1 Testing that `option log 1` enables rule logging and sets the rule name as 2 log prefix. Also testing that setting `option log` to a non-boolean 3 string uses that string verbatim as log prefix. Only plain-text prefixes are exercised here; prefixes containing double quotes or other characters that would need escaping in the generated nft ruleset are not covered by this test. 4 5 -- Testcase -- 6 {% 7 include("./root/usr/share/firewall4/main.uc", { 8 getenv: function(varname) { 9 switch (varname) { 10 case 'ACTION': 11 return 'print'; 12 } 13 } 14 }) 15 %} 16 -- End -- 17 18 -- File uci/helpers.json -- 19 {} 20 -- End -- 21 22 -- File uci/firewall.json -- 23 { 24 "zone": [ 25 { 26 "name": "wan" 27 } 28 ], 29 "rule": [ 30 { 31 "proto": "any", 32 "log": "1" 33 }, 34 { 35 "name": "Explicit rule name", 36 "proto": "any", 37 "log": "1" 38 }, 39 { "proto": "any", 40 "log": "Explicit prefix: " 41 } 42 ], 43 "redirect": [ 44 { 45 "proto": "tcp", 46 "src": "wan", 47 "dest_ip": "10.0.0.2", 48 "dest_port": "22", 49 "log": "1" 50 }, 51 { 52 "name": "Explicit redirect name", 53 "proto": "tcp", 54 "src": "wan", 55 "dest_ip": "10.0.0.3", 56 "dest_port": "23", 57 "log": "1" 58 }, 59 { 60 "proto": "tcp", 61 "src": "wan", 62 "dest_ip": "10.0.0.4", 63 "dest_port": "24", 64 "log": "Explicit prefix: " 65 } 66 ], 67 "nat": [ 68 { 69 "src": "wan", 70 "target": "MASQUERADE", 71 "log": "1" 72 }, 73 { 74 "name": "Explicit nat name", 75 "src": "wan", 76 "target": "MASQUERADE", 77 "log": "1" 78 }, 79 { 80 "src": "wan", 81 "target": "MASQUERADE", 82 "log": "Explicit log prefix: " 83 } 84 ] 85 } 86 -- End -- 87 88 -- Expect stdout -- 89 table inet fw4 90 flush table inet fw4 91 92 table inet fw4 { 93 # 94 # Defines 95 # 96 97 define wan_devices = { } 98 define wan_subnets = { } 99 100 101 # 102 # User includes 103 # 104 105 include "/etc/nftables.d/*.nft" 106 107 108 # 109 # Filter rules 110 # 111 112 chain input { 113 type filter hook input priority filter; policy drop; 114 115 iif "lo" accept comment "!fw4: Accept traffic from loopback" 116 117 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 118 } 119 120 chain forward 
{ 121 type filter hook forward priority filter; policy drop; 122 123 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 124 } 125 126 chain output { 127 type filter hook output priority filter; policy drop; 128 129 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 130 131 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 132 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]" 133 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name" 134 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]" 135 } 136 137 chain prerouting { 138 type filter hook prerouting priority filter; policy accept; 139 } 140 141 chain handle_reject { 142 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 143 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 144 } 145 146 chain input_wan { 147 ct status dnat accept comment "!fw4: Accept port redirections" 148 jump drop_from_wan 149 } 150 151 chain output_wan { 152 jump drop_to_wan 153 } 154 155 chain forward_wan { 156 ct status dnat accept comment "!fw4: Accept port forwards" 157 jump drop_to_wan 158 } 159 160 chain helper_wan { 161 } 162 163 chain drop_from_wan { 164 } 165 166 chain drop_to_wan { 167 } 168 169 170 # 171 # NAT rules 172 # 173 174 chain dstnat { 175 type nat hook prerouting priority dstnat; policy accept; 176 } 177 178 chain srcnat { 179 type nat hook postrouting priority srcnat; policy accept; 180 } 181 182 chain dstnat_wan { 183 meta nfproto ipv4 counter log prefix "@redirect[0]: " dnat 10.0.0.2:22 comment "!fw4: @redirect[0]" 184 meta nfproto ipv4 counter log prefix "Explicit redirect name: " dnat 10.0.0.3:23 comment "!fw4: Explicit redirect name" 185 meta nfproto ipv4 counter log prefix "Explicit prefix: " dnat 10.0.0.4:24 comment "!fw4: @redirect[2]" 186 } 187 188 chain srcnat_wan { 189 meta nfproto ipv4 counter log prefix "@nat[0]: 
" masquerade comment "!fw4: @nat[0]" 190 meta nfproto ipv4 counter log prefix "Explicit nat name: " masquerade comment "!fw4: Explicit nat name" 191 meta nfproto ipv4 counter log prefix "Explicit log prefix: " masquerade comment "!fw4: @nat[2]" 192 } 193 194 195 # 196 # Raw rules (notrack) 197 # 198 199 chain raw_prerouting { 200 type filter hook prerouting priority raw; policy accept; 201 } 202 203 chain raw_output { 204 type filter hook output priority raw; policy accept; 205 } 206 207 208 # 209 # Mangle rules 210 # 211 212 chain mangle_prerouting { 213 type filter hook prerouting priority mangle; policy accept; 214 } 215 216 chain mangle_postrouting { 217 type filter hook postrouting priority mangle; policy accept; 218 } 219 220 chain mangle_input { 221 type filter hook input priority mangle; policy accept; 222 } 223 224 chain mangle_output { 225 type route hook output priority mangle; policy accept; 226 } 227 228 chain mangle_forward { 229 type filter hook forward priority mangle; policy accept; 230 } 231 } 232 -- End --