1 Test that configured zone log limits are honored in emitted log rules.
2
3 -- Testcase --
{%
// Run the fw4 generator against the fixture files below with a stubbed
// environment: only ACTION is answered (with 'print'); any other variable
// name falls through the lookup with no value.
include("./root/usr/share/firewall4/main.uc", {
	getenv: function(varname) {
		if (varname === 'ACTION')
			return 'print';
	}
})
%}
14 -- End --
15
16 -- File uci/firewall.json --
17 {
18 "zone": [
19 {
20 ".description": "test zone with log_limit",
21 "name": "lan",
22 "network": "lan",
23 "auto_helper": 0,
24 "log": 3,
25 "log_limit": "1/min"
26 },
27 {
28 ".description": "test zone with MASQ and log_limit",
29 "name": "wan",
30 "network": "wan",
31 "auto_helper": 0,
32 "family": "ipv4",
33 "masq": 1,
34 "log": 3,
35 "log_limit": "2/min"
36 },
37 {
38 ".description": "test zone with log_limit and no log",
39 "name": "guest",
40 "network": "guest",
41 "auto_helper": 0,
42 "log_limit": "3/min"
43 },
44 {
45 ".description": "test zone with log and no limit, should produce multi target rules",
46 "name": "wan6",
47 "network": "wan6",
48 "auto_helper": 0,
49 "family": "ipv6",
50 "log": 1
51 }
52 ],
53
54 "forwarding": [
55 {
56 "src": "lan",
57 "dest": "wan"
58 }
59 ],
60
61 "rule": [
62 {
63 ".description": "src lan log",
64 "proto": "tcp",
65 "src": "lan",
66 "dest_port": 1001,
67 "log": 1
68 },
69 {
70 ".description": "src lan no log",
71 "proto": "tcp",
72 "src": "lan",
73 "dest_port": 1002,
74 "log": 0
75 },
76 {
77 ".description": "dest lan log",
78 "proto": "tcp",
79 "dest": "lan",
80 "dest_port": 1003,
81 "log": 1
82 },
83 {
84 ".description": "dest lan no log",
85 "proto": "tcp",
86 "dest": "lan",
87 "dest_port": 1004,
88 "log": 0
89 },
90 {
91 ".description": "Source any, dest lan, log",
92 "proto": "tcp",
93 "src": "*",
94 "dest": "lan",
95 "dest_port": 1005,
96 "log": 1
97 },
98 {
99 ".description": "Source any, dest lan, no log",
100 "proto": "tcp",
101 "src": "*",
102 "dest": "lan",
103 "dest_port": 1006,
104 "log": 0
105 },
106 {
107 ".description": "src any log",
108 "proto": "tcp",
109 "src": "*",
110 "dest_port": 1007,
111 "log": 1
112 },
113 {
114 ".description": "src any no log",
115 "proto": "tcp",
116 "src": "*",
117 "dest_port": 1008,
118 "log": 0
119 },
120 {
121 "name": "Deny guest with no log",
122 "proto": "icmp",
123 "dest": "guest",
124 "target": "drop"
125 },
126 {
127 "name": "Deny guest with log",
128 "proto": "icmp",
129 "dest": "guest",
130 "target": "drop",
131 "log": 1
132 },
133 {
134 "name": "Deny rule #1",
135 "proto": "any",
136 "src": "lan",
137 "dest": "wan",
138 "src_ip": [ "192.168.1.2" ],
139 "target": "drop"
140 },
141 {
142 "name": "Deny rule #2",
143 "proto": "icmp",
144 "src": "lan",
145 "dest": "wan",
146 "src_ip": [ "192.168.1.3" ],
147 "target": "drop"
148 },
149 {
150 ".description": "src any log",
151 "proto": "tcp",
152 "src": "*",
153 "dest_port": 1009,
154 "log": 1,
155 "log_limit": "5/min"
156 }
157 ],
158 "redirect": [
159 {
160 "proto": "tcp",
161 "src": "wan",
162 "dest": "lan",
163 "dest_ip": "10.0.0.2",
164 "dest_port": "22",
165 "log": "1"
166 },
167 {
168 "proto": "tcp",
169 "src": "wan",
170 "dest": "lan",
171 "dest_ip": "10.0.0.2",
172 "dest_port": "23",
173 "log": "1",
174 "log_limit": "4/min"
175 }
176
177 ]
178 }
179 -- End --
180
181 -- File uci/helpers.json --
182 {}
183 -- End --
184
185 -- Expect stdout --
186 table inet fw4
187 flush table inet fw4
188
189 table inet fw4 {
190 #
191 # Defines
192 #
193
194 define lan_devices = { "br-lan" }
195 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
196
197 define wan_devices = { "pppoe-wan" }
198 define wan_subnets = { 10.11.12.0/24 }
199
200 define guest_devices = { "br-guest" }
201 define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
202
203 define wan6_devices = { "pppoe-wan" }
204 define wan6_subnets = { 2001:db8:54:321::/64 }
205
206
207 #
208 # Limits
209 #
210
211 limit lan.log_limit {
212 comment "lan log limit"
213 rate 1/minute
214 }
215
216 limit wan.log_limit {
217 comment "wan log limit"
