1 Test that wildcard devices are properly handled.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File fs/open~_sys_class_net_never_flags.txt --
24 -- File fs/open~_sys_class_net_test_flags.txt --
28 -- File fs/open~_sys_class_net_foo_flags.txt --
32 -- File fs/open~_sys_class_net_bar_flags.txt --
36 -- File fs/open~_sys_class_net_baz_flags.txt --
40 -- File fs/open~_sys_class_net_qrx_flags.txt --
44 -- File fs/open~_sys_class_net_test1_flags.txt --
48 -- File fs/open~_sys_class_net_test2_flags.txt --
52 -- File uci/firewall.json --
56 ".description": "A '+' device match should translate to no ifname match at all",
61 ".description": "An inverted '+' device match should result in a match that always fails (a sentinel device name no real interface can carry)",
66 ".description": "A 'name+' device match should translate to an nft wildcard pattern",
71 ".description": "Positive wildcard matches must not be grouped into sets; each wildcard pattern gets its own rule",
73 "device": [ "foo+", "bar+", "test1", "test2" ]
76 ".description": "Multiple inverted wildcard matches may be grouped into one rule, since negated matches are conjunctive and can be appended to every rule",
78 "device": [ "foo+", "bar+", "!baz+", "!qrx+", "test1", "test2", "!test3", "!test4" ]
93 define test1_devices = { "+" }
94 define test1_subnets = { }
96 define test2_devices = { "/never/" }
97 define test2_subnets = { }
99 define test3_devices = { "test*" }
100 define test3_subnets = { }
102 define test4_devices = { "foo*", "bar*", "test1", "test2" }
103 define test4_subnets = { }
105 define test5_devices = { "foo*", "bar*", "test1", "test2" }
106 define test5_subnets = { }
113 include "/etc/nftables.d/*.nft"
121 type filter hook input priority filter; policy drop;
123 iif "lo" accept comment "!fw4: Accept traffic from loopback"
125 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
126 jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
127 iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
128 iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
129 iifname "foo*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
130 iifname "bar*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
131 iifname { "test1", "test2" } jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
132 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
133 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
134 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
138 type filter hook forward priority filter; policy drop;
140 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
141 jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
142 iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
143 iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
144 iifname "foo*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
145 iifname "bar*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
146 iifname { "test1", "test2" } jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
147 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
148 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
149 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
153 type filter hook output priority filter; policy drop;
155 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
157 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
158 jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
159 oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
160 oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
161 oifname "foo*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
162 oifname "bar*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
163 oifname { "test1", "test2" } jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
164 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
165 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
166 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
170 type filter hook prerouting priority filter; policy accept;
171 iifname "/never/" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment"
172 iifname "test*" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment"
173 iifname "foo*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
174 iifname "bar*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
175 iifname { "test1", "test2" } jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
176 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
177 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
178 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
181 chain handle_reject {
182 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
183 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
194 chain forward_test1 {
201 chain drop_from_test1 {
202 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
205 chain drop_to_test1 {
206 counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
217 chain forward_test2 {
224 chain drop_from_test2 {
225 iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
228 chain drop_to_test2 {
229 oifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
240 chain forward_test3 {
247 chain drop_from_test3 {
248 iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
251 chain drop_to_test3 {
252 oifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
263 chain forward_test4 {
270 chain drop_from_test4 {
271 iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
272 iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
273 iifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
276 chain drop_to_test4 {
277 oifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
278 oifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
279 oifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
290 chain forward_test5 {
297 chain drop_from_test5 {
298 iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
299 iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
300 iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
303 chain drop_to_test5 {
304 oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
305 oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
306 oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
315 type nat hook prerouting priority dstnat; policy accept;
319 type nat hook postrouting priority srcnat; policy accept;
324 # Raw rules (notrack)
327 chain raw_prerouting {
328 type filter hook prerouting priority raw; policy accept;
332 type filter hook output priority raw; policy accept;
340 chain mangle_prerouting {
341 type filter hook prerouting priority mangle; policy accept;
344 chain mangle_postrouting {
345 type filter hook postrouting priority mangle; policy accept;
349 type filter hook input priority mangle; policy accept;
352 chain mangle_output {
353 type route hook output priority mangle; policy accept;
356 chain mangle_forward {
357 type filter hook forward priority mangle; policy accept;