Testing an ipset declaration.

The configured set uses family IPv4 with match [ src_ip, dest_port ], which is
expected to come out as `type ipv4_addr . inet_service`; `maxelem` is rendered as
`size`, and `timeout` yields both `timeout 600s` and `flags timeout`. The element
list is the union of the inline "entry" values and the "loadfile" contents, which
the harness provides through the mocked file section below (presumably
fs/open~set-entries_txt.txt is how the runner spells the result of opening
"set-entries.txt" — verify against the test runner). Note that "counters": "1" is
configured but no counter statement appears in the expected set definition, so
confirm whether fw4 honours that option before relying on it. Only the declaration
is covered here: no rule in the expected ruleset references test-set.

-- Testcase --
{%
	// Run fw4's main script with a stubbed environment. ACTION=print makes it
	// emit the generated ruleset on stdout, which is compared against the
	// "Expect stdout" section; every other variable is left undefined.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File fs/open~set-entries_txt.txt --
10.11.12.13 53
172.16.27.1 443
-- End --

-- File uci/firewall.json --
{
	"ipset": [
		{
			"name": "test-set",
			"comment": "A simple set",
			"counters": "1",
			"family": "IPv4",
			"match": [ "src_ip", "dest_port" ],
			"timeout": "600",
			"maxelem": "1000",
			"entry": [
				"1.2.3.4 80",
				"5.6.7.8 22"
			],
			"loadfile": "set-entries.txt"
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Set definitions
	#

	set test-set {
		comment "A simple set"
		type ipv4_addr . inet_service
		size 1000
		timeout 600s
		flags timeout
		elements = {
			1.2.3.4 . 80,
			5.6.7.8 . 22,
			10.11.12.13 . 53,
			172.16.27.1 . 443,
		}
	}


	#
	# Defines
	#


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --