1 Tests that rule declarations are placed in the input, output or forward chain depending on whether the src and dest options are present: neither or only dest => output, only src => input, both => forward.
2 None of the rules specifies a target, so each is emitted as a bare counter in its chain; the chain's default drop policy still applies to the matched traffic.
3
4 -- Testcase --
5 {%
6 // Run fw4's main.uc with a stubbed getenv(): ACTION=print makes it emit the
7 // generated ruleset on stdout (compared against the Expect stdout section
8 // below). Any other variable is reported as unset (null).
9 include("./root/usr/share/firewall4/main.uc", {
10 getenv: function(name) {
11 return (name == 'ACTION') ? 'print' : null;
12 }
13 })
14 %}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File uci/firewall.json --
22 {
23 "rule": [
24 {
25 ".description": "Neither source, nor dest => should result in an output rule",
26 "proto": "any"
27 },
28 {
29 ".description": "Source any, no dest => should result in an input rule",
30 "proto": "any",
31 "src": "*"
32 },
33 {
34 ".description": "Dest any, no source => should result in an output rule",
35 "proto": "any",
36 "dest": "*"
37 },
38 {
39 ".description": "Source any, dest any => should result in a forward rule",
40 "proto": "any",
41 "src": "*",
42 "dest": "*"
43 }
44 ]
45 }
46 -- End --
47
48 -- Expect stdout --
49 table inet fw4
50 flush table inet fw4
51
52 table inet fw4 {
53 #
54 # Defines
55 #
56
57
58 #
59 # User includes
60 #
61
62 include "/etc/nftables.d/*.nft"
63
64
65 #
66 # Filter rules
67 #
68
69 chain input {
70 type filter hook input priority filter; policy drop;
71
72 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
73
74 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
75 counter comment "!fw4: @rule[1]"
76 }
77
78 chain forward {
79 type filter hook forward priority filter; policy drop;
80
81 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
82 counter comment "!fw4: @rule[3]"
83 }
84
85 chain output {
86 type filter hook output priority filter; policy drop;
87
88 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
89
90 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
91 counter comment "!fw4: @rule[0]"
92 counter comment "!fw4: @rule[2]"
93 }
94
95 chain prerouting {
96 type filter hook prerouting priority filter; policy accept;
97 }
98
99 chain handle_reject {
100 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
101 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
102 }
103
104
105 #
106 # NAT rules
107 #
108
109 chain dstnat {
110 type nat hook prerouting priority dstnat; policy accept;
111 }
112
113 chain srcnat {
114 type nat hook postrouting priority srcnat; policy accept;
115 }
116
117
118 #
119 # Raw rules (notrack)
120 #
121
122 chain raw_prerouting {
123 type filter hook prerouting priority raw; policy accept;
124 }
125
126 chain raw_output {
127 type filter hook output priority raw; policy accept;
128 }
129
130
131 #
132 # Mangle rules
133 #
134
135 chain mangle_prerouting {
136 type filter hook prerouting priority mangle; policy accept;
137 }
138
139 chain mangle_postrouting {
140 type filter hook postrouting priority mangle; policy accept;
141 }
142
143 chain mangle_input {
144 type filter hook input priority mangle; policy accept;
145 }
146
147 chain mangle_output {
148 type route hook output priority mangle; policy accept;
149 }
150
151 chain mangle_forward {
152 type filter hook forward priority mangle; policy accept;
153 }
154 }
155 -- End --