
Sources/firewall4/tests/06_includes/05_automatic_includes

  1 Testing that /usr/share/nftables.d/ includes are automatically processed.
  2 
  3 -- Testcase --
  4 {%
  5         include("./root/usr/share/firewall4/main.uc", {   // run fw4's main.uc with getenv() replaced by the mock below
  6                 getenv: function(varname) {                  // only ACTION is answered; any other name falls through and yields no value
  7                         switch (varname) {
  8                         case 'ACTION':
  9                                 return 'print';          // 'print' makes main.uc emit the ruleset on stdout (see "Expect stdout")
 10                         }
 11                 }
 12         })
 13 %}
 14 -- End --
 15 
 16 -- File uci/helpers.json --
 17 {}
 18 -- End --
 19 
 20 -- File fs/open~_sys_class_net_eth0_flags.txt --
 21 0x1103
 22 -- End --
 23 
 24 -- File fs/open~_etc_testinclude1_nft.txt --
 25 # dummy
 26 -- End --
 27 
 28 -- File fs/open~_etc_testinclude2_nft.txt --
 29 # dummy
 30 -- End --
 31 
 32 -- File fs/open~_etc_testinclude3_nft.txt --
 33 # dummy
 34 -- End --
 35 
 36 -- File uci/firewall.json --
 37 {
 38         "zone": [
 39                 {
 40                         "name": "test",
 41                         "device": [ "eth0" ],
 42                         "auto_helper": 0
 43                 }
 44         ],
 45         "include": [
 46                 {
 47                         ".description": "By default, this include should be processed because 'enabled' implicitly defaults to 1",
 48                         "path": "/etc/testinclude1.nft",
 49                         "type": "nftables"
 50                 },
 51 
 52                 {
 53                         ".description": "This include should be processed because 'enabled' is explicitly set to 1",
 54                         "path": "/etc/testinclude2.nft",
 55                         "type": "nftables",
 56                         "enabled": "1"
 57                 },
 58 
 59                 {
 60                         ".description": "This include should be skipped because 'enabled' is explicitly set to 0",
 61                         "path": "/etc/testinclude3.nft",
 62                         "type": "nftables",
 63                         "enabled": "0"
 64                 }
 65         ]
 66 }
 67 -- End --
 68 
 69 -- Expect stderr --
 70 [!] Section @include[2] is disabled, ignoring section
 71 -- End --
 72 
 73 -- Expect stdout --
 74 table inet fw4
 75 flush table inet fw4
 76 
 77 table inet fw4 {
 78         #
 79         # Defines
 80         #
 81 
 82         define test_devices = { "eth0" }
 83         define test_subnets = {  }
 84 
 85 
 86         #
 87         # User includes
 88         #
 89 
 90         include "/etc/nftables.d/*.nft"
 91 
 92 
 93         #
 94         # Filter rules
 95         #
 96 
 97         chain input {
 98                 type filter hook input priority filter; policy drop;
 99 
100                 iif "lo" accept comment "!fw4: Accept traffic from loopback"
101 
102                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
103                 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
104         }
105 
106         chain forward {
107                 type filter hook forward priority filter; policy drop;
108 
109                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
110                 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
111         }
112 
113         chain output {
114                 type filter hook output priority filter; policy drop;
115 
116                 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
117 
118                 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
119                 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
120         }
121 
122         chain prerouting {
123                 type filter hook prerouting priority filter; policy accept;
124         }
125 
126         chain handle_reject {
127                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
128                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
129         }
130 
131         chain input_test {
132                 jump drop_from_test
133         }
134 
135         chain output_test {
136                 jump drop_to_test
137         }
138 
139         chain forward_test {
140                 jump drop_to_test
141         }
142 
143         chain drop_from_test {
144                 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
145         }
146 
147         chain drop_to_test {
148                 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
149         }
150 
151 
152         #
153         # NAT rules
154         #
155 
156         chain dstnat {
157                 type nat hook prerouting priority dstnat; policy accept;
158         }
159 
160         chain srcnat {
161                 type nat hook postrouting priority srcnat; policy accept;
162         }
163 
164 
165         #
166         # Raw rules (notrack)
167         #
168 
169         chain raw_prerouting {
170                 type filter hook prerouting priority raw; policy accept;
171         }
172 
173         chain raw_output {
174                 type filter hook output priority raw; policy accept;
175         }
176 
177 
178         #
179         # Mangle rules
180         #
181 
182         chain mangle_prerouting {
183                 type filter hook prerouting priority mangle; policy accept;
184         }
185 
186         chain mangle_postrouting {
187                 type filter hook postrouting priority mangle; policy accept;
188         }
189 
190         chain mangle_input {
191                 type filter hook input priority mangle; policy accept;
192         }
193 
194         chain mangle_output {
195                 type route hook output priority mangle; policy accept;
196         }
197 
198         chain mangle_forward {
199                 type filter hook forward priority mangle; policy accept;
200         }
201 
202         include "/etc/testinclude1.nft"
203         include "/etc/testinclude2.nft"
204 }
205 -- End --
