
Sources/firewall4/tests/03_rules/07_redirect

  1 Test various address selection rules in redirect rules.
  2 
  3 -- Testcase --
  4 {%
  5         include("./root/usr/share/firewall4/main.uc", {
  6                 getenv: function(varname) {
  7                         switch (varname) {
  8                         case 'ACTION':
  9                                 return 'print';
 10                         }
 11                 }
 12         })
 13 %}
 14 -- End --
 15 
 16 -- File uci/helpers.json --
 17 {}
 18 -- End --
 19 
 20 -- File uci/firewall.json --
 21 {
 22         "zone": [
 23                 {
 24                         "name": "wan",
 25                         "network": [ "wan", "wan6" ],
 26                         "masq": 1,
 27                         "masq6": 1
 28                 },
 29                 {
 30                         "name": "lan",
 31                         "network": "lan",
 32                         "auto_helper": 0
 33                 },
 34                 {
 35                         "name": "noaddr",
 36                         "network": [ "noaddr" ],
 37                         "masq": 1,
 38                         "masq6": 1
 39                 }
 40         ],
 41         "redirect": [
 42                 {
 43                         ".description": "Ensure unspecified family with no src, dest or rewrite address is treated as IPv4 only",
 44                         "name": "Redirect test #1",
 45                         "src": "lan",
 46                         "dest": "wan",
 47                         "proto": "udp",
 48                         "src_dport": "53",
 49                         "dest_port": "53",
 50                         "target": "dnat"
 51                 },
 52                 {
 53                         ".description": "Ensure that explicit family any with no src, dest or rewrite address is treated as IPv4/IPv6",
 54                         "name": "Redirect test #2",
 55                         "family": "any",
 56                         "src": "lan",
 57                         "dest": "wan",
 58                         "proto": "udp",
 59                         "src_dport": "53",
 60                         "dest_port": "53",
 61                         "target": "dnat"
 62                 },
 63                 {
 64                         ".description": "Ensure that a DNAT without explicit dest zone infers the zone from the rewrite address",
 65                         "name": "Redirect test #3",
 66                         "src": "wan",
 67                         "proto": "tcp",
 68                         "src_dport": "22",
 69                         "dest_ip": "192.168.26.100"
 70                 },
 71                 {
 72                         ".description": "Ensure that external reflection source uses the src zone addr as reflection source IP",
 73                         "name": "Redirect test #4",
 74                         "src": "wan",
 75                         "proto": "tcp",
 76                         "src_dport": "23",
 77                         "dest_ip": "192.168.26.100",
 78                         "reflection_src": "external"
 79                 },
 80                 {
 81                         ".description": "Ensure that reflection is disabled if external address cannot be determined",
 82                         "name": "Redirect test #5",
 83                         "src": "noaddr",
 84                         "dest": "lan",
 85                         "proto": "tcp",
 86                         "src_dport": "24",
 87                         "dest_ip": "192.168.26.100"
 88                 },
 89                 {
 90                         ".description": "Ensure that the rewrite IPv6 address is using bracket notation when a port is specified",
 91                         "name": "Redirect test #6",
 92                         "family": "ipv6",
 93                         "src": "wan",
 94                         "dest": "lan",
 95                         "proto": "tcp",
 96                         "src_dport": "25",
 97                         "dest_ip": "2001:db8:1000:1::1234",
 98                         "dest_port": "25",
 99                         "target": "dnat"
100                 },
101                 {
102                         ".description": "Ensure that family restricted (ipv4) redirect rules work properly",
103                         "name": "Redirect test #7",
104                         "family": "ipv4",
105                         "src": "wan",
106                         "dest": "lan",
107                         "proto": "tcp",
108                         "src_dport": "26",
109                         "dest_port": "26",
110                         "target": "dnat"
111                 },
112                 {
113                         ".description": "Ensure that family restricted (ipv6) redirect rules work properly",
114                         "name": "Redirect test #8",
115                         "family": "ipv6",
116                         "src": "wan",
117                         "dest": "lan",
118                         "proto": "tcp",
119                         "src_dport": "27",
120                         "dest_port": "27",
121                         "target": "dnat"
122                 }
123         ]
124 }
125 -- End --
126 
127 -- Expect stderr --
128 [!] Section @redirect[2] (Redirect test #3) does not specify a destination, assuming 'lan'
129 [!] Section @redirect[3] (Redirect test #4) does not specify a destination, assuming 'lan'
130 [!] Section @redirect[4] (Redirect test #5) external address range cannot be determined, disabling reflection
131 -- End --
132 
133 -- Expect stdout --
134 table inet fw4
135 flush table inet fw4
136 
137 table inet fw4 {
138         #
139         # Defines
140         #
141 
142         define wan_devices = { "pppoe-wan" }
143         define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
144 
145         define lan_devices = { "br-lan" }
146         define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
147 
148         define noaddr_devices = { "wwan0" }
149         define noaddr_subnets = {  }
150 
151 
152         #
153         # User includes
154         #
155 
156         include "/etc/nftables.d/*.nft"
157 
158 
159         #
160         # Filter rules
161         #
162 
163         chain input {
164                 type filter hook input priority filter; policy drop;
165 
166                 iif "lo" accept comment "!fw4: Accept traffic from loopback"
167 
168                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
169                 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
170                 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
171                 iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
172         }
173 
174         chain forward {
175                 type filter hook forward priority filter; policy drop;
176 
177                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
178                 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
179                 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
180                 iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
