1 Testing zone helper assignments
2
3 -- Testcase --
4 {%
// Test harness entry point: render the real firewall4 main.uc template with a
// stubbed environment so the generated nftables ruleset is emitted on stdout
// (compared against the "Expect stdout" section below).
5 include("./root/usr/share/firewall4/main.uc", {
// Stub for getenv(): the only variable the template can observe is
// ACTION='print'; any other name falls through the switch and yields no value.
6 getenv: function(varname) {
7 switch (varname) {
8 case 'ACTION':
9 return 'print';
10 }
11 }
12 })
13 %}
14 -- End --
15
16 -- File fs/open~_sys_class_net_zone1_flags.txt --
17 0x1103
18 -- End --
19
20 -- File fs/open~_sys_class_net_zone2_flags.txt --
21 0x1103
22 -- End --
23
24 -- File fs/open~_sys_class_net_zone3_flags.txt --
25 0x1103
26 -- End --
27
28 -- File fs/open~_sys_class_net_zone4_flags.txt --
29 0x1103
30 -- End --
31
32 -- File fs/open~_sys_class_net_zone5_flags.txt --
33 0x1103
34 -- End --
35
36 -- File uci/firewall.json --
37 {
38 "zone": [
39 {
40 ".description": "Setting masq to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
41 "name": "test1",
42 "device": "zone1",
43 "masq": "1",
44 "helper": [ "tftp" ]
45 },
46 {
47 ".description": "Setting masq6 to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
48 "name": "test2",
49 "device": "zone2",
50 "masq6": "1",
51 "helper": [ "tftp" ]
52 },
53 {
54 ".description": "Disabling both masq and masq6 for a zone with a helper should emit a helper chain for the zone with the configured helper",
55 "name": "test3",
56 "device": "zone3",
57 "masq": "0",
58 "masq6": "0",
59 "helper": [ "tftp" ]
60 },
61 {
62 ".description": "Disabling both masq and masq6 for a zone without a configured helper should fall back to the default helper assignment",
63 "name": "test4",
64 "device": "zone4",
65 "masq": "0",
66 "masq6": "0",
67 },
68 {
69 ".description": "Specifying an invalid helper should write a warning to stderr and cause the zone to be skipped",
70 "name": "test5",
71 "device": "zone5",
72 "masq": "0",
73 "masq6": "0",
74 "helper": [ "foo" ]
75 }
76 ]
77 }
78 -- End --
79
80 -- Expect stdout --
81 table inet fw4
82 flush table inet fw4
83
84 table inet fw4 {
85 #
86 # CT helper definitions
87 #
88
89 ct helper amanda {
90 type "amanda" protocol udp;
91 }
92
93 ct helper ftp {
94 type "ftp" protocol tcp;
95 }
96
97 ct helper RAS {
98 type "RAS" protocol udp;
99 }
100
101 ct helper Q.931 {
102 type "Q.931" protocol tcp;
103 }
104
105 ct helper irc {
106 type "irc" protocol tcp;
107 }
108
109 ct helper netbios-ns {
110 type "netbios-ns" protocol udp;
111 }
112
113 ct helper pptp {
114 type "pptp" protocol tcp;
115 }
116
117 ct helper sane {
118 type "sane" protocol tcp;
119 }
120
121 ct helper sip {
122 type "sip" protocol udp;
123 }
124
125 ct helper snmp {
126 type "snmp" protocol udp;
127 }
128
129 ct helper tftp {
130 type "tftp" protocol udp;
131 }
132
133 ct helper rtsp {
134 type "rtsp" protocol tcp;
135 }
136
137
138 #
139 # Set definitions
140 #
141
142
143 #
144 # Defines
145 #
146
147 define test1_devices = { "zone1" }
148 define test2_devices = { "zone2" }
149 define test3_devices = { "zone3" }
150 define test4_devices = { "zone4" }
151
152 #
153 # User includes
154 #
155
156 include "/etc/nftables.d/*.nft"
157
158
159 #
160 # Filter rules
161 #
162
163 chain input {
164 type filter hook input priority filter; policy drop;
165
166 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
167
168 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
169 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
170 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
171 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
172 iifname "zone4" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
173 }
174
175 chain forward {
176 type filter hook forward priority filter; policy drop;
177
178 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
179 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
180 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
181 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
182 iifname "zone4" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
183 }
184
185 chain output {
186 type filter hook output priority filter; policy drop;
187
188 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
189
190 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
191 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
192 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
193 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
194 oifname "zone4" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
