1 Ensure that NOTRACK rules end up in the appropriate chains, depending on 2 the src and dest options. 3 4 -- Testcase -- 5 {% 6 include("./root/usr/share/firewall4/main.uc", { 7 getenv: function(varname) { 8 switch (varname) { 9 case 'ACTION': 10 return 'print'; 11 } 12 } 13 }) 14 %} 15 -- End -- 16 17 -- File uci/helpers.json -- 18 {} 19 -- End -- 20 21 -- File fs/open~_sys_class_net_eth0_flags.txt -- 22 0x1103 23 -- End -- 24 25 -- File fs/open~_sys_class_net_lo_flags.txt -- 26 0x9 27 -- End -- 28 29 -- File uci/firewall.json -- 30 { 31 "zone": [ 32 { 33 "name": "zone1", 34 "device": [ "eth0" ], 35 "auto_helper": 0 36 }, 37 { 38 "name": "zone2", 39 "device": [ "lo" ], 40 "auto_helper": 0 41 }, 42 { 43 "name": "zone3", 44 "subnet": [ "127.0.0.1/8", "::1/128" ], 45 "auto_helper": 0 46 } 47 ], 48 "rule": [ 49 { 50 ".description": "An ordinary notrack rule should end up in the raw_prerouting chain", 51 "name": "Notrack rule #1", 52 "src": "zone1", 53 "target": "NOTRACK" 54 }, 55 { 56 ".description": "A notrack rule with loopback source device should end up in the raw_output chain", 57 "name": "Notrack rule #2", 58 "src": "zone2", 59 "target": "NOTRACK" 60 }, 61 { 62 ".description": "A notrack rule with loopback source address should end up in the raw_output chain", 63 "name": "Notrack rule #3", 64 "src": "zone3", 65 "target": "NOTRACK" 66 } 67 ] 68 } 69 -- End -- 70 71 -- Expect stdout -- 72 table inet fw4 73 flush table inet fw4 74 75 table inet fw4 { 76 # 77 # Defines 78 # 79 80 define zone1_devices = { "eth0" } 81 define zone1_subnets = { } 82 83 define zone2_devices = { "lo" } 84 define zone2_subnets = { } 85 86 define zone3_devices = { } 87 define zone3_subnets = { 127.0.0.0/8, ::1 } 88 89 90 # 91 # User includes 92 # 93 94 include "/etc/nftables.d/*.nft" 95 96 97 # 98 # Filter rules 99 # 100 101 chain input { 102 type filter hook input priority filter; policy drop; 103 104 iif "lo" accept comment "!fw4: Accept traffic from loopback" 105 106 ct state vmap { 
established : accept, related : accept } comment "!fw4: Handle inbound flows" 107 iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic" 108 iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic" 109 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic" 110 meta nfproto ipv6 ip6 saddr ::1 jump input_zone3 comment "!fw4: Handle zone3 IPv6 input traffic" 111 } 112 113 chain forward { 114 type filter hook forward priority filter; policy drop; 115 116 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 117 iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic" 118 iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic" 119 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic" 120 meta nfproto ipv6 ip6 saddr ::1 jump forward_zone3 comment "!fw4: Handle zone3 IPv6 forward traffic" 121 } 122 123 chain output { 124 type filter hook output priority filter; policy drop; 125 126 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 127 128 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 129 oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic" 130 oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic" 131 meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic" 132 meta nfproto ipv6 ip6 daddr ::1 jump output_zone3 comment "!fw4: Handle zone3 IPv6 output traffic" 133 } 134 135 chain prerouting { 136 type filter hook prerouting priority filter; policy accept; 137 } 138 139 chain handle_reject { 140 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 141 reject with icmpx type port-unreachable comment "!fw4: Reject any other 
traffic" 142 } 143 144 chain input_zone1 { 145 jump drop_from_zone1 146 } 147 148 chain output_zone1 { 149 jump drop_to_zone1 150 } 151 152 chain forward_zone1 { 153 jump drop_to_zone1 154 } 155 156 chain drop_from_zone1 { 157 iifname "eth0" counter drop comment "!fw4: drop zone1 IPv4/IPv6 traffic" 158 } 159 160 chain drop_to_zone1 { 161 oifname "eth0" counter drop comment "!fw4: drop zone1 IPv4/IPv6 traffic" 162 } 163 164 chain input_zone2 { 165 jump drop_from_zone2 166 } 167 168 chain output_zone2 { 169 jump drop_to_zone2 170 } 171 172 chain forward_zone2 { 173 jump drop_to_zone2 174 } 175 176 chain drop_from_zone2 { 177 iifname "lo" counter drop comment "!fw4: drop zone2 IPv4/IPv6 traffic" 178 } 179 180 chain drop_to_zone2 { 181 oifname "lo" counter drop comment "!fw4: drop zone2 IPv4/IPv6 traffic" 182 } 183 184 chain input_zone3 { 185 jump drop_from_zone3 186 } 187 188 chain output_zone3 { 189 jump drop_to_zone3 190 } 191 192 chain forward_zone3 { 193 jump drop_to_zone3 194 } 195 196 chain drop_from_zone3 { 197 meta nfproto ipv4 ip saddr 127.0.0.0/8 counter drop comment "!fw4: drop zone3 IPv4 traffic" 198 meta nfproto ipv6 ip6 saddr ::1 counter drop comment "!fw4: drop zone3 IPv6 traffic" 199 } 200 201 chain drop_to_zone3 { 202 meta nfproto ipv4 ip daddr 127.0.0.0/8 counter drop comment "!fw4: drop zone3 IPv4 traffic" 203 meta nfproto ipv6 ip6 daddr ::1 counter drop comment "!fw4: drop zone3 IPv6 traffic" 204 } 205 206 207 # 208 # NAT rules 209 # 210 211 chain dstnat { 212 type nat hook prerouting priority dstnat; policy accept; 213 } 214 215 chain srcnat { 216 type nat hook postrouting priority srcnat; policy accept; 217 } 218 219 220 # 221 # Raw rules (notrack) 222 # 223 224 chain raw_prerouting { 225 type filter hook prerouting priority raw; policy accept; 226 iifname "eth0" jump notrack_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 notrack traffic" 227 } 228 229 chain raw_output { 230 type filter hook output priority raw; policy accept; 231 iifname "lo" jump 
notrack_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 notrack traffic" 232 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump notrack_zone3 comment "!fw4: Handle zone3 IPv4 notrack traffic" 233 meta nfproto ipv6 ip6 saddr ::1 jump notrack_zone3 comment "!fw4: Handle zone3 IPv6 notrack traffic" 234 } 235 236 chain notrack_zone1 { 237 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #1" 238 meta l4proto udp counter notrack comment "!fw4: Notrack rule #1" 239 } 240 241 chain notrack_zone2 { 242 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #2" 243 meta l4proto udp counter notrack comment "!fw4: Notrack rule #2" 244 } 245 246 chain notrack_zone3 { 247 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #3" 248 meta l4proto udp counter notrack comment "!fw4: Notrack rule #3" 249 } 250 251 252 # 253 # Mangle rules 254 # 255 256 chain mangle_prerouting { 257 type filter hook prerouting priority mangle; policy accept; 258 } 259 260 chain mangle_postrouting { 261 type filter hook postrouting priority mangle; policy accept; 262 } 263 264 chain mangle_input { 265 type filter hook input priority mangle; policy accept; 266 } 267 268 chain mangle_output { 269 type route hook output priority mangle; policy accept; 270 } 271 272 chain mangle_forward { 273 type filter hook forward priority mangle; policy accept; 274 } 275 } 276 -- End --