ruleset: dispatch ct states using verdict map
1 Testing that `config rule` rules are rendered before `config forwarding` ones
2 (so an explicit deny cannot be shadowed by the zone forwarding accept) and that
rules are rendered in the order they're declared.
3
4 -- Testcase --
{%
// Render the ruleset through main.uc with call tracing sent to stderr,
// so the test can assert on both the generated nftables text (stdout)
// and the sequence of traced ctx/fs calls (stderr).
include("./root/usr/share/firewall4/main.uc", {
	TRACE_CALLS: "stderr",

	// Environment stub: only ACTION is answered, forcing the "print"
	// action so the ruleset is emitted instead of applied; any other
	// variable name falls through without a value.
	getenv: function(varname) {
		if (varname == 'ACTION')
			return 'print';
	}
})
%}
17 -- End --
18
19 -- File uci/helpers.json --
20 {}
21 -- End --
22
23 -- File uci/firewall.json --
24 {
25 "zone": [
26 {
27 "name": "lan",
28 "network": "lan",
29 "auto_helper": 0
30 },
31 {
32 "name": "wan",
33 "network": "wan",
34 "auto_helper": 0
35 }
36 ],
37 "forwarding": [
38 {
39 "src": "lan",
40 "dest": "wan"
41 }
42 ],
43 "rule": [
44 {
45 "name": "Deny rule #1",
46 "proto": "any",
47 "src": "lan",
48 "dest": "wan",
49 "src_ip": [ "192.168.1.2" ],
50 "target": "drop"
51 },
52 {
53 "name": "Deny rule #2",
54 "proto": "icmp",
55 "src": "lan",
56 "dest": "wan",
57 "src_ip": [ "192.168.1.3" ],
58 "target": "drop"
59 }
60 ]
61 }
62 -- End --
63
64 -- Expect stdout --
65 table inet fw4
66 flush table inet fw4
67
68 table inet fw4 {
69 #
70 # Defines
71 #
72
73 define lan_devices = { "br-lan" }
74 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
75
76 define wan_devices = { "pppoe-wan" }
77 define wan_subnets = { 10.11.12.0/24 }
78
79
80 #
81 # User includes
82 #
83
84 include "/etc/nftables.d/*.nft"
85
86
87 #
88 # Filter rules
89 #
90
91 chain input {
92 type filter hook input priority filter; policy drop;
93
94 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
95
96 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
97 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
98 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
99 }
100
101 chain forward {
102 type filter hook forward priority filter; policy drop;
103
104 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
105 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
106 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
107 }
108
109 chain output {
110 type filter hook output priority filter; policy drop;
111
112 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
113
114 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
115 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
116 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
117 }
118
119 chain prerouting {
120 type filter hook prerouting priority filter; policy accept;
121 }
122
123 chain handle_reject {
124 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
125 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
126 }
127
128 chain input_lan {
129 jump drop_from_lan
130 }
131
132 chain output_lan {
133 jump drop_to_lan
134 }
135
136 chain forward_lan {
137 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
138 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
139 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
140 jump drop_to_lan
141 }
142
143 chain drop_from_lan {
144 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
145 }
146
147 chain drop_to_lan {
148 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
149 }
150
151 chain input_wan {
152 jump drop_from_wan
153 }
154
155 chain output_wan {
156 jump drop_to_wan
157 }
158
159 chain forward_wan {
160 jump drop_to_wan
161 }
162
163 chain accept_to_wan {
164 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
165 }
166
167 chain drop_from_wan {
168 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
169 }
170
171 chain drop_to_wan {
172 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
173 }
174
175
176 #
177 # NAT rules
178 #
179
180 chain dstnat {
181 type nat hook prerouting priority dstnat; policy accept;
182 }
183
184 chain srcnat {
185 type nat hook postrouting priority srcnat; policy accept;
186 }
187
188
189 #
190 # Raw rules (notrack)
191 #
192
193 chain raw_prerouting {
194 type filter hook prerouting priority raw; policy accept;
195 }
196
197 chain raw_output {
198 type filter hook output priority raw; policy accept;
199 }
200
201
202 #
203 # Mangle rules
204 #
205
206 chain mangle_prerouting {
207 type filter hook prerouting priority mangle; policy accept;
208 }
209
210 chain mangle_postrouting {
211 type filter hook postrouting priority mangle; policy accept;
212 }
213
214 chain mangle_input {
215 type filter hook input priority mangle; policy accept;
216 }
217
218 chain mangle_output {
219 type route hook output priority mangle; policy accept;
220 }
221
222 chain mangle_forward {
223 type filter hook forward priority mangle; policy accept;
224 }
225 }
226 -- End --
227
228 -- Expect stderr --
229 [call] ctx.call object <network.interface> method <dump> args <null>
230 [call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
231 [call] fs.open path </proc/version> mode <r>
232 [call] fs.glob pattern </usr/share/nftables.d/ruleset-pre/*.nft>
233 [call] fs.glob pattern </usr/share/nftables.d/ruleset-post/*.nft>
234 [call] fs.glob pattern </usr/share/nftables.d/table-pre/*.nft>
235 [call] fs.glob pattern </usr/share/nftables.d/table-post/*.nft>
236 [call] fs.lsdir path </usr/share/nftables.d/chain-pre>
237 [call] fs.lsdir path </usr/share/nftables.d/chain-post>
238 [call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>
239 -- End --