1 Tests how the rule options 'proto' and 'icmp_type' are translated into IPv4- and/or IPv6-specific ICMP nftables rules (including the 'icmpv6'/'ipv6-icmp' alias and family-specific type names that suppress the rule for the other family).
2
3 -- Testcase --
{%
// Test driver: run the firewall4 main template with a stubbed environment.
// Only ACTION is answered ('print' makes main.uc emit the generated ruleset
// on stdout instead of applying it); every other variable reads as undefined.
include("./root/usr/share/firewall4/main.uc", {
	getenv: function(varname) {
		if (varname == 'ACTION')
			return 'print';
	}
})
%}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "rule": [
23 {
24 ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
25 "proto": "icmp",
26 "name": "ICMP rule #1"
27 },
28 {
29 ".description": "Proto 'icmpv6' maps to IPv6 rule only",
30 "proto": "icmpv6",
31 "name": "ICMP rule #2",
32 },
33 {
34 ".description": "Proto 'ipv6-icmp' is an alias for 'icmpv6'",
35 "proto": "ipv6-icmp",
36 "name": "ICMP rule #3",
37 },
38 {
39 ".description": "Proto 'icmp' with IPv4 specific types inhibits IPv6 rule",
40 "proto": "icmp",
41 "name": "ICMP rule #4",
42 "icmp_type": [ "ip-header-bad" ]
43 },
44 {
45 ".description": "Proto 'icmp' with IPv6 specific types inhibits IPv4 rule",
46 "proto": "icmp",
47 "name": "ICMP rule #5",
48 "icmp_type": [ "neighbour-advertisement" ]
49 }
50 ]
51 }
52 -- End --
53
54 -- Expect stdout --
55 table inet fw4
56 flush table inet fw4
57
58 table inet fw4 {
59 #
60 # Defines
61 #
62
63
64 #
65 # User includes
66 #
67
68 include "/etc/nftables.d/*.nft"
69
70
71 #
72 # Filter rules
73 #
74
75 chain input {
76 type filter hook input priority filter; policy drop;
77
78 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
79
80 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
81 }
82
83 chain forward {
84 type filter hook forward priority filter; policy drop;
85
86 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
87 }
88
89 chain output {
90 type filter hook output priority filter; policy drop;
91
92 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
93
94 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
95 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
96 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
97 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
98 meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
99 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
100 }
101
102 chain prerouting {
103 type filter hook prerouting priority filter; policy accept;
104 }
105
106 chain handle_reject {
107 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
108 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
109 }
110
111
112 #
113 # NAT rules
114 #
115
116 chain dstnat {
117 type nat hook prerouting priority dstnat; policy accept;
118 }
119
120 chain srcnat {
121 type nat hook postrouting priority srcnat; policy accept;
122 }
123
124
125 #
126 # Raw rules (notrack)
127 #
128
129 chain raw_prerouting {
130 type filter hook prerouting priority raw; policy accept;
131 }
132
133 chain raw_output {
134 type filter hook output priority raw; policy accept;
135 }
136
137
138 #
139 # Mangle rules
140 #
141
142 chain mangle_prerouting {
143 type filter hook prerouting priority mangle; policy accept;
144 }
145
146 chain mangle_postrouting {
147 type filter hook postrouting priority mangle; policy accept;
148 }
149
150 chain mangle_input {
151 type filter hook input priority mangle; policy accept;
152 }
153
154 chain mangle_output {
155 type route hook output priority mangle; policy accept;
156 }
157
158 chain mangle_forward {
159 type filter hook forward priority mangle; policy accept;
160 }
161 }
162 -- End --