1 Ensure that DSCP and MARK target rules end up in the appropriate chains,
2 depending on the src and dest options.
3
4 -- Testcase --
{%
	// Test harness stub around main.uc: the only environment variable it
	// answers is ACTION, which is forced to "print" so the generated ruleset
	// is emitted on stdout (checked against the "Expect stdout" section)
	// instead of being applied. Any other name falls through and yields no
	// value, exactly as an unset variable would.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			if (varname === 'ACTION')
				return 'print';
		}
	})
%}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
22 0x1103
23 -- End --
24
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
26 0x1103
27 -- End --
28
29 -- File fs/open~_sys_class_net_eth2_flags.txt --
30 0x1103
31 -- End --
32
33 -- File fs/open~_sys_class_net_eth3_flags.txt --
34 0x1103
35 -- End --
36
37 -- File uci/firewall.json --
38 {
39 "zone": [
40 {
41 "name": "lan",
42 "device": [ "eth0", "eth1" ]
43 },
44 {
45 "name": "wan",
46 "device": [ "eth2", "eth3" ]
47 }
48 ],
49 "rule": [
50 {
51 ".description": "Source '*' and destination '*' should result in a forward rule",
52 "name": "Mangle rule #1",
53 "src": "*",
54 "dest": "*",
55 "target": "DSCP",
56 "set_dscp": "1"
57 },
58 {
59 ".description": "Source zone and destination zone should result in a forward rule",
60 "name": "Mangle rule #2",
61 "src": "lan",
62 "dest": "wan",
63 "target": "DSCP",
64 "set_dscp": "1"
65 },
66 {
67 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
68 "name": "Mangle rule #3",
69 "src": "*",
70 "dest": "wan",
71 "target": "DSCP",
72 "set_dscp": "1"
73 },
74 {
75 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
76 "name": "Mangle rule #4",
77 "src": "lan",
78 "dest": "*",
79 "target": "DSCP",
80 "set_dscp": "1"
81 },
82 {
83 ".description": "Specific source zone and no destination zone should result in an input rule",
84 "name": "Mangle rule #5",
85 "src": "lan",
86 "target": "DSCP",
87 "set_dscp": "1"
88 },
89 {
90 ".description": "Any source zone and no destination zone should result in an input rule",
91 "name": "Mangle rule #6",
92 "src": "*",
93 "target": "DSCP",
94 "set_dscp": "1"
95 },
96 {
97 ".description": "No source zone and no destination zone should result in an output rule",
98 "name": "Mangle rule #7",
99 "target": "DSCP",
100 "set_dscp": "1"
101 },
102 {
103 ".description": "No source zone and any destination zone should result in an output rule",
104 "name": "Mangle rule #8",
105 "dest": "*",
106 "target": "DSCP",
107 "set_dscp": "1"
108 },
109 {
110 ".description": "No source zone and specific destination zone should result in an output rule",
111 "name": "Mangle rule #9",
112 "dest": "wan",
113 "target": "DSCP",
114 "set_dscp": "1"
115 },
116 {
117 ".description": "Option device with no direction should override inbound ifname match",
118 "name": "Mangle rule #10",
119 "src": "*",
120 "dest": "wan",
121 "target": "DSCP",
122 "set_dscp": "1",
123 "device": "eth4"
124 },
125 {
126 ".description": "Option device with direction 'in' should override inbound ifname match",
127 "name": "Mangle rule #11",
128 "src": "*",
129 "dest": "wan",
130 "target": "DSCP",
131 "set_dscp": "1",
132 "device": "eth4",
133 "direction": "in"
134 },
135 {
136 ".description": "Option device with direction 'out' should override outbound ifname match",
137 "name": "Mangle rule #12",
138 "src": "*",
139 "dest": "wan",
140 "target": "DSCP",
141 "set_dscp": "1",
142 "device": "eth5",
143 "direction": "out"
144 }
145 ]
146 }
147 -- End --
148
149 -- Expect stdout --
150 table inet fw4
151 flush table inet fw4
152
153 table inet fw4 {
154 #
155 # Defines
156 #
157
158 define lan_devices = { "eth0", "eth1" }
159 define lan_subnets = { }
160
161 define wan_devices = { "eth2", "eth3" }
162 define wan_subnets = { }
163
164
165 #
166 # User includes
167 #
168
169 include "/etc/nftables.d/*.nft"
170
171
172 #
173 # Filter rules
174 #
175
176 chain input {
177 type filter hook input priority filter; policy drop;
178
179 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
180
181 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
182 iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
183 iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
184 }
185
186 chain forward {
187 type filter hook forward priority filter; policy drop;
188
189 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
190 iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
191 iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
192 }
193
194 chain output {
195 type filter hook output priority filter; policy drop;
196
197 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
198
199 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
200 oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
201 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
202 }
203
204 chain prerouting {
205 type filter hook prerouting priority filter; policy accept;
206 iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
207 iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
208 }
209
210 chain handle_reject {
211 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
212 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
213 }
214
215 chain input_lan {
216 jump drop_from_lan
217 }
218
219 chain output_lan {
220 jump drop_to_lan
221 }
222
223 chain forward_lan {
224 jump drop_to_lan
225 }
226
227 chain helper_lan {
228 }
229
230 chain drop_from_lan {
231 iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
232 }
233
234 chain drop_to_lan {
235 oifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
236 }
237
238 chain input_wan {
239 jump drop_from_wan
240 }
241
242 chain output_wan {
243 jump drop_to_wan
244 }
245
246 chain forward_wan {
247 jump drop_to_wan
248 }
249
250 chain helper_wan {
251 }
252
253 chain drop_from_wan {
254 iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
255 }
256
257 chain drop_to_wan {
258 oifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
259 }
260
261
262 #
263 # NAT rules
264 #
265
266 chain dstnat {
267 type nat hook prerouting priority dstnat; policy accept;
268 }
269
270 chain srcnat {
271 type nat hook postrouting priority srcnat; policy accept;
272 }
273
274
275 #
276 # Raw rules (notrack)
277 #
278
279 chain raw_prerouting {
280 type filter hook prerouting priority raw; policy accept;
281 }
282
283 chain raw_output {
284 type filter hook output priority raw; policy accept;
285 }
286
287
288 #
289 # Mangle rules
290 #
291
292 chain mangle_prerouting {
293 type filter hook prerouting priority mangle; policy accept;
294 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
295 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
296 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
297 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
298 }
299
300 chain mangle_postrouting {
301 type filter hook postrouting priority mangle; policy accept;
302 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
303 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
304 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
305 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
306 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
307 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
308 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
309 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
310 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
311 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
312 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
313 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
314 meta nfproto ipv4 meta l4proto tcp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
315 meta nfproto ipv6 meta l4proto tcp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
316 meta nfproto ipv4 meta l4proto udp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
317 meta nfproto ipv6 meta l4proto udp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
318 }
319
320 chain mangle_input {
321 type filter hook input priority mangle; policy accept;
322 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
323 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
324 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
325 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
326 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
327 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
328 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
329 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
330 }
331
332 chain mangle_output {
333 type route hook output priority mangle; policy accept;
334 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
335 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
336 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
337 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
338 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
339 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
340 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
341 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
342 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
343 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
344 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
345 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
346 }
347
348 chain mangle_forward {
349 type filter hook forward priority mangle; policy accept;
350 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
351 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
352 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
353 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
354 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
355 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
356 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
357 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
358 }
359 }
360 -- End --