1 Test that the zone family is honoured when setting up inter-zone forwarding rules. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File uci/firewall.json -- 21 { 22 "zone": [ 23 { 24 "name": "wanA", 25 "device": [ "eth0" ], 26 "auto_helper": 0 27 }, 28 29 { 30 "name": "wanB", 31 "device": [ "eth1" ], 32 "auto_helper": 0 33 }, 34 35 { 36 "name": "lan", 37 "device": [ "eth2" ], 38 "auto_helper": 0 39 } 40 ], 41 42 "forwarding": [ 43 { 44 ".description": "This should only allow IPv6 forwarding from lan to wanA", 45 "src": "lan", 46 "dest": "wanA", 47 "family": "IPv6" 48 }, 49 50 { 51 ".description": "This should only allow IPv4 forwarding from lan to wanB", 52 "src": "lan", 53 "dest": "wanB", 54 "family": "IPv4" 55 } 56 ] 57 } 58 -- End -- 59 60 -- Expect stdout -- 61 table inet fw4 62 flush table inet fw4 63 64 table inet fw4 { 65 # 66 # Defines 67 # 68 69 define wanA_devices = { "eth0" } 70 define wanA_subnets = { } 71 72 define wanB_devices = { "eth1" } 73 define wanB_subnets = { } 74 75 define lan_devices = { "eth2" } 76 define lan_subnets = { } 77 78 79 # 80 # User includes 81 # 82 83 include "/etc/nftables.d/*.nft" 84 85 86 # 87 # Filter rules 88 # 89 90 chain input { 91 type filter hook input priority filter; policy drop; 92 93 iif "lo" accept comment "!fw4: Accept traffic from loopback" 94 95 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 96 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic" 97 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic" 98 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" 99 } 100 101 chain forward { 102 type filter hook forward priority filter; policy drop; 103 104 ct state vmap { 
established : accept, related : accept } comment "!fw4: Handle forwarded flows" 105 iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic" 106 iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic" 107 iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" 108 } 109 110 chain output { 111 type filter hook output priority filter; policy drop; 112 113 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 114 115 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 116 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic" 117 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic" 118 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" 119 } 120 121 chain prerouting { 122 type filter hook prerouting priority filter; policy accept; 123 } 124 125 chain handle_reject { 126 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 127 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 128 } 129 130 chain input_wanA { 131 jump drop_from_wanA 132 } 133 134 chain output_wanA { 135 jump drop_to_wanA 136 } 137 138 chain forward_wanA { 139 jump drop_to_wanA 140 } 141 142 chain accept_to_wanA { 143 oifname "eth0" counter accept comment "!fw4: accept wanA IPv4/IPv6 traffic" 144 } 145 146 chain drop_from_wanA { 147 iifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic" 148 } 149 150 chain drop_to_wanA { 151 oifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic" 152 } 153 154 chain input_wanB { 155 jump drop_from_wanB 156 } 157 158 chain output_wanB { 159 jump drop_to_wanB 160 } 161 162 chain forward_wanB { 163 jump drop_to_wanB 164 } 165 166 chain accept_to_wanB { 167 oifname "eth1" counter accept comment "!fw4: accept wanB IPv4/IPv6 traffic" 168 } 169 170 chain 
drop_from_wanB { 171 iifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic" 172 } 173 174 chain drop_to_wanB { 175 oifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic" 176 } 177 178 chain input_lan { 179 jump drop_from_lan 180 } 181 182 chain output_lan { 183 jump drop_to_lan 184 } 185 186 chain forward_lan { 187 meta nfproto ipv6 jump accept_to_wanA comment "!fw4: Accept lan to wanA IPv6 forwarding" 188 meta nfproto ipv4 jump accept_to_wanB comment "!fw4: Accept lan to wanB IPv4 forwarding" 189 jump drop_to_lan 190 } 191 192 chain drop_from_lan { 193 iifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" 194 } 195 196 chain drop_to_lan { 197 oifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic" 198 } 199 200 201 # 202 # NAT rules 203 # 204 205 chain dstnat { 206 type nat hook prerouting priority dstnat; policy accept; 207 } 208 209 chain srcnat { 210 type nat hook postrouting priority srcnat; policy accept; 211 } 212 213 214 # 215 # Raw rules (notrack) 216 # 217 218 chain raw_prerouting { 219 type filter hook prerouting priority raw; policy accept; 220 } 221 222 chain raw_output { 223 type filter hook output priority raw; policy accept; 224 } 225 226 227 # 228 # Mangle rules 229 # 230 231 chain mangle_prerouting { 232 type filter hook prerouting priority mangle; policy accept; 233 } 234 235 chain mangle_postrouting { 236 type filter hook postrouting priority mangle; policy accept; 237 } 238 239 chain mangle_input { 240 type filter hook input priority mangle; policy accept; 241 } 242 243 chain mangle_output { 244 type route hook output priority mangle; policy accept; 245 } 246 247 chain mangle_forward { 248 type filter hook forward priority mangle; policy accept; 249 } 250 } 251 -- End --