1 Testing the correct placement of potential include positions. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_eth0_flags.txt -- 21 0x1103 22 -- End -- 23 24 -- File fs/open~_usr_share_nftables_d_include-ruleset-start_nft.txt -- 25 # dummy 26 -- End -- 27 28 -- File fs/open~_usr_share_nftables_d_include-table-start_nft.txt -- 29 # dummy 30 -- End -- 31 32 -- File fs/open~_usr_share_nftables_d_include-chain-start-forward_nft.txt -- 33 # dummy 34 -- End -- 35 36 -- File fs/open~_usr_share_nftables_d_include-chain-end-forward_nft.txt -- 37 # dummy 38 -- End -- 39 40 -- File fs/open~_usr_share_nftables_d_include-table-end-1_nft.txt -- 41 # dummy 42 -- End -- 43 44 -- File fs/open~_usr_share_nftables_d_include-table-end-2_nft.txt -- 45 # dummy 46 -- End -- 47 48 -- File fs/open~_usr_share_nftables_d_include-ruleset-end_nft.txt -- 49 # dummy 50 -- End -- 51 52 -- File uci/firewall.json -- 53 { 54 "zone": [ 55 { 56 "name": "test", 57 "device": [ "eth0" ], 58 "auto_helper": 0 59 } 60 ], 61 "include": [ 62 { 63 ".description": "Position 'table-pre' (or 'table-prepend') will place an include before the first chain", 64 "path": "/usr/share/nftables.d/include-table-start.nft", 65 "type": "nftables", 66 "position": "table-pre" 67 }, 68 69 { 70 ".description": "Position defaults to 'table-append', means after the last chain in the table scope", 71 "path": "/usr/share/nftables.d/include-table-end-1.nft", 72 "type": "nftables" 73 }, 74 75 { 76 ".description": "Position 'table-post' (or 'table-postpend') may be used as alias for 'table-append'", 77 "path": "/usr/share/nftables.d/include-table-end-2.nft", 78 "type": "nftables", 79 "position": "table-post" 80 }, 81 82 { 83 ".description": "Position 'ruleset-pre' (or 'ruleset-prepend') will place an 
include before the table declaration", 84 "path": "/usr/share/nftables.d/include-ruleset-start.nft", 85 "type": "nftables", 86 "position": "ruleset-pre" 87 }, 88 89 { 90 ".description": "Position 'ruleset-post' (or 'ruleset-append') will place an include after the table declaration", 91 "path": "/usr/share/nftables.d/include-ruleset-end.nft", 92 "type": "nftables", 93 "position": "ruleset-post" 94 }, 95 96 { 97 ".description": "Position 'chain-pre' (or 'chain-prepend') will place an include at the top of a specified chain", 98 "path": "/usr/share/nftables.d/include-chain-start-forward.nft", 99 "type": "nftables", 100 "position": "chain-pre", 101 "chain": "forward" 102 }, 103 104 { 105 ".description": "Position 'chain-post' (or 'chain-append') will place an include at the bottom of a specified chain", 106 "path": "/usr/share/nftables.d/include-chain-end-forward.nft", 107 "type": "nftables", 108 "position": "chain-post", 109 "chain": "forward" 110 }, 111 112 { 113 ".description": "Position 'chain-pre' or 'chain-post' without the 'chain' option will yield an error", 114 "path": "/usr/share/nftables.d/include-chain-end-forward.nft", 115 "type": "nftables", 116 "position": "chain-post" 117 }, 118 ] 119 } 120 -- End -- 121 122 -- Expect stderr -- 123 [!] 
Section @include[7] must specify 'chain' for position chain-append, ignoring section 124 -- End -- 125 126 -- Expect stdout -- 127 table inet fw4 128 flush table inet fw4 129 130 include "/usr/share/nftables.d/include-ruleset-start.nft" 131 132 table inet fw4 { 133 # 134 # Defines 135 # 136 137 define test_devices = { "eth0" } 138 define test_subnets = { } 139 140 141 # 142 # User includes 143 # 144 145 include "/etc/nftables.d/*.nft" 146 147 include "/usr/share/nftables.d/include-table-start.nft" 148 149 150 # 151 # Filter rules 152 # 153 154 chain input { 155 type filter hook input priority filter; policy drop; 156 157 iif "lo" accept comment "!fw4: Accept traffic from loopback" 158 159 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 160 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" 161 } 162 163 chain forward { 164 type filter hook forward priority filter; policy drop; 165 166 include "/usr/share/nftables.d/include-chain-start-forward.nft" 167 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 168 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" 169 include "/usr/share/nftables.d/include-chain-end-forward.nft" 170 } 171 172 chain output { 173 type filter hook output priority filter; policy drop; 174 175 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 176 177 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 178 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" 179 } 180 181 chain prerouting { 182 type filter hook prerouting priority filter; policy accept; 183 } 184 185 chain handle_reject { 186 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 187 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 188 } 189 190 chain input_test { 191 jump 
drop_from_test 192 } 193 194 chain output_test { 195 jump drop_to_test 196 } 197 198 chain forward_test { 199 jump drop_to_test 200 } 201 202 chain drop_from_test { 203 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" 204 } 205 206 chain drop_to_test { 207 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" 208 } 209 210 211 # 212 # NAT rules 213 # 214 215 chain dstnat { 216 type nat hook prerouting priority dstnat; policy accept; 217 } 218 219 chain srcnat { 220 type nat hook postrouting priority srcnat; policy accept; 221 } 222 223 224 # 225 # Raw rules (notrack) 226 # 227 228 chain raw_prerouting { 229 type filter hook prerouting priority raw; policy accept; 230 } 231 232 chain raw_output { 233 type filter hook output priority raw; policy accept; 234 } 235 236 237 # 238 # Mangle rules 239 # 240 241 chain mangle_prerouting { 242 type filter hook prerouting priority mangle; policy accept; 243 } 244 245 chain mangle_postrouting { 246 type filter hook postrouting priority mangle; policy accept; 247 } 248 249 chain mangle_input { 250 type filter hook input priority mangle; policy accept; 251 } 252 253 chain mangle_output { 254 type route hook output priority mangle; policy accept; 255 } 256 257 chain mangle_forward { 258 type filter hook forward priority mangle; policy accept; 259 } 260 261 include "/usr/share/nftables.d/include-table-end-1.nft" 262 include "/usr/share/nftables.d/include-table-end-2.nft" 263 } 264 265 include "/usr/share/nftables.d/include-ruleset-end.nft" 266 -- End --