218 rate 2/minute
219 }
220
221 limit guest.log_limit {
222 comment "guest log limit"
223 rate 3/minute
224 }
225
226
227 #
228 # User includes
229 #
230
231 include "/etc/nftables.d/*.nft"
232
233
234 #
235 # Filter rules
236 #
237
238 chain input {
239 type filter hook input priority filter; policy drop;
240
241 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
242
243 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
244 tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]"
245 tcp dport 1008 counter comment "!fw4: @rule[7]"
246 tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: "
247 tcp dport 1009 counter comment "!fw4: @rule[12]"
248 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
249 meta nfproto ipv4 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4 input traffic"
250 iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
251 meta nfproto ipv6 iifname "pppoe-wan" jump input_wan6 comment "!fw4: Handle wan6 IPv6 input traffic"
252 }
253
254 chain forward {
255 type filter hook forward priority filter; policy drop;
256
257 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
258 tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: "
259 tcp dport 1005 counter comment "!fw4: @rule[4]"
260 tcp dport 1006 counter comment "!fw4: @rule[5]"
261 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
262 meta nfproto ipv4 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4 forward traffic"
263 iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
264 meta nfproto ipv6 iifname "pppoe-wan" jump forward_wan6 comment "!fw4: Handle wan6 IPv6 forward traffic"
265 }
266
267 chain output {
268 type filter hook output priority filter; policy drop;
269
270 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
271
272 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
273 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
274 meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
275 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
276 meta nfproto ipv6 oifname "pppoe-wan" jump output_wan6 comment "!fw4: Handle wan6 IPv6 output traffic"
277 }
278
279 chain prerouting {
280 type filter hook prerouting priority filter; policy accept;
281 }
282
283 chain handle_reject {
284 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
285 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
286 }
287
288 chain input_lan {
289 tcp dport 1001 limit name "lan.log_limit" log prefix "@rule[0]: "
290 tcp dport 1001 counter comment "!fw4: @rule[0]"
291 tcp dport 1002 counter comment "!fw4: @rule[1]"
292 ct status dnat accept comment "!fw4: Accept port redirections"
293 jump drop_from_lan
294 }
295
296 chain output_lan {
297 tcp dport 1003 limit name "lan.log_limit" log prefix "@rule[2]: "
298 tcp dport 1003 counter comment "!fw4: @rule[2]"
299 tcp dport 1004 counter comment "!fw4: @rule[3]"
300 jump drop_to_lan
301 }
302
303 chain forward_lan {
304 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
305 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
306 meta nfproto ipv4 jump accept_to_wan comment "!fw4: Accept lan to wan IPv4 forwarding"
307 ct status dnat accept comment "!fw4: Accept port forwards"
308 jump drop_to_lan
309 limit name "lan.log_limit" log prefix "drop lan forward: "
310 }
311
312 chain accept_to_lan {
313 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
314 }
315
316 chain drop_from_lan {
317 iifname "br-lan" limit name "lan.log_limit" log prefix "drop lan in: "
318 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
319 }
320
321 chain drop_to_lan {
322 oifname "br-lan" limit name "lan.log_limit" log prefix "drop lan out: "
323 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
324 }
325
326 chain input_wan {
327 ct status dnat accept comment "!fw4: Accept port redirections"
328 jump drop_from_wan
329 }
330
331 chain output_wan {
332 jump drop_to_wan
333 }
334
335 chain forward_wan {
336 ct status dnat accept comment "!fw4: Accept port forwards"
337 jump drop_to_wan
338 limit name "wan.log_limit" log prefix "drop wan forward: "
339 }
340
