1 Test that wildcard devices are properly handled.
2
3 -- Testcase --
{%
// Run the fw4 ruleset generator with a stubbed environment: the only
// variable the stub answers is ACTION (forced to "print" so the ruleset is
// emitted on stdout instead of being loaded); every other lookup yields null,
// exactly as an unmatched switch without a default would.
include("./root/usr/share/firewall4/main.uc", {
	getenv: function(varname) {
		return (varname === 'ACTION') ? 'print' : null;
	}
})
%}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File fs/open~_sys_class_net_never_flags.txt --
21 0x0
22 -- End --
23
24 -- File fs/open~_sys_class_net_test_flags.txt --
25 0x0
26 -- End --
27
28 -- File fs/open~_sys_class_net_foo_flags.txt --
29 0x0
30 -- End --
31
32 -- File fs/open~_sys_class_net_bar_flags.txt --
33 0x0
34 -- End --
35
36 -- File fs/open~_sys_class_net_baz_flags.txt --
37 0x0
38 -- End --
39
40 -- File fs/open~_sys_class_net_qrx_flags.txt --
41 0x0
42 -- End --
43
44 -- File fs/open~_sys_class_net_test1_flags.txt --
45 0x1103
46 -- End --
47
48 -- File fs/open~_sys_class_net_test2_flags.txt --
49 0x1103
50 -- End --
51
52 -- File uci/firewall.json --
53 {
54 "zone": [
55 {
56 ".description": "A '+' device match should translate to no ifname match at all",
57 "name": "test1",
58 "device": [ "+" ]
59 },
60 {
61 ".description": "An inverted '+' device match should result in a match that always fails",
62 "name": "test2",
63 "device": [ "!+" ]
64 },
65 {
66 ".description": "A 'name+' device match should translate to an nft wildcard pattern",
67 "name": "test3",
68 "device": [ "test+" ]
69 },
70 {
71 ".description": "Wildcard matches must not be grouped into sets",
72 "name": "test4",
73 "device": [ "foo+", "bar+", "test1", "test2" ]
74 },
75 {
76 ".description": "Multiple inverted wildcard matches may be grouped into one rule",
77 "name": "test5",
78 "device": [ "foo+", "bar+", "!baz+", "!qrx+", "test1", "test2", "!test3", "!test4" ]
79 }
80 ]
81 }
82 -- End --
83
84 -- Expect stdout --
85 table inet fw4
86 flush table inet fw4
87
88 table inet fw4 {
89 #
90 # Set definitions
91 #
92
93
94 #
95 # Defines
96 #
97
98 define test1_devices = { "+" }
99 define test2_devices = { "/never/" }
100 define test3_devices = { "test*" }
101 define test4_devices = { "foo*", "bar*", "test1", "test2" }
102 define test5_devices = { "foo*", "bar*", "test1", "test2" }
103
104 #
105 # User includes
106 #
107
108 include "/etc/nftables.d/*.nft"
109
110
111 #
112 # Filter rules
113 #
114
115 chain input {
116 type filter hook input priority filter; policy drop;
117
118 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
119
120 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
121 jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
122 iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
123 iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
124 iifname "foo*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
125 iifname "bar*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
126 iifname { "test1", "test2" } jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
127 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
128 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
129 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
130 }
131
132 chain forward {
133 type filter hook forward priority filter; policy drop;
134
135 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
136 jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
137 iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
138 iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
139 iifname "foo*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
140 iifname "bar*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
141 iifname { "test1", "test2" } jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
142 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
143 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
144 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
145 }
146
147 chain output {
148 type filter hook output priority filter; policy drop;
149
150 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
151
152 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
153 jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
154 oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
155 oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
156 oifname "foo*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
157 oifname "bar*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
158 oifname { "test1", "test2" } jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
159 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
160 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
161 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
162 }
163
164 chain prerouting {
165 type filter hook prerouting priority filter; policy accept;
166 iifname "/never/" jump helper_test2 comment "!fw4: test2 IPv4/IPv6 CT helper assignment"
167 iifname "test*" jump helper_test3 comment "!fw4: test3 IPv4/IPv6 CT helper assignment"
168 iifname "foo*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
169 iifname "bar*" jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
170 iifname { "test1", "test2" } jump helper_test4 comment "!fw4: test4 IPv4/IPv6 CT helper assignment"
171 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
172 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
173 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: test5 IPv4/IPv6 CT helper assignment"
174 }
175
176 chain handle_reject {
177 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
178 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
179 }
180
181 chain input_test1 {
182 jump drop_from_test1
183 }
184
185 chain output_test1 {
186 jump drop_to_test1
187 }
188
189 chain forward_test1 {
190 jump drop_to_test1
191 }
192
193 chain helper_test1 {
194 }
195
196 chain drop_from_test1 {
197 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
198 }
199
200 chain drop_to_test1 {
201 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
202 }
203
204 chain input_test2 {
205 jump drop_from_test2
206 }
207
208 chain output_test2 {
209 jump drop_to_test2
210 }
211
212 chain forward_test2 {
213 jump drop_to_test2
214 }
215
216 chain helper_test2 {
217 }
218
219 chain drop_from_test2 {
220 iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
221 }
222
223 chain drop_to_test2 {
224 oifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
225 }
226
227 chain input_test3 {
228 jump drop_from_test3
229 }
230
231 chain output_test3 {
232 jump drop_to_test3
233 }
234
235 chain forward_test3 {
236 jump drop_to_test3
237 }
238
239 chain helper_test3 {
240 }
241
242 chain drop_from_test3 {
243 iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
244 }
245
246 chain drop_to_test3 {
247 oifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
248 }
249
250 chain input_test4 {
251 jump drop_from_test4
252 }
253
254 chain output_test4 {
255 jump drop_to_test4
256 }
257
258 chain forward_test4 {
259 jump drop_to_test4
260 }
261
262 chain helper_test4 {
263 }
264
265 chain drop_from_test4 {
266 iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
267 iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
268 iifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
269 }
270
271 chain drop_to_test4 {
272 oifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
273 oifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
274 oifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
275 }
276
277 chain input_test5 {
278 jump drop_from_test5
279 }
280
281 chain output_test5 {
282 jump drop_to_test5
283 }
284
285 chain forward_test5 {
286 jump drop_to_test5
287 }
288
289 chain helper_test5 {
290 }
291
292 chain drop_from_test5 {
293 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
294 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
295 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
296 }
297
298 chain drop_to_test5 {
299 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
300 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
301 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
302 }
303
304
305 #
306 # NAT rules
307 #
308
309 chain dstnat {
310 type nat hook prerouting priority dstnat; policy accept;
311 }
312
313 chain srcnat {
314 type nat hook postrouting priority srcnat; policy accept;
315 }
316
317
318 #
319 # Raw rules (notrack)
320 #
321
322 chain raw_prerouting {
323 type filter hook prerouting priority raw; policy accept;
324 }
325
326 chain raw_output {
327 type filter hook output priority raw; policy accept;
328 }
329
330
331 #
332 # Mangle rules
333 #
334
335 chain mangle_prerouting {
336 type filter hook prerouting priority mangle; policy accept;
337 }
338
339 chain mangle_postrouting {
340 type filter hook postrouting priority mangle; policy accept;
341 }
342
343 chain mangle_input {
344 type filter hook input priority mangle; policy accept;
345 }
346
347 chain mangle_output {
348 type route hook output priority mangle; policy accept;
349 }
350
351 chain mangle_forward {
352 type filter hook forward priority mangle; policy accept;
353 }
354 }
355 -- End --