195 }
196
197 chain prerouting {
198 type filter hook prerouting priority filter; policy accept;
199 iifname "zone1" jump helper_test1 comment "!fw4: Handle test1 IPv4/IPv6 helper assignment"
200 iifname "zone2" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment"
201 iifname "zone3" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment"
202 iifname "zone4" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
203 }
204
205 chain handle_reject {
206 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
207 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
208 }
209
210 chain input_test1 {
211 jump drop_from_test1
212 }
213
214 chain output_test1 {
215 jump drop_to_test1
216 }
217
218 chain forward_test1 {
219 jump drop_to_test1
220 }
221
222 chain helper_test1 {
223 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
224 }
225
226 chain drop_from_test1 {
227 iifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
228 }
229
230 chain drop_to_test1 {
231 oifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
232 }
233
234 chain input_test2 {
235 jump drop_from_test2
236 }
237
238 chain output_test2 {
239 jump drop_to_test2
240 }
241
242 chain forward_test2 {
243 jump drop_to_test2
244 }
245
246 chain helper_test2 {
247 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
248 }
249
250 chain drop_from_test2 {
251 iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
252 }
253
254 chain drop_to_test2 {
255 oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
256 }
257
258 chain input_test3 {
259 jump drop_from_test3
260 }
261
262 chain output_test3 {
263 jump drop_to_test3
264 }
265
266 chain forward_test3 {
267 jump drop_to_test3
268 }
269
270 chain helper_test3 {
271 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
272 }
273
274 chain drop_from_test3 {
275 iifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
276 }
277
278 chain drop_to_test3 {
279 oifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
280 }
281
282 chain input_test4 {
283 jump drop_from_test4
284 }
285
286 chain output_test4 {
287 jump drop_to_test4
288 }
289
290 chain forward_test4 {
291 jump drop_to_test4
292 }
293
294 chain helper_test4 {
295 meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
296 meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
297 meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
298 meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
299 meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
300 meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
301 meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
302 meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
303 meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
304 meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
305 meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
306 meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
307 }
308
309 chain drop_from_test4 {
310 iifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
311 }
312
313 chain drop_to_test4 {
314 oifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
315 }
316
317
318 #
319 # NAT rules
320 #
321
322 chain dstnat {
323 type nat hook prerouting priority dstnat; policy accept;
324 }
325
326 chain srcnat {
327 type nat hook postrouting priority srcnat; policy accept;
328 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
329 oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic"
330 }
331
332 chain srcnat_test1 {
333 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
334 }
335
336 chain srcnat_test2 {
337 meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test2 traffic"
338 }
339
340
341 #
342 # Raw rules (notrack)
343 #
344
345 chain raw_prerouting {
346 type filter hook prerouting priority raw; policy accept;
347 }
348
349 chain raw_output {
350 type filter hook output priority raw; policy accept;
351 }
352
353
354 #
355 # Mangle rules
356 #
357
358 chain mangle_prerouting {
359 type filter hook prerouting priority mangle; policy accept;
360 }
361
362 chain mangle_postrouting {
363 type filter hook postrouting priority mangle; policy accept;
364 }
365
366 chain mangle_input {
367 type filter hook input priority mangle; policy accept;
368 }
369
370 chain mangle_output {
371 type route hook output priority mangle; policy accept;
372 }
373
374 chain mangle_forward {
375 type filter hook forward priority mangle; policy accept;
376 }
377 }
378 -- End --
379
380 -- Expect stderr --
381 [!] Section @zone[4] (test5) option 'helper' specifies invalid value 'foo'
382 [!] Section @zone[4] (test5) skipped due to invalid options
383 -- End --