1 Testing that /usr/share/nftables.d/ includes are automatically processed. 2 3 -- Testcase -- 4 {% 5 include("./root/usr/share/firewall4/main.uc", { 6 getenv: function(varname) { 7 switch (varname) { 8 case 'ACTION': 9 return 'print'; 10 } 11 } 12 }) 13 %} 14 -- End -- 15 16 -- File uci/helpers.json -- 17 {} 18 -- End -- 19 20 -- File fs/open~_sys_class_net_eth0_flags.txt -- 21 0x1103 22 -- End -- 23 24 -- File fs/open~_etc_testinclude1_nft.txt -- 25 # dummy 26 -- End -- 27 28 -- File fs/open~_etc_testinclude2_nft.txt -- 29 # dummy 30 -- End -- 31 32 -- File fs/open~_etc_testinclude3_nft.txt -- 33 # dummy 34 -- End -- 35 36 -- File uci/firewall.json -- 37 { 38 "zone": [ 39 { 40 "name": "test", 41 "device": [ "eth0" ], 42 "auto_helper": 0 43 } 44 ], 45 "include": [ 46 { 47 ".description": "By default, this include should be processed due to implicit enabled 1", 48 "path": "/etc/testinclude1.nft", 49 "type": "nftables" 50 }, 51 52 { 53 ".description": "This include should be processed due to explicit enabled 1", 54 "path": "/etc/testinclude2.nft", 55 "type": "nftables", 56 "enabled": "1" 57 }, 58 59 { 60 ".description": "This include should be skipped due to explicit enabled 0", 61 "path": "/etc/testinclude3.nft", 62 "type": "nftables", 63 "enabled": "0" 64 } 65 ] 66 } 67 -- End -- 68 69 -- Expect stderr -- 70 [!] Section @include[2] is disabled, ignoring section 71 -- End -- 72 73 -- Expect stdout -- 74 table inet fw4 75 flush table inet fw4 76 77 table inet fw4 { 78 # 79 # Defines 80 # 81 82 define test_devices = { "eth0" } 83 define test_subnets = { } 84 85 86 # 87 # User includes 88 # 89 90 include "/etc/nftables.d/*.nft" 91 92 93 # 94 # Filter rules 95 # 96 97 chain input { 98 type filter hook input priority filter; policy drop; 99 100 iif "lo" accept comment "!fw4: Accept traffic from loopback" 101 102 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" 103 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" 104 } 105 106 chain forward { 107 type filter hook forward priority filter; policy drop; 108 109 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" 110 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" 111 } 112 113 chain output { 114 type filter hook output priority filter; policy drop; 115 116 oif "lo" accept comment "!fw4: Accept traffic towards loopback" 117 118 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" 119 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" 120 } 121 122 chain prerouting { 123 type filter hook prerouting priority filter; policy accept; 124 } 125 126 chain handle_reject { 127 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" 128 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" 129 } 130 131 chain input_test { 132 jump drop_from_test 133 } 134 135 chain output_test { 136 jump drop_to_test 137 } 138 139 chain forward_test { 140 jump drop_to_test 141 } 142 143 chain drop_from_test { 144 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" 145 } 146 147 chain drop_to_test { 148 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" 149 } 150 151 152 # 153 # NAT rules 154 # 155 156 chain dstnat { 157 type nat hook prerouting priority dstnat; policy accept; 158 } 159 160 chain srcnat { 161 type nat hook postrouting priority srcnat; policy accept; 162 } 163 164 165 # 166 # Raw rules (notrack) 167 # 168 169 chain raw_prerouting { 170 type filter hook prerouting priority raw; policy accept; 171 } 172 173 chain raw_output { 174 type filter hook output priority raw; policy accept; 175 } 176 177 178 # 179 # Mangle rules 180 # 181 182 chain mangle_prerouting { 183 type filter hook prerouting priority mangle; policy accept; 184 } 185 186 chain mangle_postrouting { 187 type filter hook postrouting priority mangle; policy accept; 188 } 189 190 chain mangle_input { 191 type filter hook input priority mangle; policy accept; 192 } 193 194 chain mangle_output { 195 type route hook output priority mangle; policy accept; 196 } 197 198 chain mangle_forward { 199 type filter hook forward priority mangle; policy accept; 200 } 201 202 include "/etc/testinclude1.nft" 203 include "/etc/testinclude2.nft" 204 } 205 -- End --
This page was automatically generated by LXR 0.3.1. • OpenWrt