1 Testing various option constraints.
2
3 -- Testcase --
{%
	// Drive main.uc with a stubbed environment: only ACTION is answered,
	// and it selects "print" mode so the generated ruleset goes to stdout
	// instead of being applied. Every other variable name yields no value.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			if (varname === 'ACTION')
				return 'print';
		}
	})
%}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "zone": [
23 {
24 ".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
25 "name": "ipv4only",
26 "subnet": "192.168.1.0/24",
27 "auto_helper": 0
28 },
29
30 {
31 ".description": "A zone with conflicting family and subnet settings should be skipped",
32 "name": "afconflict",
33 "subnet": "10.0.0.0/8",
34 "family": "IPv6",
35 "auto_helper": 0
36 }
37 ],
38 "ipset": [
39 {
40 "name": "ipv4set",
41 "match": "src_ip",
42 "entry": [
43 "10.0.0.2",
44 "10.0.0.3",
45 "10.0.0.4"
46 ]
47 }
48 ],
49 "rule": [
50 {
51 ".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
52 "src": "ipv4only",
53 "proto": "tcp",
54 "dest_port": "22",
55 "name": "Rule #1",
56 "target": "accept"
57 },
58
59 {
60 ".description": "Rules whose family conflicts with their addresses should be skipped",
61 "proto": "tcp",
62 "src_ip": "10.0.0.1",
63 "dest_port": "22",
64 "name": "Rule #2",
65 "target": "accept",
66 "family": "IPv6"
67 },
68
69 {
70 ".description": "Rules whose family conflicts with the zone family should be skipped",
71 "src": "ipv4only",
72 "proto": "tcp",
73 "dest_port": "22",
74 "name": "Rule #3",
75 "target": "accept",
76 "family": "IPv6"
77 },
78
79 {
80 ".description": "Rules whose family conflicts with the referenced set family should be skipped",
81 "src": "ipv4only",
82 "proto": "tcp",
83 "ipset": "ipv4set",
84 "name": "Rule #4",
85 "target": "accept",
86 "family": "IPv6"
87 }
88 ],
89 "redirect": [
90 {
91 ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
92 "src": "ipv4only",
93 "proto": "tcp",
94 "src_dport": "22",
95 "dest_ip": "fdca::1",
96 "name": "Redirect #1",
97 "target": "dnat"
98 },
99 ]
100 }
101 -- End --
102
103 -- Expect stderr --
104 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping
105 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping
106 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
107 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
108 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
109 -- End --
110
111 -- Expect stdout --
112 table inet fw4
113 flush table inet fw4
114
115 table inet fw4 {
116 #
117 # Set definitions
118 #
119
120 set ipv4set {
121 type ipv4_addr
122 elements = {
123 10.0.0.2,
124 10.0.0.3,
125 10.0.0.4,
126 }
127 }
128
129
130 #
131 # Defines
132 #
133
134 define ipv4only_subnets = { 192.168.1.0/24 }
135
136 #
137 # User includes
138 #
139
140 include "/etc/nftables.d/*.nft"
141
142
143 #
144 # Filter rules
145 #
146
147 chain input {
148 type filter hook input priority filter; policy drop;
149
150 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
151
152 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
153 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
154 }
155
156 chain forward {
157 type filter hook forward priority filter; policy drop;
158
159 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
160 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
161 }
162
163 chain output {
164 type filter hook output priority filter; policy drop;
165
166 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
167
168 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
169 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
170 }
171
172 chain handle_reject {
173 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
174 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
175 }
176
177 chain input_ipv4only {
178 meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
179 ct status dnat accept comment "!fw4: Accept port redirections"
180 jump drop_from_ipv4only
181 }
182
183 chain output_ipv4only {
184 jump drop_to_ipv4only
185 }
186
187 chain forward_ipv4only {
188 ct status dnat accept comment "!fw4: Accept port forwards"
189 jump drop_to_ipv4only
190 }
191
192 chain drop_from_ipv4only {
193 meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
194 }
195
196 chain drop_to_ipv4only {
197 meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
198 }
199
200
201 #
202 # NAT rules
203 #
204
205 chain dstnat {
206 type nat hook prerouting priority dstnat; policy accept;
207 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
208 }
209
210 chain srcnat {
211 type nat hook postrouting priority srcnat; policy accept;
212 }
213
214 chain dstnat_ipv4only {
215 }
216
217
218 #
219 # Raw rules (notrack & helper)
220 #
221
222 chain raw_prerouting {
223 type filter hook prerouting priority raw; policy accept;
224 }
225
226 chain raw_output {
227 type filter hook output priority raw; policy accept;
228 }
229
230
231 #
232 # Mangle rules
233 #
234
235 chain mangle_prerouting {
236 type filter hook prerouting priority mangle; policy accept;
237 }
238
239 chain mangle_postrouting {
240 type filter hook postrouting priority mangle; policy accept;
241 }
242
243 chain mangle_input {
244 type filter hook input priority mangle; policy accept;
245 }
246
247 chain mangle_output {
248 type filter hook output priority mangle; policy accept;
249 }
250
251 chain mangle_forward {
252 type filter hook forward priority mangle; policy accept;
253 }
254 }
255 -- End --