ruleset: dispatch ct states using verdict map
1 Testing that the dropping of traffic in an invalid conntrack state can be inhibited.
2
3 -- Testcase --
4 {%
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
7 switch (varname) {
8 case 'ACTION':
9 return 'print';
10 }
11 }
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File fs/open~_sys_class_net_zone1_flags.txt --
21 0x1103
22 -- End --
23
24 -- File fs/open~_sys_class_net_zone2_flags.txt --
25 0x1103
26 -- End --
27
28 -- File uci/firewall.json --
29 {
30 "zone": [
31 {
32 ".description": "No ct state invalid drop rule should be generated",
33 "name": "test1",
34 "input": "ACCEPT",
35 "output": "ACCEPT",
36 "forward": "ACCEPT",
37 "device": "zone1",
38 "masq": "1",
39 "masq_allow_invalid": 1
40 }
41 ]
42 }
43 -- End --
44
45 -- Expect stdout --
46 table inet fw4
47 flush table inet fw4
48
49 table inet fw4 {
50 #
51 # Defines
52 #
53
54 define test1_devices = { "zone1" }
55 define test1_subnets = { }
56
57
58 #
59 # User includes
60 #
61
62 include "/etc/nftables.d/*.nft"
63
64
65 #
66 # Filter rules
67 #
68
69 chain input {
70 type filter hook input priority filter; policy drop;
71
72 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
73
74 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
75 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
76 }
77
78 chain forward {
79 type filter hook forward priority filter; policy drop;
80
81 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
82 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
83 }
84
85 chain output {
86 type filter hook output priority filter; policy drop;
87
88 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
89
90 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
91 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
92 }
93
94 chain prerouting {
95 type filter hook prerouting priority filter; policy accept;
96 }
97
98 chain handle_reject {
99 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
100 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
101 }
102
103 chain input_test1 {
104 jump accept_from_test1
105 }
106
107 chain output_test1 {
108 jump accept_to_test1
109 }
110
111 chain forward_test1 {
112 jump accept_to_test1
113 }
114
115 chain accept_from_test1 {
116 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
117 }
118
119 chain accept_to_test1 {
120 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
121 }
122
123
124 #
125 # NAT rules
126 #
127
128 chain dstnat {
129 type nat hook prerouting priority dstnat; policy accept;
130 }
131
132 chain srcnat {
133 type nat hook postrouting priority srcnat; policy accept;
134 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
135 }
136
137 chain srcnat_test1 {
138 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
139 }
140
141
142 #
143 # Raw rules (notrack)
144 #
145
146 chain raw_prerouting {
147 type filter hook prerouting priority raw; policy accept;
148 }
149
150 chain raw_output {
151 type filter hook output priority raw; policy accept;
152 }
153
154
155 #
156 # Mangle rules
157 #
158
159 chain mangle_prerouting {
160 type filter hook prerouting priority mangle; policy accept;
161 }
162
163 chain mangle_postrouting {
164 type filter hook postrouting priority mangle; policy accept;
165 }
166
167 chain mangle_input {
168 type filter hook input priority mangle; policy accept;
169 }
170
171 chain mangle_output {
172 type route hook output priority mangle; policy accept;
173 }
174
175 chain mangle_forward {
176 type filter hook forward priority mangle; policy accept;
177 }
178 }
179 -- End --