• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/firewall4/tests/04_forwardings/01_family_selections

  1 Test that the zone family is honoured when setting up inter-zone forwarding rules.
  2 
  3 -- Testcase --
  4 {%
  5         include("./root/usr/share/firewall4/main.uc", {
  6                 getenv: function(varname) {
  7                         switch (varname) {
  8                         case 'ACTION':
  9                                 return 'print';
 10                         }
 11                 }
 12         })
 13 %}
 14 -- End --
 15 
 16 -- File uci/helpers.json --
 17 {}
 18 -- End --
 19 
 20 -- File uci/firewall.json --
 21 {
 22         "zone": [
 23                 {
 24                         "name": "wanA",
 25                         "device": [ "eth0" ],
 26                         "auto_helper": 0
 27                 },
 28 
 29                 {
 30                         "name": "wanB",
 31                         "device": [ "eth1" ],
 32                         "auto_helper": 0
 33                 },
 34 
 35                 {
 36                         "name": "lan",
 37                         "device": [ "eth2" ],
 38                         "auto_helper": 0
 39                 }
 40         ],
 41 
 42         "forwarding": [
 43                 {
 44                         ".description": "This should only allow IPv6 forwarding from lan to wanA",
 45                         "src": "lan",
 46                         "dest": "wanA",
 47                         "family": "IPv6"
 48                 },
 49 
 50                 {
 51                         ".description": "This should only allow IPv4 forwarding from lan to wanB",
 52                         "src": "lan",
 53                         "dest": "wanB",
 54                         "family": "IPv4"
 55                 }
 56         ]
 57 }
 58 -- End --
 59 
 60 -- Expect stdout --
 61 table inet fw4
 62 flush table inet fw4
 63 
 64 table inet fw4 {
 65         #
 66         # Defines
 67         #
 68 
 69         define wanA_devices = { "eth0" }
 70         define wanA_subnets = {  }
 71 
 72         define wanB_devices = { "eth1" }
 73         define wanB_subnets = {  }
 74 
 75         define lan_devices = { "eth2" }
 76         define lan_subnets = {  }
 77 
 78 
 79         #
 80         # User includes
 81         #
 82 
 83         include "/etc/nftables.d/*.nft"
 84 
 85 
 86         #
 87         # Filter rules
 88         #
 89 
 90         chain input {
 91                 type filter hook input priority filter; policy drop;
 92 
 93                 iif "lo" accept comment "!fw4: Accept traffic from loopback"
 94 
 95                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
 96                 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
 97                 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
 98                 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 99         }
100 
101         chain forward {
102                 type filter hook forward priority filter; policy drop;
103 
104                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
105                 iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
106                 iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
107                 iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
108         }
109 
110         chain output {
111                 type filter hook output priority filter; policy drop;
112 
113                 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
114 
115                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
116                 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
117                 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
118                 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
119         }
120 
121         chain prerouting {
122                 type filter hook prerouting priority filter; policy accept;
123         }
124 
125         chain handle_reject {
126                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
127                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
128         }
129 
130         chain input_wanA {
131                 jump drop_from_wanA
132         }
133 
134         chain output_wanA {
135                 jump drop_to_wanA
136         }
137 
138         chain forward_wanA {
139                 jump drop_to_wanA
140         }
141 
142         chain accept_to_wanA {
143                 oifname "eth0" counter accept comment "!fw4: accept wanA IPv4/IPv6 traffic"
144         }
145 
146         chain drop_from_wanA {
147                 iifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic"
148         }
149 
150         chain drop_to_wanA {
151                 oifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic"
152         }
153 
154         chain input_wanB {
155                 jump drop_from_wanB
156         }
157 
158         chain output_wanB {
159                 jump drop_to_wanB
160         }
161 
162         chain forward_wanB {
163                 jump drop_to_wanB
164         }
165 
166         chain accept_to_wanB {
167                 oifname "eth1" counter accept comment "!fw4: accept wanB IPv4/IPv6 traffic"
168         }
169 
170         chain drop_from_wanB {
171                 iifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic"
172         }
173 
174         chain drop_to_wanB {
175                 oifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic"
176         }
177 
178         chain input_lan {
179                 jump drop_from_lan
180         }
181 
182         chain output_lan {
183                 jump drop_to_lan
184         }
185 
186         chain forward_lan {
187                 meta nfproto ipv6 jump accept_to_wanA comment "!fw4: Accept lan to wanA IPv6 forwarding"
188                 meta nfproto ipv4 jump accept_to_wanB comment "!fw4: Accept lan to wanB IPv4 forwarding"
189                 jump drop_to_lan
190         }
191 
192         chain drop_from_lan {
193                 iifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
194         }
195 
196         chain drop_to_lan {
197                 oifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
198         }
199 
200 
201         #
202         # NAT rules
203         #
204 
205         chain dstnat {
206                 type nat hook prerouting priority dstnat; policy accept;
207         }
208 
209         chain srcnat {
210                 type nat hook postrouting priority srcnat; policy accept;
211         }
212 
213 
214         #
215         # Raw rules (notrack)
216         #
217 
218         chain raw_prerouting {
219                 type filter hook prerouting priority raw; policy accept;
220         }
221 
222         chain raw_output {
223                 type filter hook output priority raw; policy accept;
224         }
225 
226 
227         #
228         # Mangle rules
229         #
230 
231         chain mangle_prerouting {
232                 type filter hook prerouting priority mangle; policy accept;
233         }
234 
235         chain mangle_postrouting {
236                 type filter hook postrouting priority mangle; policy accept;
237         }
238 
239         chain mangle_input {
240                 type filter hook input priority mangle; policy accept;
241         }
242 
243         chain mangle_output {
244                 type route hook output priority mangle; policy accept;
245         }
246 
247         chain mangle_forward {
248                 type filter hook forward priority mangle; policy accept;
249         }
250 }
251 -- End --

This page was automatically generated by LXR 0.3.1.  •  OpenWrt