Testing address family option constraints: a section whose explicit family (or the family implied by its addresses) conflicts with the family of its zone, subnet, ipset or address options must be skipped with a warning instead of being emitted with an inconsistent family, while rules referencing an IPv4 only zone inherit that zone's IPv4 restriction.

-- Testcase --
{%
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
			"name": "ipv4only",
			"subnet": "192.168.1.0/24",
			"auto_helper": 0
		},

		{
			".description": "A zone with conflicting family and subnet settings should be skipped",
			"name": "afconflict",
			"subnet": "10.0.0.0/8",
			"family": "IPv6",
			"auto_helper": 0
		}
	],
	"ipset": [
		{
			"name": "ipv4set",
			"match": "src_ip",
			"entry": [
				"10.0.0.2",
				"10.0.0.3",
				"10.0.0.4"
			]
		}
	],
	"rule": [
		{
			".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
			"src": "ipv4only",
			"proto": "tcp",
			"dest_port": "22",
			"name": "Rule #1",
			"target": "accept"
		},

		{
			".description": "Rules whose family conflicts with their addresses should be skipped",
			"proto": "tcp",
			"src_ip": "10.0.0.1",
			"dest_port": "22",
			"name": "Rule #2",
			"target": "accept",
			"family": "IPv6"
		},

		{
			".description": "Rules whose family conflicts with the zone family should be skipped",
			"src": "ipv4only",
			"proto": "tcp",
			"dest_port": "22",
			"name": "Rule #3",
			"target": "accept",
			"family": "IPv6"
		},

		{
			".description": "Rules whose family conflicts with the referenced set family should be skipped",
			"src": "ipv4only",
			"proto": "tcp",
			"ipset": "ipv4set",
			"name": "Rule #4",
			"target": "accept",
			"family": "IPv6"
		}
	],
	"redirect": [
		{
			".description": "Redirects whose family (here implied by the IPv6 dest_ip, no explicit family option) conflicts with the referenced zone family should be skipped",
			"src": "ipv4only",
			"proto": "tcp",
			"src_dport": "22",
"dest_ip": "fdca::1", 96 "name": "Redirect #1", 97 "target": "dnat" 98 }, 99 ], 100 "nat": [ 101 { 102 ".description": "NAT rules whose family conflicts with the referenced zone family should be skipped", 103 "name": "NAT #1", 104 "family": "ipv6", 105 "src": "ipv4only", 106 "target": "masquerade" 107 }, 108 109 { 110 ".description": "NAT rules whose family conflicts with their addresses should be skipped", 111 "name": "NAT #2", 112 "family": "ipv4", 113 "src": "*", 114 "src_ip": "fc00::/7", 115 "target": "masquerade" 116 }, 117 118 { 119 ".description": "NAT rules without any AF specific bits and unspecified family should default to IPv4 for backwards compatibility", 120 "name": "NAT #3", 121 "src": "*", 122 "target": "masquerade" 123 }, 124 125 { 126 ".description": "NAT rules without explicit family but IPv6 specific bits should be IPv6", 127 "name": "NAT #4", 128 "src": "*", 129 "src_ip": "fc00::/7", 130 "target": "masquerade" 131 }, 132 133 134 { 135 ".description": "NAT rules with explicit family any should inherit zone restrictions", 136 "name": "NAT #5", 137 "src": "ipv4only", 138 "target": "masquerade" 139 }, 140 141 { 142 ".description": "NAT rules without any AF specific bits but explicit family any should be IPv4/IPv6", 143 "name": "NAT #6", 144 "family": "any", 145 "src": "*", 146 "target": "masquerade" 147 } 148 ] 149 } 150 -- End -- 151 152 -- Expect stderr -- 153 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping 154 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping 155 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping 156 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping 157 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping 158 [!] 
Section @nat[0] (NAT #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
[!] Section @nat[1] (NAT #2) is restricted to IPv4 but referenced source IP is IPv6 only, skipping
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Set definitions
	#

	set ipv4set {
		type ipv4_addr
		elements = {
			10.0.0.2,
			10.0.0.3,
			10.0.0.4,
		}
	}


	#
	# Defines
	#

	define ipv4only_devices = { }
	define ipv4only_subnets = { 192.168.1.0/24 }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type 
port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_ipv4only {
		meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump drop_from_ipv4only
	}

	chain output_ipv4only {
		jump drop_to_ipv4only
	}

	chain forward_ipv4only {
		ct status dnat accept comment "!fw4: Accept port forwards"
		jump drop_to_ipv4only
	}

	chain drop_from_ipv4only {
		meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
	}

	chain drop_to_ipv4only {
		meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
		meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		meta nfproto ipv4 counter masquerade comment "!fw4: NAT #3"
		ip6 saddr fc00::/7 counter masquerade comment "!fw4: NAT #4"
		counter masquerade comment "!fw4: NAT #6"
		meta nfproto ipv4 ip daddr 192.168.1.0/24 jump srcnat_ipv4only comment "!fw4: Handle ipv4only IPv4 srcnat traffic"
	}

	chain dstnat_ipv4only {
	}

	chain srcnat_ipv4only {
		meta nfproto ipv4 counter masquerade comment "!fw4: NAT #5"
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --