1 Testing an ipset declaration: the static "entry" items and the lines read from "loadfile" must be merged into one nftables set whose type, size, timeout and comment follow the UCI declaration. No rule references the set here; this case checks only that the declaration is rendered.
2
3 -- Testcase --
{%
// Drive firewall4's main entry point with a stubbed process environment.
// The only variable the stub answers is ACTION, which it reports as
// "print"; any other name falls off the end of the function and so yields
// null. Presumably "print" makes main.uc emit the generated ruleset on
// stdout (that is what the "Expect stdout" section below captures) rather
// than applying it -- confirm against main.uc if this test is extended.
include("./root/usr/share/firewall4/main.uc", {
	getenv: function(name) {
		if (name === 'ACTION')
			return 'print';
	}
})
%}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File fs/open~set-entries_txt.txt --
21 10.11.12.13 53
22 172.16.27.1 443
23 -- End --
24
25 -- File uci/firewall.json --
26 {
27 "ipset": [
28 {
29 "name": "test-set",
30 "comment": "A simple set",
31 "counters": "1",
32 "family": "IPv4",
33 "match": [ "src_ip", "dest_port" ],
34 "timeout": "600",
35 "maxelem": "1000",
36 "entry": [
37 "1.2.3.4 80",
38 "5.6.7.8 22"
39 ],
40 "loadfile": "set-entries.txt"
41 }
42 ]
43 }
44 -- End --
45
46 -- Expect stdout --
47 table inet fw4
48 flush table inet fw4
49
50 table inet fw4 {
51 #
52 # Set definitions
53 #
54
55 set test-set {
56 comment "A simple set"
57 type ipv4_addr . inet_service
58 size 1000
59 timeout 600s
60 flags timeout
61 elements = {
62 1.2.3.4 . 80,
63 5.6.7.8 . 22,
64 10.11.12.13 . 53,
65 172.16.27.1 . 443,
66 }
67 }
68
69
70 #
71 # Defines
72 #
73
74
75 #
76 # User includes
77 #
78
79 include "/etc/nftables.d/*.nft"
80
81
82 #
83 # Filter rules
84 #
85
86 chain input {
87 type filter hook input priority filter; policy drop;
88
89 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
90
91 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
92 }
93
94 chain forward {
95 type filter hook forward priority filter; policy drop;
96
97 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
98 }
99
100 chain output {
101 type filter hook output priority filter; policy drop;
102
103 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
104
105 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
106 }
107
108 chain prerouting {
109 type filter hook prerouting priority filter; policy accept;
110 }
111
112 chain handle_reject {
113 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
114 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
115 }
116
117
118 #
119 # NAT rules
120 #
121
122 chain dstnat {
123 type nat hook prerouting priority dstnat; policy accept;
124 }
125
126 chain srcnat {
127 type nat hook postrouting priority srcnat; policy accept;
128 }
129
130
131 #
132 # Raw rules (notrack)
133 #
134
135 chain raw_prerouting {
136 type filter hook prerouting priority raw; policy accept;
137 }
138
139 chain raw_output {
140 type filter hook output priority raw; policy accept;
141 }
142
143
144 #
145 # Mangle rules
146 #
147
148 chain mangle_prerouting {
149 type filter hook prerouting priority mangle; policy accept;
150 }
151
152 chain mangle_postrouting {
153 type filter hook postrouting priority mangle; policy accept;
154 }
155
156 chain mangle_input {
157 type filter hook input priority mangle; policy accept;
158 }
159
160 chain mangle_output {
161 type route hook output priority mangle; policy accept;
162 }
163
164 chain mangle_forward {
165 type filter hook forward priority mangle; policy accept;
166 }
167 }
168 -- End --