ruleset: drop ctstate invalid traffic for masq-enabled zones

[project/firewall4.git] / tests / 01_configuration / 01_ruleset

diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 06249f257910040eb704e7d611bad69dc55d7131..c4fd5b48bdff32fe0bae205bdd5962619a26d590 100644 (file)
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -213,6 +213,7 @@ table inet fw4 {
        }
 
        chain accept_to_wan {
+               meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
                oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }
 
@@ -303,10 +304,10 @@ table inet fw4 {
 [!] Section @defaults[0] specifies unknown option 'unknown_defaults_option'
 [!] Section @rule[9] (Test-Deprecated-Rule-Option) option '_name' is deprecated by fw4
 [!] Section @rule[9] (Test-Deprecated-Rule-Option) specifies unknown option 'unknown_rule_option'
-[call] fs.glob pattern </usr/share/nftables.d/ruleset-pre//*.nft>
-[call] fs.glob pattern </usr/share/nftables.d/ruleset-post//*.nft>
-[call] fs.glob pattern </usr/share/nftables.d/table-pre//*.nft>
-[call] fs.glob pattern </usr/share/nftables.d/table-post//*.nft>
+[call] fs.glob pattern </usr/share/nftables.d/ruleset-pre/*.nft>
+[call] fs.glob pattern </usr/share/nftables.d/ruleset-post/*.nft>
+[call] fs.glob pattern </usr/share/nftables.d/table-pre/*.nft>
+[call] fs.glob pattern </usr/share/nftables.d/table-post/*.nft>
 [call] fs.lsdir path </usr/share/nftables.d/chain-pre>
 [call] fs.lsdir path </usr/share/nftables.d/chain-post>
 [call] ctx.call object <network.device> method <status> args <null>