fw4: parse traffic rules before forwarding rules
1 Testing that `config rule` rules are rendered before `config forwarding` ones
2 and that rules are rendered in the order they're declared, so that a declared `drop` rule is not shadowed by the zone forwarding accept that follows it (see the `forward_lan` chain in the expected output).
3
4 -- Testcase --
{%
// Drive the fw4 generator in "print" mode and capture its calls on stderr.
include("./root/usr/share/firewall4/main.uc", {
	TRACE_CALLS: "stderr",

	// Environment stub: only ACTION has a value; any other variable
	// resolves to null, exactly as an unmatched switch would.
	getenv: function(varname) {
		return (varname === 'ACTION') ? 'print' : null;
	}
})
%}
17 -- End --
18
19 -- File uci/helpers.json --
20 {}
21 -- End --
22
23 -- File uci/firewall.json --
24 {
25 "zone": [
26 {
27 "name": "lan",
28 "network": "lan",
29 "auto_helper": 0
30 },
31 {
32 "name": "wan",
33 "network": "wan",
34 "auto_helper": 0
35 }
36 ],
37 "forwarding": [
38 {
39 "src": "lan",
40 "dest": "wan"
41 }
42 ],
43 "rule": [
44 {
45 "name": "Deny rule #1",
46 "proto": "any",
47 "src": "lan",
48 "dest": "wan",
49 "src_ip": [ "192.168.1.2" ],
50 "target": "drop"
51 },
52 {
53 "name": "Deny rule #2",
54 "proto": "icmp",
55 "src": "lan",
56 "dest": "wan",
57 "src_ip": [ "192.168.1.3" ],
58 "target": "drop"
59 }
60 ]
61 }
62 -- End --
63
64 -- Expect stdout --
65 table inet fw4
66 flush table inet fw4
67
68 table inet fw4 {
69 #
70 # Set definitions
71 #
72
73
74 #
75 # Defines
76 #
77
78 define lan_devices = { "br-lan" }
79 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
80 define wan_devices = { "eth1" }
81 define wan_subnets = { 10.11.12.0/24 }
82
83 #
84 # User includes
85 #
86
87 include "/etc/nftables.d/*.nft"
88
89
90 #
91 # Filter rules
92 #
93
94 chain input {
95 type filter hook input priority filter; policy drop;
96
97 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
98
99 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
100 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
101 iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
102 }
103
104 chain forward {
105 type filter hook forward priority filter; policy drop;
106
107 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
108 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
109 iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
110 }
111
112 chain output {
113 type filter hook output priority filter; policy drop;
114
115 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
116
117 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
118 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
119 oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
120 }
121
122 chain handle_reject {
123 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
124 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
125 }
126
127 chain input_lan {
128 jump drop_from_lan
129 }
130
131 chain output_lan {
132 jump drop_to_lan
133 }
134
135 chain forward_lan {
136 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
137 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
138 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
139 jump drop_to_lan
140 }
141
142 chain drop_from_lan {
143 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
144 }
145
146 chain drop_to_lan {
147 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
148 }
149
150 chain input_wan {
151 jump drop_from_wan
152 }
153
154 chain output_wan {
155 jump drop_to_wan
156 }
157
158 chain forward_wan {
159 jump drop_to_wan
160 }
161
162 chain accept_to_wan {
163 oifname "eth1" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
164 }
165
166 chain drop_from_wan {
167 iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
168 }
169
170 chain drop_to_wan {
171 oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
172 }
173
174
175 #
176 # NAT rules
177 #
178
179 chain dstnat {
180 type nat hook prerouting priority dstnat; policy accept;
181 }
182
183 chain srcnat {
184 type nat hook postrouting priority srcnat; policy accept;
185 }
186
187
188 #
189 # Raw rules (notrack & helper)
190 #
191
192 chain raw_prerouting {
193 type filter hook prerouting priority raw; policy accept;
194 }
195
196 chain raw_output {
197 type filter hook output priority raw; policy accept;
198 }
199
200
201 #
202 # Mangle rules
203 #
204
205 chain mangle_prerouting {
206 type filter hook prerouting priority mangle; policy accept;
207 }
208
209 chain mangle_postrouting {
210 type filter hook postrouting priority mangle; policy accept;
211 }
212
213 chain mangle_input {
214 type filter hook input priority mangle; policy accept;
215 }
216
217 chain mangle_output {
218 type filter hook output priority mangle; policy accept;
219 }
220
221 chain mangle_forward {
222 type filter hook forward priority mangle; policy accept;
223 }
224 }
225 -- End --
226
227 -- Expect stderr --
228 [call] ctx.call object <network.interface> method <dump> args <null>
229 [call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
230 [call] fs.open path </proc/version> mode <r>
231 [call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>
232 -- End --