1 Testing that /etc/firewall.user is treated specially: an include of that path
2 requires an extra option (fw4_compatible) before it is considered compatible.
3
4 -- Testcase --
{%
	// Run the real main.uc against the fixtures of this testcase, with the
	// process environment stubbed: only ACTION is defined and resolves to
	// 'print'; every other variable reads as unset (null). Judging by the
	// "Expect stdout" block, 'print' makes main.uc emit the generated nft
	// ruleset instead of loading it — confirm against main.uc.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			if (varname === 'ACTION')
				return 'print';

			return null;
		}
	})
%}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
22 0x1103
23 -- End --
24
25 -- File fs/open~_etc_firewall_user.txt --
26 # dummy
27 -- End --
28
29 -- File fs/open~_usr_share_miniupnpd_firewall_include.txt --
30 # dummy
31 -- End --
32
33 -- File uci/firewall.json --
34 {
35 "zone": [
36 {
37 "name": "test",
38 "device": [ "eth0" ],
39 "auto_helper": 0
40 }
41 ],
42 "include": [
43 {
44 ".description": "By default, this /etc/firewall.user include should be skipped with a warning",
45 "path": "/etc/firewall.user"
46 },
47
48 {
49 ".description": "This /etc/firewall.user include should be added due to the compatible flag",
50 "path": "/etc/firewall.user",
51 "fw4_compatible": 1
52 },
53
54 {
55 ".description": "An include of another path should not require a compatible flag",
56 "path": "/usr/share/miniupnpd/firewall.include"
57 }
58 ]
59 }
60 -- End --
61
62 -- Expect stderr --
63 [!] Section @include[0] is not marked as compatible with fw4, ignoring section
64 [!] Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
65 -- End --
66
67 -- Expect stdout --
68 table inet fw4
69 flush table inet fw4
70
71 table inet fw4 {
72 #
73 # Defines
74 #
75
76 define test_devices = { "eth0" }
77 define test_subnets = { }
78
79
80 #
81 # User includes
82 #
83
84 include "/etc/nftables.d/*.nft"
85
86
87 #
88 # Filter rules
89 #
90
91 chain input {
92 type filter hook input priority filter; policy drop;
93
94 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
95
96 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
97 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
98 }
99
100 chain forward {
101 type filter hook forward priority filter; policy drop;
102
103 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
104 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
105 }
106
107 chain output {
108 type filter hook output priority filter; policy drop;
109
110 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
111
112 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
113 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
114 }
115
116 chain prerouting {
117 type filter hook prerouting priority filter; policy accept;
118 }
119
120 chain handle_reject {
121 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
122 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
123 }
124
125 chain input_test {
126 jump drop_from_test
127 }
128
129 chain output_test {
130 jump drop_to_test
131 }
132
133 chain forward_test {
134 jump drop_to_test
135 }
136
137 chain drop_from_test {
138 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
139 }
140
141 chain drop_to_test {
142 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
143 }
144
145
146 #
147 # NAT rules
148 #
149
150 chain dstnat {
151 type nat hook prerouting priority dstnat; policy accept;
152 }
153
154 chain srcnat {
155 type nat hook postrouting priority srcnat; policy accept;
156 }
157
158
159 #
160 # Raw rules (notrack)
161 #
162
163 chain raw_prerouting {
164 type filter hook prerouting priority raw; policy accept;
165 }
166
167 chain raw_output {
168 type filter hook output priority raw; policy accept;
169 }
170
171
172 #
173 # Mangle rules
174 #
175
176 chain mangle_prerouting {
177 type filter hook prerouting priority mangle; policy accept;
178 }
179
180 chain mangle_postrouting {
181 type filter hook postrouting priority mangle; policy accept;
182 }
183
184 chain mangle_input {
185 type filter hook input priority mangle; policy accept;
186 }
187
188 chain mangle_output {
189 type route hook output priority mangle; policy accept;
190 }
191
192 chain mangle_forward {
193 type filter hook forward priority mangle; policy accept;
194 }
195 }
196 -- End --