fw4: fix handling the ipset "comment" option
1 Test matching an ipset in rules.
2
3 -- Testcase --
4 {%
// Test harness: run the firewall4 entry point with a stubbed getenv().
// Only ACTION is answered (with 'print'); any other variable name falls
// through the switch and returns nothing.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
7 switch (varname) {
8 case 'ACTION':
9 return 'print';
10 }
11 }
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File fs/open~_proc_version.txt --
21 Linux version 5.10.113 (jow@j7) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r17858+262-2c3e8bed3f) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Tue May 17 19:05:07 2022
22 -- End --
23
24 -- File uci/firewall.json --
25 {
26 "ipset": [
27 {
28 "name": "test-set-1",
29 "comment": "Test set #1 with traffic direction in type declaration",
30 "match": [ "src_ip", "dest_port" ],
31 "entry": [
32 "1.2.3.4 80",
33 "5.6.7.8 22"
34 ]
35 },
36 {
37 "name": "test-set-2",
38 "comment": "Test set #2 with unspecified traffic direction",
39 "match": [ "ip", "port" ],
40 "entry": [
41 "1.2.3.4 80",
42 "5.6.7.8 22"
43 ]
44 },
45 {
46 "name": "test-set-3",
47 "comment": "Test set #3 with IPv6 addresses",
48 "family": "IPv6",
49 "match": [ "net", "net", "port" ],
50 "entry": [
51 "db80:1234:4567::1/64 db80:1234:abcd::1/64 80",
52 "db80:8765:aaaa::1/64 db80:8765:ffff::1/64 22",
53 "db80:1:2:3:4:0:0:1 0:0:0:0:0:0:0:0/0 443",
54 ]
55 }
56 ],
57 "rule": [
58 {
59 "name": "Rule using test set #1",
60 "src": "*",
61 "dest": "*",
62 "proto": "tcp",
63 "ipset": "test-set-1"
64 },
65 {
66 "name": "Rule using test set #2, match direction should default to 'source'",
67 "src": "*",
68 "dest": "*",
69 "proto": "tcp",
70 "ipset": "test-set-2"
71 },
72 {
73 "name": "Rule using test set #1, overriding match direction",
74 "src": "*",
75 "dest": "*",
76 "proto": "tcp",
77 "ipset": "test-set-1 dst src"
78 },
79 {
80 "name": "Rule using test set #2, specifiying match direction",
81 "src": "*",
82 "dest": "*",
83 "proto": "tcp",
84 "ipset": "test-set-2 dst dst"
85 },
86 {
87 "name": "Rule using test set #1, overriding direction and inverting match",
88 "src": "*",
89 "dest": "*",
90 "proto": "tcp",
91 "ipset": "!test-set-1 dst src"
92 },
93 {
94 "name": "Rule using test set #3 with alternative direction notation, should inherit IPv6 family",
95 "src": "*",
96 "dest": "*",
97 "proto": "tcp",
98 "ipset": "test-set-3 src,dest,dest"
99 },
100 ]
101 }
102 -- End --
103
104 -- Expect stdout --
105 table inet fw4
106 flush table inet fw4
107
108 table inet fw4 {
109 #
110 # Set definitions
111 #
112
113 set test-set-1 {
114 comment "Test set #1 with traffic direction in type declaration"
115 type ipv4_addr . inet_service
116 elements = {
117 1.2.3.4 . 80,
118 5.6.7.8 . 22,
119 }
120 }
121
122 set test-set-2 {
123 comment "Test set #2 with unspecified traffic direction"
124 type ipv4_addr . inet_service
125 elements = {
126 1.2.3.4 . 80,
127 5.6.7.8 . 22,
128 }
129 }
130
131 set test-set-3 {
132 comment "Test set #3 with IPv6 addresses"
133 type ipv6_addr . ipv6_addr . inet_service
134 auto-merge
135 flags interval
136 elements = {
137 db80:1234:4567::1/64 . db80:1234:abcd::1/64 . 80,
138 db80:8765:aaaa::1/64 . db80:8765:ffff::1/64 . 22,
139 db80:1:2:3:4::1/128 . ::/0 . 443,
140 }
141 }
142
143
144 #
145 # Defines
146 #
147
148
149 #
150 # User includes
151 #
152
153 include "/etc/nftables.d/*.nft"
154
155
156 #
157 # Filter rules
158 #
159
160 chain input {
161 type filter hook input priority filter; policy drop;
162
163 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
164
165 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
166 }
167
168 chain forward {
169 type filter hook forward priority filter; policy drop;
170
171 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
172 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
173 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
174 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
175 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp dport @test-set-2 counter comment "!fw4: Rule using test set #2, specifiying match direction"
176 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport != @test-set-1 counter comment "!fw4: Rule using test set #1, overriding direction and inverting match"
177 meta nfproto ipv6 meta l4proto tcp ip6 saddr . ip6 daddr . tcp dport @test-set-3 counter comment "!fw4: Rule using test set #3 with alternative direction notation, should inherit IPv6 family"
178 }
179
180 chain output {
181 type filter hook output priority filter; policy drop;
182
183 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
184
185 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
186 }
187
188 chain prerouting {
189 type filter hook prerouting priority filter; policy accept;
190 }
191
192 chain handle_reject {
193 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
194 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
195 }
196
197
198 #
199 # NAT rules
200 #
201
202 chain dstnat {
203 type nat hook prerouting priority dstnat; policy accept;
204 }
205
206 chain srcnat {
207 type nat hook postrouting priority srcnat; policy accept;
208 }
209
210
211 #
212 # Raw rules (notrack)
213 #
214
215 chain raw_prerouting {
216 type filter hook prerouting priority raw; policy accept;
217 }
218
219 chain raw_output {
220 type filter hook output priority raw; policy accept;
221 }
222
223
224 #
225 # Mangle rules
226 #
227
228 chain mangle_prerouting {
229 type filter hook prerouting priority mangle; policy accept;
230 }
231
232 chain mangle_postrouting {
233 type filter hook postrouting priority mangle; policy accept;
234 }
235
236 chain mangle_input {
237 type filter hook input priority mangle; policy accept;
238 }
239
240 chain mangle_output {
241 type route hook output priority mangle; policy accept;
242 }
243
244 chain mangle_forward {
245 type filter hook forward priority mangle; policy accept;
246 }
247 }
248 -- End --