1 Testing that generation of the rule dropping traffic in an invalid conntrack state can be inhibited.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File fs/open~_sys_class_net_zone1_flags.txt --
24 -- File fs/open~_sys_class_net_zone2_flags.txt --
28 -- File uci/firewall.json --
32 ".description": "No ct state invalid drop rule should be generated",
39 "masq_allow_invalid": 1
54 define test1_devices = { "zone1" }
55 define test1_subnets = { }
62 include "/etc/nftables.d/*.nft"
70 type filter hook input priority filter; policy drop;
72 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
74 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
75 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
79 type filter hook forward priority filter; policy drop;
81 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
82 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
86 type filter hook output priority filter; policy drop;
88 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
90 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
91 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
95 type filter hook prerouting priority filter; policy accept;
99 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
100 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
104 jump accept_from_test1
111 chain forward_test1 {
115 chain accept_from_test1 {
116 iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
119 chain accept_to_test1 {
120 oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
129 type nat hook prerouting priority dstnat; policy accept;
133 type nat hook postrouting priority srcnat; policy accept;
134 oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
138 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
143 # Raw rules (notrack)
146 chain raw_prerouting {
147 type filter hook prerouting priority raw; policy accept;
151 type filter hook output priority raw; policy accept;
159 chain mangle_prerouting {
160 type filter hook prerouting priority mangle; policy accept;
163 chain mangle_postrouting {
164 type filter hook postrouting priority mangle; policy accept;
168 type filter hook input priority mangle; policy accept;
171 chain mangle_output {
172 type route hook output priority mangle; policy accept;
175 chain mangle_forward {
176 type filter hook forward priority mangle; policy accept;