341 chain accept_to_wan {
342 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid limit name "wan.log_limit" log prefix "drop wan invalid ct state: "
343 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
344 meta nfproto ipv4 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4 traffic"
345 }
346
347 chain drop_from_wan {
348 meta nfproto ipv4 iifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan in: "
349 meta nfproto ipv4 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic"
350 }
351
352 chain drop_to_wan {
353 meta nfproto ipv4 oifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan out: "
354 meta nfproto ipv4 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic"
355 }
356
357 chain input_guest {
358 jump drop_from_guest
359 }
360
361 chain output_guest {
362 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with no log"
363 meta l4proto { "icmp", "ipv6-icmp" } limit name "guest.log_limit" log prefix "Deny guest with log: "
364 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with log"
365 jump drop_to_guest
366 }
367
368 chain forward_guest {
369 jump drop_to_guest
370 }
371
372 chain drop_from_guest {
373 iifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic"
374 }
375
376 chain drop_to_guest {
377 oifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic"
378 }
379
380 chain input_wan6 {
381 jump drop_from_wan6
382 }
383
384 chain output_wan6 {
385 jump drop_to_wan6
386 }
387
388 chain forward_wan6 {
389 jump drop_to_wan6
390 log prefix "drop wan6 forward: "
391 }
392
393 chain drop_from_wan6 {
394 meta nfproto ipv6 iifname "pppoe-wan" counter log prefix "drop wan6 in: " drop comment "!fw4: drop wan6 IPv6 traffic"
395 }
396
397 chain drop_to_wan6 {
398 meta nfproto ipv6 oifname "pppoe-wan" counter log prefix "drop wan6 out: " drop comment "!fw4: drop wan6 IPv6 traffic"
399 }
400
401
402 #
403 # NAT rules
404 #
405
406 chain dstnat {
407 type nat hook prerouting priority dstnat; policy accept;
408 iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
409 meta nfproto ipv4 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4 dstnat traffic"
410 }
411
412 chain srcnat {
413 type nat hook postrouting priority srcnat; policy accept;
414 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
415 meta nfproto ipv4 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4 srcnat traffic"
416 }
417
418 chain dstnat_lan {
419 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:22 comment "!fw4: @redirect[0] (reflection)"
420 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:23 comment "!fw4: @redirect[1] (reflection)"
421 }
422
423 chain srcnat_lan {
424 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 22 snat 10.0.0.1 comment "!fw4: @redirect[0] (reflection)"
425 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 23 snat 10.0.0.1 comment "!fw4: @redirect[1] (reflection)"
426 }
427
428 chain dstnat_wan {
429 meta nfproto ipv4 limit name "wan.log_limit" log prefix "@redirect[0]: "
430 meta nfproto ipv4 counter dnat 10.0.0.2:22 comment "!fw4: @redirect[0]"
431 meta nfproto ipv4 limit rate 4/minute log prefix "@redirect[1]: "
432 meta nfproto ipv4 counter dnat 10.0.0.2:23 comment "!fw4: @redirect[1]"
433 }
434
435 chain srcnat_wan {
436 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
437 }
438
439
440 #
441 # Raw rules (notrack)
442 #
443
444 chain raw_prerouting {
445 type filter hook prerouting priority raw; policy accept;
446 }
447
448 chain raw_output {
449 type filter hook output priority raw; policy accept;
450 }
451
452
453 #
454 # Mangle rules
455 #
456
457 chain mangle_prerouting {
458 type filter hook prerouting priority mangle; policy accept;
459 }
460
461 chain mangle_postrouting {
462 type filter hook postrouting priority mangle; policy accept;
463 }
464
465 chain mangle_input {
466 type filter hook input priority mangle; policy accept;
467 }
468
469 chain mangle_output {
470 type route hook output priority mangle; policy accept;
471 }
472
473 chain mangle_forward {
474 type filter hook forward priority mangle; policy accept;
475 }
476 }
477 -- End --