tests: add test coverage for firewall includes
1 Testing the correct placement of potential include positions.
2
3 -- Testcase --
4 {%
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) { // environment stub passed to main.uc: only ACTION is answered, any other name falls through and yields null
7 switch (varname) {
8 case 'ACTION':
9 return 'print'; // presumably makes main.uc emit the generated ruleset on stdout (what "Expect stdout" below checks) instead of applying it — confirm against main.uc
10 }
11 }
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File fs/open~_sys_class_net_eth0_flags.txt --
21 0x1103
22 -- End --
23
24 -- File fs/open~_usr_share_nftables_d_include-ruleset-start_nft.txt --
25 # dummy
26 -- End --
27
28 -- File fs/open~_usr_share_nftables_d_include-table-start_nft.txt --
29 # dummy
30 -- End --
31
32 -- File fs/open~_usr_share_nftables_d_include-chain-start-forward_nft.txt --
33 # dummy
34 -- End --
35
36 -- File fs/open~_usr_share_nftables_d_include-chain-end-forward_nft.txt --
37 # dummy
38 -- End --
39
40 -- File fs/open~_usr_share_nftables_d_include-table-end-1_nft.txt --
41 # dummy
42 -- End --
43
44 -- File fs/open~_usr_share_nftables_d_include-table-end-2_nft.txt --
45 # dummy
46 -- End --
47
48 -- File fs/open~_usr_share_nftables_d_include-ruleset-end_nft.txt --
49 # dummy
50 -- End --
51
52 -- File uci/firewall.json --
53 {
54 "zone": [
55 {
56 "name": "test",
57 "device": [ "eth0" ],
58 "auto_helper": 0
59 }
60 ],
61 "include": [
62 {
63 ".description": "Position 'table-pre' (or 'table-prepend') will place an include before the first chain",
64 "path": "/usr/share/nftables.d/include-table-start.nft",
65 "type": "nftables",
66 "position": "table-pre"
67 },
68
69 {
70 ".description": "Position defaults to 'table-append', meaning after the last chain in the table scope",
71 "path": "/usr/share/nftables.d/include-table-end-1.nft",
72 "type": "nftables"
73 },
74
75 {
76 ".description": "Position 'table-post' (or 'table-postpend') may be used as alias for 'table-append'",
77 "path": "/usr/share/nftables.d/include-table-end-2.nft",
78 "type": "nftables",
79 "position": "table-post"
80 },
81
82 {
83 ".description": "Position 'ruleset-pre' (or 'ruleset-prepend') will place an include before the table declaration",
84 "path": "/usr/share/nftables.d/include-ruleset-start.nft",
85 "type": "nftables",
86 "position": "ruleset-pre"
87 },
88
89 {
90 ".description": "Position 'ruleset-post' (or 'ruleset-append') will place an include after the table declaration",
91 "path": "/usr/share/nftables.d/include-ruleset-end.nft",
92 "type": "nftables",
93 "position": "ruleset-post"
94 },
95
96 {
97 ".description": "Position 'chain-pre' (or 'chain-prepend') will place an include at the top of a specified chain",
98 "path": "/usr/share/nftables.d/include-chain-start-forward.nft",
99 "type": "nftables",
100 "position": "chain-pre",
101 "chain": "forward"
102 },
103
104 {
105 ".description": "Position 'chain-post' (or 'chain-append') will place an include at the bottom of a specified chain",
106 "path": "/usr/share/nftables.d/include-chain-end-forward.nft",
107 "type": "nftables",
108 "position": "chain-post",
109 "chain": "forward"
110 },
111
112 {
113 ".description": "Position 'chain-pre' or 'chain-post' without chain option will yield an error",
114 "path": "/usr/share/nftables.d/include-chain-end-forward.nft",
115 "type": "nftables",
116 "position": "chain-post"
117 },
118 ]
119 }
120 -- End --
121
122 -- Expect stderr --
123 [!] Section @include[7] must specify 'chain' for position chain-append, ignoring section
124 -- End --
125
126 -- Expect stdout --
127 table inet fw4
128 flush table inet fw4
129
130 include "/usr/share/nftables.d/include-ruleset-start.nft"
131
132 table inet fw4 {
133 #
134 # Defines
135 #
136
137 define test_devices = { "eth0" }
138 define test_subnets = { }
139
140
141 #
142 # User includes
143 #
144
145 include "/etc/nftables.d/*.nft"
146
147 include "/usr/share/nftables.d/include-table-start.nft"
148
149
150 #
151 # Filter rules
152 #
153
154 chain input {
155 type filter hook input priority filter; policy drop;
156
157 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
158
159 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
160 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
161 }
162
163 chain forward {
164 type filter hook forward priority filter; policy drop;
165
166 include "/usr/share/nftables.d/include-chain-start-forward.nft"
167 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
168 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
169 include "/usr/share/nftables.d/include-chain-end-forward.nft"
170 }
171
172 chain output {
173 type filter hook output priority filter; policy drop;
174
175 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
176
177 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
178 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
179 }
180
181 chain prerouting {
182 type filter hook prerouting priority filter; policy accept;
183 }
184
185 chain handle_reject {
186 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
187 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
188 }
189
190 chain input_test {
191 jump drop_from_test
192 }
193
194 chain output_test {
195 jump drop_to_test
196 }
197
198 chain forward_test {
199 jump drop_to_test
200 }
201
202 chain drop_from_test {
203 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
204 }
205
206 chain drop_to_test {
207 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
208 }
209
210
211 #
212 # NAT rules
213 #
214
215 chain dstnat {
216 type nat hook prerouting priority dstnat; policy accept;
217 }
218
219 chain srcnat {
220 type nat hook postrouting priority srcnat; policy accept;
221 }
222
223
224 #
225 # Raw rules (notrack)
226 #
227
228 chain raw_prerouting {
229 type filter hook prerouting priority raw; policy accept;
230 }
231
232 chain raw_output {
233 type filter hook output priority raw; policy accept;
234 }
235
236
237 #
238 # Mangle rules
239 #
240
241 chain mangle_prerouting {
242 type filter hook prerouting priority mangle; policy accept;
243 }
244
245 chain mangle_postrouting {
246 type filter hook postrouting priority mangle; policy accept;
247 }
248
249 chain mangle_input {
250 type filter hook input priority mangle; policy accept;
251 }
252
253 chain mangle_output {
254 type route hook output priority mangle; policy accept;
255 }
256
257 chain mangle_forward {
258 type filter hook forward priority mangle; policy accept;
259 }
260
261 include "/usr/share/nftables.d/include-table-end-1.nft"
262 include "/usr/share/nftables.d/include-table-end-2.nft"
263 }
264
265 include "/usr/share/nftables.d/include-ruleset-end.nft"
266 -- End --