ruleset: correct mangle_output chain type
1 Testing various option constraints.
2
3 -- Testcase --
4 {% // Test-case driver: runs fw4's main.uc against the uci fixtures given below
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) { // stubbed environment lookup; only ACTION is answered
7 switch (varname) {
8 case 'ACTION':
9 return 'print'; // presumably selects print mode, so the ruleset lands in the Expect stdout section instead of being applied
10 }
11 } // any other variable falls through the switch and the stub yields no value
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "zone": [
23 {
24 "name": "lan"
25 }
26 ],
27 "rule": [
28 {
29 ".description": "Helper rules require an explicit source zone",
30 "proto": "any",
31 "name": "Helper rule #1",
32 "target": "helper"
33 },
34 {
35 ".description": "Helper rules require a set_helper option",
36 "proto": "any",
37 "name": "Helper rule #2",
38 "src": "lan",
39 "target": "helper"
40 },
41
42 {
43 ".description": "Notrack rules require an explicit source zone",
44 "proto": "any",
45 "name": "Notrack rule",
46 "target": "notrack"
47 },
48
49 {
50 ".description": "DSCP target rules require a set_dscp option",
51 "proto": "any",
52 "name": "DSCP target rule #1",
53 "target": "dscp"
54 },
55
56 {
57 ".description": "DSCP matches enforce AF-specific rules due to the required ip/ip6 prefix",
58 "proto": "any",
59 "name": "DSCP match rule #1",
60 "dscp": "0x0"
61 },
62
63 {
64 ".description": "Mark rules require a set_xmark or set_mark option",
65 "proto": "any",
66 "name": "Mark rule #1",
67 "target": "mark"
68 },
69 ]
70 }
71 -- End --
72
73 -- Expect stderr --
74 [!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
75 [!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
76 [!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
77 [!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
78 [!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
79 -- End --
80
81 -- Expect stdout --
82 table inet fw4
83 flush table inet fw4
84
85 table inet fw4 {
86 #
87 # Set definitions
88 #
89
90
91 #
92 # Defines
93 #
94
95
96 #
97 # User includes
98 #
99
100 include "/etc/nftables.d/*.nft"
101
102
103 #
104 # Filter rules
105 #
106
107 chain input {
108 type filter hook input priority filter; policy drop;
109
110 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
111
112 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
113 }
114
115 chain forward {
116 type filter hook forward priority filter; policy drop;
117
118 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
119 }
120
121 chain output {
122 type filter hook output priority filter; policy drop;
123
124 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
125
126 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
127 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
128 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
129 }
130
131 chain handle_reject {
132 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
133 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
134 }
135
136 chain input_lan {
137 jump drop_from_lan
138 }
139
140 chain output_lan {
141 jump drop_to_lan
142 }
143
144 chain forward_lan {
145 jump drop_to_lan
146 }
147
148 chain drop_from_lan {
149 }
150
151 chain drop_to_lan {
152 }
153
154
155 #
156 # NAT rules
157 #
158
159 chain dstnat {
160 type nat hook prerouting priority dstnat; policy accept;
161 }
162
163 chain srcnat {
164 type nat hook postrouting priority srcnat; policy accept;
165 }
166
167
168 #
169 # Raw rules (notrack & helper)
170 #
171
172 chain raw_prerouting {
173 type filter hook prerouting priority raw; policy accept;
174 }
175
176 chain raw_output {
177 type filter hook output priority raw; policy accept;
178 }
179
180 chain helper_lan {
181 }
182
183
184 #
185 # Mangle rules
186 #
187
188 chain mangle_prerouting {
189 type filter hook prerouting priority mangle; policy accept;
190 }
191
192 chain mangle_postrouting {
193 type filter hook postrouting priority mangle; policy accept;
194 }
195
196 chain mangle_input {
197 type filter hook input priority mangle; policy accept;
198 }
199
200 chain mangle_output {
201 type route hook output priority mangle; policy accept;
202 }
203
204 chain mangle_forward {
205 type filter hook forward priority mangle; policy accept;
206 }
207 }
208 -- End --