Test matching an ipset in rules.

-- Testcase --
{%
	// Environment stub handed to main.uc: only ACTION is defined, and
	// ACTION=print is expected to make it emit the generated ruleset on
	// stdout (compared against "Expect stdout" below). Any other variable
	// name yields null, i.e. behaves like an unset variable.
	let env = { ACTION: 'print' };

	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			return env[varname];
		}
	});
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File fs/open~_proc_version.txt --
Linux version 5.10.113 (jow@j7) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r17858+262-2c3e8bed3f) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Tue May 17 19:05:07 2022
-- End --

-- File uci/firewall.json --
{
	"ipset": [
		{
			"name": "test-set-1",
			"comment": "Test set #1 with traffic direction in type declaration",
			"match": [ "src_ip", "dest_port" ],
			"entry": [
				"1.2.3.4 80",
				"5.6.7.8 22"
			]
		},
		{
			"name": "test-set-2",
			"comment": "Test set #2 with unspecified traffic direction",
			"match": [ "ip", "port" ],
			"entry": [
				"1.2.3.4 80",
				"5.6.7.8 22"
			]
		},
		{
			"name": "test-set-3",
			"comment": "Test set #3 with IPv6 addresses",
			"family": "IPv6",
			"match": [ "net", "net", "port" ],
			"entry": [
				"db80:1234:4567::1/64 db80:1234:abcd::1/64 80",
				"db80:8765:aaaa::1/64 db80:8765:ffff::1/64 22",
				"db80:1:2:3:4:0:0:1 0:0:0:0:0:0:0:0/0 443",
			]
		}
	],
	"rule": [
		{
			"name": "Rule using test set #1",
			"src": "*",
			"dest": "*",
			"proto": "tcp",
			"ipset": "test-set-1"
		},
		{
			"name": "Rule using test set #2, match direction should default to 'source'",
			"src": "*",
			"dest": "*",
			"proto": "tcp",
			"ipset": "test-set-2"
		},
		{
			"name": "Rule using test set #1, overriding match direction",
			"src": "*",
			"dest": "*",
			"proto": "tcp",
			"ipset": "test-set-1 dst src"
		},
		{
			"name": "Rule using test set #2, specifiying match direction",
			"src": "*",
			"dest": "*",
			"proto": "tcp",
			"ipset": "test-set-2 dst dst"
		},
		{
			"name": "Rule using test set #1, overriding direction and inverting match",
			"src": "*",
			"dest":
"*", 90 "proto": "tcp", 91 "ipset": "!test-set-1 dst src" 92 }, 93 { 94 "name": "Rule using test set #3 with alternative direction notation, should inherit IPv6 family", 95 "src": "*", 96 "dest": "*", 97 "proto": "tcp", 98 "ipset": "test-set-3 src,dest,dest" 99 }, 100 ] 101 } 102 -- End -- 103 104 -- Expect stdout -- 105 table inet fw4 106 flush table inet fw4 107 108 table inet fw4 { 109 # 110 # Set definitions 111 # 112 113 set test-set-1 { 114 comment "Test set #1 with traffic direction in type declaration" 115 type ipv4_addr . inet_service 116 elements = { 117 1.2.3.4 . 80, 118 5.6.7.8 . 22, 119 } 120 } 121 122 set test-set-2 { 123 comment "Test set #2 with unspecified traffic direction" 124 type ipv4_addr . inet_service 125 elements = { 126 1.2.3.4 . 80, 127 5.6.7.8 . 22, 128 } 129 } 130 131 set test-set-3 { 132 comment "Test set #3 with IPv6 addresses" 133 type ipv6_addr . ipv6_addr . inet_service 134 auto-merge 135 flags interval 136 elements = { 137 db80:1234:4567::1/64 . db80:1234:abcd::1/64 . 80, 138 db80:8765:aaaa::1/64 . db80:8765:ffff::1/64 . 22, 139 db80:1:2:3:4::1/128 . ::/0 . 443, 140 } 141 } 142 143 144 # 145 # Defines 146 # 147 148 149 # 150 # User includes 151 # 152 153 include "/etc/nftables.d/*.nft" 154 155 156 # 157 # Filter rules 158 # 159 160 chain input { 161 type filter hook input priority filter; policy drop; 162 163 iif "lo" accept comment "!fw4: Accept traffic from loopback" 164 165 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 166 } 167 168 chain forward { 169 type filter hook forward priority filter; policy drop; 170 171 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 172 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1" 173 meta nfproto ipv4 meta l4proto tcp ip saddr . 
tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'" 174 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction" 175 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp dport @test-set-2 counter comment "!fw4: Rule using test set #2, specifiying match direction" 176 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport != @test-set-1 counter comment "!fw4: Rule using test set #1, overriding direction and inverting match" 177 meta nfproto ipv6 meta l4proto tcp ip6 saddr . ip6 daddr . tcp dport @test-set-3 counter comment "!fw4: Rule using test set #3 with alternative direction notation, should inherit IPv6 family" 178 } 179 180 chain output { 181 type filter hook output priority filter; policy drop; 182 183 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 184 185 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 186 } 187 188 chain prerouting { 189 type filter hook prerouting priority filter; policy accept; 190 } 191 192 chain handle_reject { 193 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 194 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 195 } 196 197 198 # 199 # NAT rules 200 # 201 202 chain dstnat { 203 type nat hook prerouting priority dstnat; policy accept; 204 } 205 206 chain srcnat { 207 type nat hook postrouting priority srcnat; policy accept; 208 } 209 210 211 # 212 # Raw rules (notrack) 213 # 214 215 chain raw_prerouting { 216 type filter hook prerouting priority raw; policy accept; 217 } 218 219 chain raw_output { 220 type filter hook output priority raw; policy accept; 221 } 222 223 224 # 225 # Mangle rules 226 # 227 228 chain mangle_prerouting { 229 type filter hook prerouting priority mangle; policy accept; 230 } 231 232 chain mangle_postrouting { 233 type filter hook postrouting 
priority mangle; policy accept; 234 } 235 236 chain mangle_input { 237 type filter hook input priority mangle; policy accept; 238 } 239 240 chain mangle_output { 241 type route hook output priority mangle; policy accept; 242 } 243 244 chain mangle_forward { 245 type filter hook forward priority mangle; policy accept; 246 } 247 } 248 -- End --