1 Ensure that NOTRACK rules end up in the appropriate chains, depending on
2 the src and dest options.
3
4 -- Testcase --
{%
include("./root/usr/share/firewall4/main.uc", {
	// Minimal environment stub for the test harness: only ACTION is answered,
	// and it is answered with 'print', so the generated ruleset is emitted on
	// stdout (matched against the "Expect stdout" section below). Every other
	// variable name yields no value.
	getenv: function(varname) {
		if (varname == 'ACTION')
			return 'print';
	}
})
%}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
22 0x1103
23 -- End --
24
25 -- File fs/open~_sys_class_net_lo_flags.txt --
26 0x9
27 -- End --
28
29 -- File uci/firewall.json --
30 {
31 "zone": [
32 {
33 "name": "zone1",
34 "device": [ "eth0" ],
35 "auto_helper": 0
36 },
37 {
38 "name": "zone2",
39 "device": [ "lo" ],
40 "auto_helper": 0
41 },
42 {
43 "name": "zone3",
44 "subnet": [ "127.0.0.1/8", "::1/128" ],
45 "auto_helper": 0
46 }
47 ],
48 "rule": [
49 {
50 ".description": "An ordinary notrack rule should end up in the raw_prerouting chain",
51 "name": "Notrack rule #1",
52 "src": "zone1",
53 "target": "NOTRACK"
54 },
55 {
56 ".description": "A notrack rule with loopback source device should end up in the raw_output chain",
57 "name": "Notrack rule #2",
58 "src": "zone2",
59 "target": "NOTRACK"
60 },
61 {
62 ".description": "A notrack rule with loopback source address should end up in the raw_output chain",
63 "name": "Notrack rule #3",
64 "src": "zone3",
65 "target": "NOTRACK"
66 }
67 ]
68 }
69 -- End --
70
71 -- Expect stdout --
72 table inet fw4
73 flush table inet fw4
74
75 table inet fw4 {
76 #
77 # Defines
78 #
79
80 define zone1_devices = { "eth0" }
81 define zone1_subnets = { }
82
83 define zone2_devices = { "lo" }
84 define zone2_subnets = { }
85
86 define zone3_devices = { }
87 define zone3_subnets = { 127.0.0.0/8, ::1 }
88
89
90 #
91 # User includes
92 #
93
94 include "/etc/nftables.d/*.nft"
95
96
97 #
98 # Filter rules
99 #
100
101 chain input {
102 type filter hook input priority filter; policy drop;
103
104 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
105
106 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
107 iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
108 iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic"
109 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic"
110 meta nfproto ipv6 ip6 saddr ::1 jump input_zone3 comment "!fw4: Handle zone3 IPv6 input traffic"
111 }
112
113 chain forward {
114 type filter hook forward priority filter; policy drop;
115
116 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
117 iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic"
118 iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic"
119 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic"
120 meta nfproto ipv6 ip6 saddr ::1 jump forward_zone3 comment "!fw4: Handle zone3 IPv6 forward traffic"
121 }
122
123 chain output {
124 type filter hook output priority filter; policy drop;
125
126 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
127
128 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
129 oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"
130 oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic"
131 meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic"
132 meta nfproto ipv6 ip6 daddr ::1 jump output_zone3 comment "!fw4: Handle zone3 IPv6 output traffic"
133 }
134
135 chain prerouting {
136 type filter hook prerouting priority filter; policy accept;
137 }
138
139 chain handle_reject {
140 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
141 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
142 }
143
144 chain input_zone1 {
145 jump drop_from_zone1
146 }
147
148 chain output_zone1 {
149 jump drop_to_zone1
150 }
151
152 chain forward_zone1 {
153 jump drop_to_zone1
154 }
155
156 chain drop_from_zone1 {
157 iifname "eth0" counter drop comment "!fw4: drop zone1 IPv4/IPv6 traffic"
158 }
159
160 chain drop_to_zone1 {
161 oifname "eth0" counter drop comment "!fw4: drop zone1 IPv4/IPv6 traffic"
162 }
163
164 chain input_zone2 {
165 jump drop_from_zone2
166 }
167
168 chain output_zone2 {
169 jump drop_to_zone2
170 }
171
172 chain forward_zone2 {
173 jump drop_to_zone2
174 }
175
176 chain drop_from_zone2 {
177 iifname "lo" counter drop comment "!fw4: drop zone2 IPv4/IPv6 traffic"
178 }
179
180 chain drop_to_zone2 {
181 oifname "lo" counter drop comment "!fw4: drop zone2 IPv4/IPv6 traffic"
182 }
183
184 chain input_zone3 {
185 jump drop_from_zone3
186 }
187
188 chain output_zone3 {
189 jump drop_to_zone3
190 }
191
192 chain forward_zone3 {
193 jump drop_to_zone3
194 }
195
196 chain drop_from_zone3 {
197 meta nfproto ipv4 ip saddr 127.0.0.0/8 counter drop comment "!fw4: drop zone3 IPv4 traffic"
198 meta nfproto ipv6 ip6 saddr ::1 counter drop comment "!fw4: drop zone3 IPv6 traffic"
199 }
200
201 chain drop_to_zone3 {
202 meta nfproto ipv4 ip daddr 127.0.0.0/8 counter drop comment "!fw4: drop zone3 IPv4 traffic"
203 meta nfproto ipv6 ip6 daddr ::1 counter drop comment "!fw4: drop zone3 IPv6 traffic"
204 }
205
206
207 #
208 # NAT rules
209 #
210
211 chain dstnat {
212 type nat hook prerouting priority dstnat; policy accept;
213 }
214
215 chain srcnat {
216 type nat hook postrouting priority srcnat; policy accept;
217 }
218
219
220 #
221 # Raw rules (notrack)
222 #
223
224 chain raw_prerouting {
225 type filter hook prerouting priority raw; policy accept;
226 iifname "eth0" jump notrack_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 notrack traffic"
227 }
228
229 chain raw_output {
230 type filter hook output priority raw; policy accept;
231 iifname "lo" jump notrack_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 notrack traffic"
232 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump notrack_zone3 comment "!fw4: Handle zone3 IPv4 notrack traffic"
233 meta nfproto ipv6 ip6 saddr ::1 jump notrack_zone3 comment "!fw4: Handle zone3 IPv6 notrack traffic"
234 }
235
236 chain notrack_zone1 {
237 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #1"
238 meta l4proto udp counter notrack comment "!fw4: Notrack rule #1"
239 }
240
241 chain notrack_zone2 {
242 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #2"
243 meta l4proto udp counter notrack comment "!fw4: Notrack rule #2"
244 }
245
246 chain notrack_zone3 {
247 meta l4proto tcp counter notrack comment "!fw4: Notrack rule #3"
248 meta l4proto udp counter notrack comment "!fw4: Notrack rule #3"
249 }
250
251
252 #
253 # Mangle rules
254 #
255
256 chain mangle_prerouting {
257 type filter hook prerouting priority mangle; policy accept;
258 }
259
260 chain mangle_postrouting {
261 type filter hook postrouting priority mangle; policy accept;
262 }
263
264 chain mangle_input {
265 type filter hook input priority mangle; policy accept;
266 }
267
268 chain mangle_output {
269 type route hook output priority mangle; policy accept;
270 }
271
272 chain mangle_forward {
273 type filter hook forward priority mangle; policy accept;
274 }
275 }
276 -- End --