181         }
182 
183         chain output {
184                 type filter hook output priority filter; policy drop;
185 
186                 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
187 
188                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
189                 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
190                 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
191                 oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
192         }
193 
194         chain prerouting {
195                 type filter hook prerouting priority filter; policy accept;
196         }
197 
198         chain handle_reject {
199                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
200                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
201         }
202 
203         chain input_wan {
204                 ct status dnat accept comment "!fw4: Accept port redirections"
205                 jump drop_from_wan
206         }
207 
208         chain output_wan {
209                 jump drop_to_wan
210         }
211 
212         chain forward_wan {
213                 ct status dnat accept comment "!fw4: Accept port forwards"
214                 jump drop_to_wan
215         }
216 
217         chain drop_from_wan {
218                 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
219         }
220 
221         chain drop_to_wan {
222                 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
223         }
224 
225         chain input_lan {
226                 ct status dnat accept comment "!fw4: Accept port redirections"
227                 jump drop_from_lan
228         }
229 
230         chain output_lan {
231                 jump drop_to_lan
232         }
233 
234         chain forward_lan {
235                 ct status dnat accept comment "!fw4: Accept port forwards"
236                 jump drop_to_lan
237         }
238 
239         chain accept_to_lan {
240                 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
241         }
242 
243         chain drop_from_lan {
244                 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
245         }
246 
247         chain drop_to_lan {
248                 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
249         }
250 
251         chain input_noaddr {
252                 ct status dnat accept comment "!fw4: Accept port redirections"
253                 jump drop_from_noaddr
254         }
255 
256         chain output_noaddr {
257                 jump drop_to_noaddr
258         }
259 
260         chain forward_noaddr {
261                 ct status dnat accept comment "!fw4: Accept port forwards"
262                 jump drop_to_noaddr
263         }
264 
265         chain drop_from_noaddr {
266                 iifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic"
267         }
268 
269         chain drop_to_noaddr {
270                 oifname "wwan0" counter drop comment "!fw4: drop noaddr IPv4/IPv6 traffic"
271         }
272 
273 
274         #
275         # NAT rules
276         #
277 
278         chain dstnat {
279                 type nat hook prerouting priority dstnat; policy accept;
280                 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
281                 iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
282                 iifname "wwan0" jump dstnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 dstnat traffic"
283         }
284 
285         chain srcnat {
286                 type nat hook postrouting priority srcnat; policy accept;
287                 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
288                 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
289                 oifname "wwan0" jump srcnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 srcnat traffic"
290         }
291 
292         chain dstnat_wan {
293                 meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3"
294                 meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4"
295                 meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6"
296                 meta nfproto ipv4 tcp dport 26 counter redirect to 26 comment "!fw4: Redirect test #7"
297                 meta nfproto ipv6 tcp dport 27 counter redirect to 27 comment "!fw4: Redirect test #8"
298         }
299 
300         chain srcnat_wan {
301                 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
302                 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 wan traffic"
303         }
304 
305         chain dstnat_lan {
306                 meta nfproto ipv4 udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #1"
307                 udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #2"
308                 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100:22 comment "!fw4: Redirect test #3 (reflection)"
309                 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 23 dnat 192.168.26.100:23 comment "!fw4: Redirect test #4 (reflection)"
310                 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:54:321::2 tcp dport 25 dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6 (reflection)"
311         }
312 
313         chain srcnat_lan {
314                 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 22 snat 192.168.26.1 comment "!fw4: Redirect test #3 (reflection)"
315                 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 192.168.26.100 tcp dport 23 snat 10.11.12.194 comment "!fw4: Redirect test #4 (reflection)"
316                 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:1000:1::1234 tcp dport 25 snat 2001:db8:1000:1::1 comment "!fw4: Redirect test #6 (reflection)"
317         }
318 
319         chain dstnat_noaddr {
320                 meta nfproto ipv4 tcp dport 24 counter dnat 192.168.26.100:24 comment "!fw4: Redirect test #5"
321         }
322 
323         chain srcnat_noaddr {
324                 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 noaddr traffic"
325                 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 noaddr traffic"
326         }
327 
328 
329         #
330         # Raw rules (notrack)
331         #
332 
333         chain raw_prerouting {
334                 type filter hook prerouting priority raw; policy accept;
335         }
336 
337         chain raw_output {
338                 type filter hook output priority raw; policy accept;
339         }
340 
341 
342         #
343         # Mangle rules
344         #
345 
346         chain mangle_prerouting {
347                 type filter hook prerouting priority mangle; policy accept;
348         }
349 
350         chain mangle_postrouting {
351                 type filter hook postrouting priority mangle; policy accept;
352         }
353 
354         chain mangle_input {
355                 type filter hook input priority mangle; policy accept;
356         }
357 
358         chain mangle_output {
359                 type route hook output priority mangle; policy accept;
360         }
361 
362         chain mangle_forward {
363                 type filter hook forward priority mangle; policy accept;
364         }
365 }
366 -- End --
