1 Testing that zone masquerading source and destination restrictions are properly applied.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File fs/open~_sys_class_net_zone1_flags.txt --
24 -- File fs/open~_sys_class_net_zone2_flags.txt --
28 -- File uci/firewall.json --
32 ".description": "Positive and negative entries should be handled properly and IPv6 addresses should be filtered out for IPv4 masquerading",
61 ".description": "Positive and negative entries should be handled properly and IPv4 addresses should be filtered out for IPv6 masquerading",
107 define test1_devices = { "zone1" }
108 define test2_devices = { "zone2" }
114 include "/etc/nftables.d/*.nft"
122 type filter hook input priority filter; policy drop;
124 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
126 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
127 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
128 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
132 type filter hook forward priority filter; policy drop;
134 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
135 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
136 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
140 type filter hook output priority filter; policy drop;
142 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
144 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
145 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
146 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
149 chain handle_reject {
150 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
151 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
155 jump accept_from_test1
162 chain forward_test1 {
166 chain accept_from_test1 {
167 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
170 chain accept_to_test1 {
171 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
182 chain forward_test2 {
186 chain drop_from_test2 {
187 iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
190 chain drop_to_test2 {
191 oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
200 type nat hook prerouting priority dstnat; policy accept;
204 type nat hook postrouting priority srcnat; policy accept;
205 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
206 oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic"
210 meta nfproto ipv4 ip saddr { 10.1.0.0/24, 10.1.1.1 } ip saddr != { 10.1.0.1, 10.1.0.2 } ip daddr { 10.2.0.0/24, 10.2.1.1 } ip daddr != { 10.2.0.1, 10.2.0.2 } masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
214 meta nfproto ipv6 ip6 saddr { 2001:db8:0:1::/64, 2001:db8:0:2::/64 } ip6 saddr != { 2001:db8:0:1::1, 2001:db8:0:1::2 } ip6 daddr { 2001:db8:1:1::/64, 2001:db8:1:2::/64 } ip6 daddr != { 2001:db8:1:1::1, 2001:db8:1:1::2 } masquerade comment "!fw4: Masquerade IPv6 test2 traffic"
219 # Raw rules (notrack & helper)
222 chain raw_prerouting {
223 type filter hook prerouting priority raw; policy accept;
227 type filter hook output priority raw; policy accept;
235 chain mangle_prerouting {
236 type filter hook prerouting priority mangle; policy accept;
239 chain mangle_postrouting {
240 type filter hook postrouting priority mangle; policy accept;
244 type filter hook input priority mangle; policy accept;
247 chain mangle_output {
248 type filter hook output priority mangle; policy accept;
251 chain mangle_forward {
252 type filter hook forward priority mangle; policy accept;