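Test various address selection rules in redirect rules.

-- Testcase --
{%
	// Run main.uc with ACTION=print so the generated ruleset is emitted on
	// stdout and compared against the "Expect stdout" section below.
	// Only ACTION is answered by this stub; any other variable name yields
	// null, i.e. reads as unset.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			"name": "wan",
			"network": [ "wan", "wan6" ],
			"masq": 1,
			"masq6": 1
		},
		{
			"name": "lan",
			"network": "lan",
			"auto_helper": 0
		},
		{
			"name": "noaddr",
			"network": [ "noaddr" ],
			"masq": 1,
			"masq6": 1
		}
	],
	"redirect": [
		{
			".description": "Ensure unspecified family with no src, dest or rewrite address is treated as IPv4 only",
			"name": "Redirect test #1",
			"src": "lan",
			"dest": "wan",
			"proto": "udp",
			"src_dport": "53",
			"dest_port": "53",
			"target": "dnat"
		},
		{
			".description": "Ensure that explicit family any with no src, dest or rewrite address is treated as IPv4/IPv6",
			"name": "Redirect test #2",
			"family": "any",
			"src": "lan",
			"dest": "wan",
			"proto": "udp",
			"src_dport": "53",
			"dest_port": "53",
			"target": "dnat"
		},
		{
			".description": "Ensure that a DNAT without explicit dest zone infers the zone from the rewrite address",
			"name": "Redirect test #3",
			"src": "wan",
			"proto": "tcp",
			"src_dport": "22",
			"dest_ip": "192.168.26.100"
		},
		{
			".description": "Ensure that external reflection source uses the src zone addr as reflection source IP",
			"name": "Redirect test #4",
			"src": "wan",
			"proto": "tcp",
			"src_dport": "23",
			"dest_ip": "192.168.26.100",
			"reflection_src": "external"
		},
		{
			".description": "Ensure that reflection is disabled if external address cannot be determined",
			"name": "Redirect test #5",
			"src": "noaddr",
			"dest": "lan",
			"proto": "tcp",
			"src_dport": "24",
			"dest_ip": "192.168.26.100"
		},
		{
			".description": "Ensure that the rewrite IPv6 address is using bracket notation when a port is specified",
			"name": "Redirect test #6",
			"family": "ipv6",
			"src": "wan",
			"dest": "lan",
			"proto": "tcp",
			"src_dport": "25",
			"dest_ip": "2001:db8:1000:1::1234",
			"dest_port": "25",
			"target": "dnat"
		},
		{
			".description": "Ensure that IPv4 family restricted redirect rules work properly (rule must only match nfproto ipv4)",
			"name": "Redirect test #7",
			"family": "ipv4",
			"src": "wan",
			"dest": "lan",
			"proto": "tcp",
			"src_dport": "26",
			"dest_port": "26",
			"target": "dnat"
		},
		{
			".description": "Ensure that IPv6 family restricted redirect rules work properly (rule must only match nfproto ipv6)",
			"name": "Redirect test #8",
			"family": "ipv6",
			"src": "wan",
			"dest": "lan",
			"proto": "tcp",
			"src_dport": "27",
			"dest_port": "27",
			"target": "dnat"
		}
	]
}
-- End --

-- Expect stderr --
[!] Section @redirect[2] (Redirect test #3) does not specify a destination, assuming 'lan'
[!] Section @redirect[3] (Redirect test #4) does not specify a destination, assuming 'lan'
[!] Section @redirect[4] (Redirect test #5) external address range cannot be determined, disabling reflection
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define wan_devices = { "pppoe-wan" }
	define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }

	define lan_devices = { "br-lan" }
	define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }

	define noaddr_devices = { "wwan0" }
	define noaddr_subnets = { }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_wan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_wan
	}

	chain output_wan {
		jump drop_to_wan
	}

	chain forward_wan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_wan
	}

	chain drop_from_wan {
		iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain drop_to_wan {
		oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
	}

	chain input_lan {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_lan
	}

	chain output_lan {
		jump drop_to_lan
	}

	chain forward_lan {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_lan
	}

	chain accept_to_lan {
		oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain drop_from_lan {
		iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain drop_to_lan {
		oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain input_noaddr {
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_noaddr
	}

	chain output_noaddr {
		jump drop_to_noaddr
	}

	chain forward_noaddr {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_noaddr
	}

	chain drop_from_noaddr {
		iifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic"
	}

	chain drop_to_noaddr {
		oifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
		iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
		iifname "wwan0" jump dstnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
		oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
		oifname "wwan0" jump srcnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 srcnat traffic"
	}

	chain dstnat_wan {
		meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3"
		meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4"
		meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6"
		meta nfproto ipv4 tcp dport 26 counter redirect to 26 comment "!fw4: Redirect test #7"
		meta nfproto ipv6 tcp dport 27 counter redirect to 27 comment "!fw4: Redirect test #8"
	}

	chain srcnat_wan {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
		meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"
	}

	chain dstnat_lan {
		meta nfproto ipv4 udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #1"
		udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #2"
		ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100:22 comment "!fw4: Redirect test #3 (reflection)"
		ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 23 dnat 192.168.26.100:23 comment "!fw4: Redirect test #4 (reflection)"
		ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:54:321::2 tcp dport 25 dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6 (reflection)"
	}

	chain srcnat_lan {
		ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 22 snat 192.168.26.1 comment "!fw4: Redirect test #3 (reflection)"
		ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 23 snat 10.11.12.194 comment "!fw4: Redirect test #4 (reflection)"
		ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:1000:1::1234 tcp dport 25 snat 2001:db8:1000:1::1 comment "!fw4: Redirect test #6 (reflection)"
	}

	chain dstnat_noaddr {
		meta nfproto ipv4 tcp dport 24 counter dnat 192.168.26.100:24 comment "!fw4: Redirect test #5"
	}

	chain srcnat_noaddr {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 noaddr traffic"
		meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 noaddr traffic"
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --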