[project/firewall4.git] / tests / 03_rules / 02_enabled
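1 Testing that rules which are not enabled are ignored: a rule with no "enabled" option or with "enabled" set to "1" must be emitted, while a rule with "enabled" set to "0" must be skipped with a warning on stderr and must not appear in the generated ruleset.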
2
3 -- Testcase --
4 {%
5 include("./root/usr/share/firewall4/main.uc", { // load the fw4 main script, passing an object that supplies a stubbed getenv()
6 getenv: function(varname) { // test stub: answers only for the variable names listed in the switch
7 switch (varname) {
8 case 'ACTION':
9 return 'print'; // presumably selects print-only mode so the ruleset goes to stdout instead of being applied (see "Expect stdout") - confirm in main.uc
10 } // no default case: any other variable name gets no return value
11 }
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "rule": [
23 {
24 "proto": "any",
25 "name": "Implicitly enabled"
26 },
27 {
28 "proto": "any",
29 "name": "Explicitly enabled",
30 "enabled": "1"
31 },
32 {
33 "proto": "any",
34 "name": "Explicitly disabled",
35 "enabled": "0"
36 }
37 ]
38 }
39 -- End --
40
41 -- Expect stderr --
42 [!] Section @rule[2] (Explicitly disabled) is disabled, ignoring section
43 -- End --
44
45 -- Expect stdout --
46 table inet fw4
47 flush table inet fw4
48
49 table inet fw4 {
50 #
51 # Defines
52 #
53
54
55 #
56 # User includes
57 #
58
59 include "/etc/nftables.d/*.nft"
60
61
62 #
63 # Filter rules
64 #
65
66 chain input {
67 type filter hook input priority filter; policy drop;
68
69 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
70
71 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
72 }
73
74 chain forward {
75 type filter hook forward priority filter; policy drop;
76
77 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
78 }
79
80 chain output {
81 type filter hook output priority filter; policy drop;
82
83 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
84
85 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
86 counter comment "!fw4: Implicitly enabled"
87 counter comment "!fw4: Explicitly enabled"
88 }
89
90 chain prerouting {
91 type filter hook prerouting priority filter; policy accept;
92 }
93
94 chain handle_reject {
95 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
96 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
97 }
98
99
100 #
101 # NAT rules
102 #
103
104 chain dstnat {
105 type nat hook prerouting priority dstnat; policy accept;
106 }
107
108 chain srcnat {
109 type nat hook postrouting priority srcnat; policy accept;
110 }
111
112
113 #
114 # Raw rules (notrack)
115 #
116
117 chain raw_prerouting {
118 type filter hook prerouting priority raw; policy accept;
119 }
120
121 chain raw_output {
122 type filter hook output priority raw; policy accept;
123 }
124
125
126 #
127 # Mangle rules
128 #
129
130 chain mangle_prerouting {
131 type filter hook prerouting priority mangle; policy accept;
132 }
133
134 chain mangle_postrouting {
135 type filter hook postrouting priority mangle; policy accept;
136 }
137
138 chain mangle_input {
139 type filter hook input priority mangle; policy accept;
140 }
141
142 chain mangle_output {
143 type route hook output priority mangle; policy accept;
144 }
145
146 chain mangle_forward {
147 type filter hook forward priority mangle; policy accept;
148 }
149 }
150 -- End --