ruleset: dispatch ct states using verdict map
1 Testing that `option log 1` enables rule logging and sets the rule name as
2 log prefix. Also testing that setting `option log` to a non-boolean
3 string uses that string verbatim as log prefix.
4
5 -- Testcase --
6 {%
7 include("./root/usr/share/firewall4/main.uc", {
8 getenv: function(varname) {
9 switch (varname) {
10 case 'ACTION':
11 return 'print';
12 }
13 }
14 })
15 %}
16 -- End --
17
18 -- File uci/helpers.json --
19 {}
20 -- End --
21
22 -- File uci/firewall.json --
23 {
24 "zone": [
25 {
26 "name": "wan"
27 }
28 ],
29 "rule": [
30 {
31 "proto": "any",
32 "log": "1"
33 },
34 {
35 "name": "Explicit rule name",
36 "proto": "any",
37 "log": "1"
38 },
39 { "proto": "any",
40 "log": "Explicit prefix: "
41 }
42 ],
43 "redirect": [
44 {
45 "proto": "tcp",
46 "src": "wan",
47 "dest_ip": "10.0.0.2",
48 "dest_port": "22",
49 "log": "1"
50 },
51 {
52 "name": "Explicit redirect name",
53 "proto": "tcp",
54 "src": "wan",
55 "dest_ip": "10.0.0.3",
56 "dest_port": "23",
57 "log": "1"
58 },
59 {
60 "proto": "tcp",
61 "src": "wan",
62 "dest_ip": "10.0.0.4",
63 "dest_port": "24",
64 "log": "Explicit prefix: "
65 }
66 ],
67 "nat": [
68 {
69 "src": "wan",
70 "target": "MASQUERADE",
71 "log": "1"
72 },
73 {
74 "name": "Explicit nat name",
75 "src": "wan",
76 "target": "MASQUERADE",
77 "log": "1"
78 },
79 {
80 "src": "wan",
81 "target": "MASQUERADE",
82 "log": "Explicit log prefix: "
83 }
84 ]
85 }
86 -- End --
87
88 -- Expect stdout --
89 table inet fw4
90 flush table inet fw4
91
92 table inet fw4 {
93 #
94 # Defines
95 #
96
97 define wan_devices = { }
98 define wan_subnets = { }
99
100
101 #
102 # User includes
103 #
104
105 include "/etc/nftables.d/*.nft"
106
107
108 #
109 # Filter rules
110 #
111
112 chain input {
113 type filter hook input priority filter; policy drop;
114
115 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
116
117 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
118 }
119
120 chain forward {
121 type filter hook forward priority filter; policy drop;
122
123 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
124 }
125
126 chain output {
127 type filter hook output priority filter; policy drop;
128
129 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
130
131 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
132 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
133 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
134 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"
135 }
136
137 chain prerouting {
138 type filter hook prerouting priority filter; policy accept;
139 }
140
141 chain handle_reject {
142 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
143 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
144 }
145
146 chain input_wan {
147 ct status dnat accept comment "!fw4: Accept port redirections"
148 jump drop_from_wan
149 }
150
151 chain output_wan {
152 jump drop_to_wan
153 }
154
155 chain forward_wan {
156 ct status dnat accept comment "!fw4: Accept port forwards"
157 jump drop_to_wan
158 }
159
160 chain helper_wan {
161 }
162
163 chain drop_from_wan {
164 }
165
166 chain drop_to_wan {
167 }
168
169
170 #
171 # NAT rules
172 #
173
174 chain dstnat {
175 type nat hook prerouting priority dstnat; policy accept;
176 }
177
178 chain srcnat {
179 type nat hook postrouting priority srcnat; policy accept;
180 }
181
182 chain dstnat_wan {
183 meta nfproto ipv4 counter log prefix "@redirect[0]: " dnat 10.0.0.2:22 comment "!fw4: @redirect[0]"
184 meta nfproto ipv4 counter log prefix "Explicit redirect name: " dnat 10.0.0.3:23 comment "!fw4: Explicit redirect name"
185 meta nfproto ipv4 counter log prefix "Explicit prefix: " dnat 10.0.0.4:24 comment "!fw4: @redirect[2]"
186 }
187
188 chain srcnat_wan {
189 meta nfproto ipv4 counter log prefix "@nat[0]: " masquerade comment "!fw4: @nat[0]"
190 meta nfproto ipv4 counter log prefix "Explicit nat name: " masquerade comment "!fw4: Explicit nat name"
191 meta nfproto ipv4 counter log prefix "Explicit log prefix: " masquerade comment "!fw4: @nat[2]"
192 }
193
194
195 #
196 # Raw rules (notrack)
197 #
198
199 chain raw_prerouting {
200 type filter hook prerouting priority raw; policy accept;
201 }
202
203 chain raw_output {
204 type filter hook output priority raw; policy accept;
205 }
206
207
208 #
209 # Mangle rules
210 #
211
212 chain mangle_prerouting {
213 type filter hook prerouting priority mangle; policy accept;
214 }
215
216 chain mangle_postrouting {
217 type filter hook postrouting priority mangle; policy accept;
218 }
219
220 chain mangle_input {
221 type filter hook input priority mangle; policy accept;
222 }
223
224 chain mangle_output {
225 type route hook output priority mangle; policy accept;
226 }
227
228 chain mangle_forward {
229 type filter hook forward priority mangle; policy accept;
230 }
231 }
232 -- End --