1 Testing that `config rule` rules are rendered before `config forwarding` ones
2 and that rules are rendered in the order in which they are declared. The
ordering is security-relevant: nftables evaluates a chain's rules top to bottom,
so a `config forwarding` accept emitted ahead of a `config rule` deny would
shadow the deny and let the traffic through.
6 include("./root/usr/share/firewall4/main.uc", {
9 getenv: function(varname) {
19 -- File uci/helpers.json --
23 -- File uci/firewall.json --
45 "name": "Deny rule #1",
49 "src_ip": [ "192.168.1.2" ],
53 "name": "Deny rule #2",
57 "src_ip": [ "192.168.1.3" ],
73 define lan_devices = { "br-lan" }
74 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
76 define wan_devices = { "pppoe-wan" }
77 define wan_subnets = { 10.11.12.0/24 }
84 include "/etc/nftables.d/*.nft"
92 type filter hook input priority filter; policy drop;
94 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
96 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
97 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
98 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
102 type filter hook forward priority filter; policy drop;
104 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
105 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
106 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
110 type filter hook output priority filter; policy drop;
112 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
114 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
115 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
116 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
120 type filter hook prerouting priority filter; policy accept;
123 chain handle_reject {
124 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
125 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
137 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
138 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
139 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
143 chain drop_from_lan {
144 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
148 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
163 chain accept_to_wan {
164 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
167 chain drop_from_wan {
168 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
172 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
181 type nat hook prerouting priority dstnat; policy accept;
185 type nat hook postrouting priority srcnat; policy accept;
190 # Raw rules (notrack)
193 chain raw_prerouting {
194 type filter hook prerouting priority raw; policy accept;
198 type filter hook output priority raw; policy accept;
206 chain mangle_prerouting {
207 type filter hook prerouting priority mangle; policy accept;
210 chain mangle_postrouting {
211 type filter hook postrouting priority mangle; policy accept;
215 type filter hook input priority mangle; policy accept;
218 chain mangle_output {
219 type route hook output priority mangle; policy accept;
222 chain mangle_forward {
223 type filter hook forward priority mangle; policy accept;
229 [call] ctx.call object <network.interface> method <dump> args <null>
230 [call] ctx.call object <service> method <get_data> args <{ "type": "firewall" }>
231 [call] fs.open path </proc/version> mode <r>
232 [call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>