 74 }, 75 { 76 ".description": "Ensure that CIDRs with a negative bitcount (prefix length counted from the low-order end, i.e. a host-suffix match rather than a network-prefix match) are properly translated", 77 "proto": "all", 78 "name": "Mask rule #3", 79 "src_ip": "::1/-64", 80 "dest_ip": "!::2/-64" 81 } 82 ], 83 "redirect": [ 84 { 85 ".description": "Ensure that masked IPs are properly handled in reflection rules; note this redirect shares the name \"Mask rule #3\" with the preceding rule, so the name alone does not identify a rule in the generated output", 86 "proto": "all", 87 "name": "Mask rule #3", 88 "src": "wan", 89 "dest": "lan", 90 "src_ip": "::1/::ffff", 91 "src_dip": "::9/::ffff", 92 "dest_ip": "::99", 93 "dest_port": "22", 94 "target": "DNAT", 95
"reflection_zone": [ "lan", "guest" ] 96 } 97 ] 98 } 99 -- End -- 100 101 -- Expect stdout -- 102 table inet fw4 103 flush table inet fw4 104 105 table inet fw4 { 106 # 107 # Defines 108 # 109 110 define wan_devices = { "pppoe-wan" } 111 define wan_subnets = { 2001:db8:54:321::/64 } 112 113 define lan_devices = { "br-lan" } 114 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } 115 116 define guest_devices = { "br-guest" } 117 define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } 118 119 120 # 121 # User includes 122 # 123 124 include "/etc/nftables.d/*.nft" 125 126 127 # 128 # Filter rules 129 # 130 131 chain input { 132 type filter hook input priority filter; policy drop; 133 134 iif "lo" accept comment "!fw4: Accept traffic from loopback" 135 136 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 137 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" 138 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" 139 iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" 140 } 141 142 chain forward { 143 type filter hook forward priority filter; policy drop; 144 145 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 146 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" 147 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" 148 iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic" 149 } 150 151 chain output { 152 type filter hook output priority filter; policy drop; 153 154 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 155 156 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 157 ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != 
::2 counter comment "!fw4: Mask rule #1" 158 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 159 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 160 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 161 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 162 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 163 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 164 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 165 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 
daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 166 ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" 167 ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3" 168 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" 169 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" 170 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" 171 } 172 173 chain prerouting { 174 type filter hook prerouting priority filter; policy accept; 175 } 176 177 chain handle_reject { 178 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 179 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 180 } 181 182 chain input_wan { 183 ct status dnat accept comment "!fw4: Accept port redirections" 184 jump drop_from_wan 185 } 186 187 chain output_wan { 188 jump drop_to_wan 189 } 190 191 chain forward_wan { 192 ct status dnat accept comment "!fw4: Accept port forwards" 193 jump drop_to_wan 194 } 195 196 chain drop_from_wan { 197 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic" 198 } 199 200 chain drop_to_wan { 201 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic" 202 } 203 204 chain input_lan { 205 ct status dnat accept comment "!fw4: Accept port redirections" 206 jump drop_from_lan 207 } 208 209 chain output_lan { 210 jump drop_to_lan 211 } 212 213 chain forward_lan { 214 ct status dnat accept comment "!fw4: Accept port forwards" 215 jump drop_to_lan 216 } 217 218 chain drop_from_lan { 219 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" 220 } 221 222 chain drop_to_lan { 223 oifname "br-lan" counter 
drop comment "!fw4: drop lan IPv4/IPv6 traffic" 224 } 225 226 chain input_guest { 227 ct status dnat accept comment "!fw4: Accept port redirections" 228 jump drop_from_guest 229 } 230 231 chain output_guest { 232 jump drop_to_guest 233 } 234 235 chain forward_guest { 236 ct status dnat accept comment "!fw4: Accept port forwards" 237 jump drop_to_guest 238 } 239 240 chain drop_from_guest { 241 iifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic" 242 } 243 244 chain drop_to_guest { 245 oifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic" 246 } 247 248 249 # 250 # NAT rules 251 # 252 253 chain dstnat { 254 type nat hook prerouting priority dstnat; policy accept; 255 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic" 256 iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" 257 iifname "br-guest" jump dstnat_guest comment "!fw4: Handle guest IPv4/IPv6 dstnat traffic" 258 } 259 260 chain srcnat { 261 type nat hook postrouting priority srcnat; policy accept; 262 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" 263 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" 264 oifname "br-guest" jump srcnat_guest comment "!fw4: Handle guest IPv4/IPv6 srcnat traffic" 265 } 266 267 chain dstnat_wan { 268 ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff == ::9 counter dnat ::99 comment "!fw4: Mask rule #3" 269 } 270 271 chain srcnat_wan { 272 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic" 273 } 274 275 chain dstnat_lan { 276 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr & ::ffff == ::9 dnat ::99 comment "!fw4: Mask rule #3 (reflection)" 277 } 278 279 chain srcnat_lan { 280 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr ::99 snat 2001:db8:1000:1::1 comment "!fw4: Mask rule #3 (reflection)" 281 } 282 283 chain dstnat_guest { 284 ip6 saddr { 
2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr & ::ffff == ::9 dnat ::99 comment "!fw4: Mask rule #3 (reflection)" 285 } 286 287 chain srcnat_guest { 288 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr ::99 snat 2001:db8:1000:2::1 comment "!fw4: Mask rule #3 (reflection)" 289 } 290 291 292 # 293 # Raw rules (notrack) 294 # 295 296 chain raw_prerouting { 297 type filter hook prerouting priority raw; policy accept; 298 } 299 300 chain raw_output { 301 type filter hook output priority raw; policy accept; 302 } 303 304 305 # 306 # Mangle rules 307 # 308 309 chain mangle_prerouting { 310 type filter hook prerouting priority mangle; policy accept; 311 } 312 313 chain mangle_postrouting { 314 type filter hook postrouting priority mangle; policy accept; 315 } 316 317 chain mangle_input { 318 type filter hook input priority mangle; policy accept; 319 } 320 321 chain mangle_output { 322 type route hook output priority mangle; policy accept; 323 } 324 325 chain mangle_forward { 326 type filter hook forward priority mangle; policy accept; 327 } 328 } 329 -- End --