1 Testing various option constraints.
2
3 -- Testcase --
{%
include("./root/usr/share/firewall4/main.uc", {
	// Stub the environment lookup so the included firewall script only ever
	// sees ACTION=print; every other variable name yields no value.
	getenv: function(varname) {
		if (varname === 'ACTION')
			return 'print';
	}
})
%}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "zone": [
23 {
24 ".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
25 "name": "ipv4only",
26 "subnet": "192.168.1.0/24",
27 "auto_helper": 0
28 },
29
30 {
31 ".description": "A zone with conflicting family and subnet settings should be skipped",
32 "name": "afconflict",
33 "subnet": "10.0.0.0/8",
34 "family": "IPv6",
35 "auto_helper": 0
36 }
37 ],
38 "ipset": [
39 {
40 "name": "ipv4set",
41 "match": "src_ip",
42 "entry": [
43 "10.0.0.2",
44 "10.0.0.3",
45 "10.0.0.4"
46 ]
47 }
48 ],
49 "rule": [
50 {
51 ".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
52 "src": "ipv4only",
53 "proto": "tcp",
54 "dest_port": "22",
55 "name": "Rule #1",
56 "target": "accept"
57 },
58
59 {
60 ".description": "Rules whose family conflicts with their addresses should be skipped",
61 "proto": "tcp",
62 "src_ip": "10.0.0.1",
63 "dest_port": "22",
64 "name": "Rule #2",
65 "target": "accept",
66 "family": "IPv6"
67 },
68
69 {
70 ".description": "Rules whose family conflicts with the zone family should be skipped",
71 "src": "ipv4only",
72 "proto": "tcp",
73 "dest_port": "22",
74 "name": "Rule #3",
75 "target": "accept",
76 "family": "IPv6"
77 },
78
79 {
80 ".description": "Rules whose family conflicts with the referenced set family should be skipped",
81 "src": "ipv4only",
82 "proto": "tcp",
83 "ipset": "ipv4set",
84 "name": "Rule #4",
85 "target": "accept",
86 "family": "IPv6"
87 }
88 ],
89 "redirect": [
90 {
91 ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
92 "src": "ipv4only",
93 "proto": "tcp",
94 "src_dport": "22",
95 "dest_ip": "fdca::1",
96 "name": "Redirect #1",
97 "target": "dnat"
98 },
99 ],
100 "nat": [
101 {
102 ".description": "NAT rules whose family conflicts with the referenced zone family should be skipped",
103 "name": "NAT #1",
104 "family": "ipv6",
105 "src": "ipv4only",
106 "target": "masquerade"
107 },
108
109 {
110 ".description": "NAT rules whose family conflicts with their addresses should be skipped",
111 "name": "NAT #2",
112 "family": "ipv4",
113 "src": "*",
114 "src_ip": "fc00::/7",
115 "target": "masquerade"
116 },
117
118 {
119 ".description": "NAT rules without any AF specific bits and unspecified family should default to IPv4 for backwards compatibility",
120 "name": "NAT #3",
121 "src": "*",
122 "target": "masquerade"
123 },
124
125 {
126 ".description": "NAT rules without explicit family but IPv6 specific bits should be IPv6",
127 "name": "NAT #4",
128 "src": "*",
129 "src_ip": "fc00::/7",
130 "target": "masquerade"
131 },
132
133
134 {
135 ".description": "NAT rules without explicit family that reference an IPv4 only zone should inherit the zone restrictions",
136 "name": "NAT #5",
137 "src": "ipv4only",
138 "target": "masquerade"
139 },
140
141 {
142 ".description": "NAT rules without any AF specific bits but explicit family any should be IPv4/IPv6",
143 "name": "NAT #6",
144 "family": "any",
145 "src": "*",
146 "target": "masquerade"
147 }
148 ]
149 }
150 -- End --
151
152 -- Expect stderr --
153 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping
154 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping
155 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
156 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
157 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
158 [!] Section @nat[0] (NAT #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
159 [!] Section @nat[1] (NAT #2) is restricted to IPv4 but referenced source IP is IPv6 only, skipping
160 -- End --
161
162 -- Expect stdout --
163 table inet fw4
164 flush table inet fw4
165
166 table inet fw4 {
167 #
168 # Set definitions
169 #
170
171 set ipv4set {
172 type ipv4_addr
173 elements = {
174 10.0.0.2,
175 10.0.0.3,
176 10.0.0.4,
177 }
178 }
179
180
181 #
182 # Defines
183 #
184
185 define ipv4only_subnets = { 192.168.1.0/24 }
186
187 #
188 # User includes
189 #
190
191 include "/etc/nftables.d/*.nft"
192
193
194 #
195 # Filter rules
196 #
197
198 chain input {
199 type filter hook input priority filter; policy drop;
200
201 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
202
203 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
204 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
205 }
206
207 chain forward {
208 type filter hook forward priority filter; policy drop;
209
210 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
211 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
212 }
213
214 chain output {
215 type filter hook output priority filter; policy drop;
216
217 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
218
219 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
220 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
221 }
222
223 chain handle_reject {
224 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
225 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
226 }
227
228 chain input_ipv4only {
229 meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
230 ct status dnat accept comment "!fw4: Accept port redirections"
231 jump drop_from_ipv4only
232 }
233
234 chain output_ipv4only {
235 jump drop_to_ipv4only
236 }
237
238 chain forward_ipv4only {
239 ct status dnat accept comment "!fw4: Accept port forwards"
240 jump drop_to_ipv4only
241 }
242
243 chain drop_from_ipv4only {
244 meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
245 }
246
247 chain drop_to_ipv4only {
248 meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
249 }
250
251
252 #
253 # NAT rules
254 #
255
256 chain dstnat {
257 type nat hook prerouting priority dstnat; policy accept;
258 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
259 }
260
261 chain srcnat {
262 type nat hook postrouting priority srcnat; policy accept;
263 meta nfproto ipv4 masquerade comment "!fw4: NAT #3"
264 ip6 saddr fc00::/7 masquerade comment "!fw4: NAT #4"
265 masquerade comment "!fw4: NAT #6"
266 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump srcnat_ipv4only comment "!fw4: Handle ipv4only IPv4 srcnat traffic"
267 }
268
269 chain dstnat_ipv4only {
270 }
271
272 chain srcnat_ipv4only {
273 meta nfproto ipv4 masquerade comment "!fw4: NAT #5"
274 }
275
276
277 #
278 # Raw rules (notrack & helper)
279 #
280
281 chain raw_prerouting {
282 type filter hook prerouting priority raw; policy accept;
283 }
284
285 chain raw_output {
286 type filter hook output priority raw; policy accept;
287 }
288
289
290 #
291 # Mangle rules
292 #
293
294 chain mangle_prerouting {
295 type filter hook prerouting priority mangle; policy accept;
296 }
297
298 chain mangle_postrouting {
299 type filter hook postrouting priority mangle; policy accept;
300 }
301
302 chain mangle_input {
303 type filter hook input priority mangle; policy accept;
304 }
305
306 chain mangle_output {
307 type route hook output priority mangle; policy accept;
308 }
309
310 chain mangle_forward {
311 type filter hook forward priority mangle; policy accept;
312 }
313 }
314 -- End --