1 Test that configured zone log limits are honored in emitted log rules: a zone with a log_limit gets a named nft limit object that gates its zone-level log rules, a per-rule limit overrides the zone limit, and a zone with log but no limit logs unlimited (log and verdict combined in a single rule).
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/firewall.json --
20 ".description": "test zone with log_limit",
28 ".description": "test zone with MASQ and log_limit",
38 ".description": "test zone with log_limit and no log",
45 ".description": "test zone with log and no limit; should produce single multi-target rules (log and verdict combined, no rate limiting)",
63 ".description": "src lan log",
70 ".description": "src lan no log",
77 ".description": "dest lan log",
84 ".description": "dest lan no log",
91 ".description": "Source any, dest lan, log",
99 ".description": "Source any, dest lan, no log",
107 ".description": "src any log",
114 ".description": "src any no log",
121 "name": "Deny guest with no log",
127 "name": "Deny guest with log",
134 "name": "Deny rule #1",
138 "src_ip": [ "192.168.1.2" ],
142 "name": "Deny rule #2",
146 "src_ip": [ "192.168.1.3" ],
150 ".description": "src any log",
163 "dest_ip": "10.0.0.2",
171 "dest_ip": "10.0.0.2",
181 -- File uci/helpers.json --
194 define lan_devices = { "br-lan" }
195 define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
197 define wan_devices = { "pppoe-wan" }
198 define wan_subnets = { 10.11.12.0/24 }
200 define guest_devices = { "br-guest" }
201 define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
203 define wan6_devices = { "pppoe-wan" }
204 define wan6_subnets = { 2001:db8:54:321::/64 }
211 limit lan.log_limit {
212 comment "lan log limit"
216 limit wan.log_limit {
217 comment "wan log limit"
221 limit guest.log_limit {
222 comment "guest log limit"
231 include "/etc/nftables.d/*.nft"
239 type filter hook input priority filter; policy drop;
241 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
243 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
244 tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]"
245 tcp dport 1008 counter comment "!fw4: @rule[7]"
246 tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: "
247 tcp dport 1009 counter comment "!fw4: @rule[12]"
248 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
249 meta nfproto ipv4 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4 input traffic"
250 iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
251 meta nfproto ipv6 iifname "pppoe-wan" jump input_wan6 comment "!fw4: Handle wan6 IPv6 input traffic"
255 type filter hook forward priority filter; policy drop;
257 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
258 tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: "
259 tcp dport 1005 counter comment "!fw4: @rule[4]"
260 tcp dport 1006 counter comment "!fw4: @rule[5]"
261 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
262 meta nfproto ipv4 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4 forward traffic"
263 iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
264 meta nfproto ipv6 iifname "pppoe-wan" jump forward_wan6 comment "!fw4: Handle wan6 IPv6 forward traffic"
268 type filter hook output priority filter; policy drop;
270 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
272 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
273 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
274 meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
275 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
276 meta nfproto ipv6 oifname "pppoe-wan" jump output_wan6 comment "!fw4: Handle wan6 IPv6 output traffic"
280 type filter hook prerouting priority filter; policy accept;
283 chain handle_reject {
284 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
285 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
289 tcp dport 1001 limit name "lan.log_limit" log prefix "@rule[0]: "
290 tcp dport 1001 counter comment "!fw4: @rule[0]"
291 tcp dport 1002 counter comment "!fw4: @rule[1]"
292 ct status dnat accept comment "!fw4: Accept port redirections"
297 tcp dport 1003 limit name "lan.log_limit" log prefix "@rule[2]: "
298 tcp dport 1003 counter comment "!fw4: @rule[2]"
299 tcp dport 1004 counter comment "!fw4: @rule[3]"
304 ip saddr 192.168.1.2 counter jump drop_to_wan comment "!fw4: Deny rule #1"
305 meta l4proto icmp ip saddr 192.168.1.3 counter jump drop_to_wan comment "!fw4: Deny rule #2"
306 meta nfproto ipv4 jump accept_to_wan comment "!fw4: Accept lan to wan IPv4 forwarding"
307 ct status dnat accept comment "!fw4: Accept port forwards"
309 limit name "lan.log_limit" log prefix "drop lan forward: "
312 chain accept_to_lan {
313 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
316 chain drop_from_lan {
317 iifname "br-lan" limit name "lan.log_limit" log prefix "drop lan in: "
318 iifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
322 oifname "br-lan" limit name "lan.log_limit" log prefix "drop lan out: "
323 oifname "br-lan" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
327 ct status dnat accept comment "!fw4: Accept port redirections"
336 ct status dnat accept comment "!fw4: Accept port forwards"
338 limit name "wan.log_limit" log prefix "drop wan forward: "
341 chain accept_to_wan {
342 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid limit name "wan.log_limit" log prefix "drop wan invalid ct state: "
343 meta nfproto ipv4 oifname "pppoe-wan" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
344 meta nfproto ipv4 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4 traffic"
347 chain drop_from_wan {
348 meta nfproto ipv4 iifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan in: "
349 meta nfproto ipv4 iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic"
353 meta nfproto ipv4 oifname "pppoe-wan" limit name "wan.log_limit" log prefix "drop wan out: "
354 meta nfproto ipv4 oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4 traffic"
362 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with no log"
363 meta l4proto { "icmp", "ipv6-icmp" } limit name "guest.log_limit" log prefix "Deny guest with log: "
364 meta l4proto { "icmp", "ipv6-icmp" } counter jump drop_to_guest comment "!fw4: Deny guest with log"
368 chain forward_guest {
372 chain drop_from_guest {
373 iifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic"
376 chain drop_to_guest {
377 oifname "br-guest" counter drop comment "!fw4: drop guest IPv4/IPv6 traffic"
390 log prefix "drop wan6 forward: "
393 chain drop_from_wan6 {
394 meta nfproto ipv6 iifname "pppoe-wan" counter log prefix "drop wan6 in: " drop comment "!fw4: drop wan6 IPv6 traffic"
398 meta nfproto ipv6 oifname "pppoe-wan" counter log prefix "drop wan6 out: " drop comment "!fw4: drop wan6 IPv6 traffic"
407 type nat hook prerouting priority dstnat; policy accept;
408 iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
409 meta nfproto ipv4 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4 dstnat traffic"
413 type nat hook postrouting priority srcnat; policy accept;
414 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
415 meta nfproto ipv4 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4 srcnat traffic"
419 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:22 comment "!fw4: @redirect[0] (reflection)"
420 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 dnat 10.0.0.2:23 comment "!fw4: @redirect[1] (reflection)"
424 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 22 snat 10.0.0.1 comment "!fw4: @redirect[0] (reflection)"
425 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.0.0.2 tcp dport 23 snat 10.0.0.1 comment "!fw4: @redirect[1] (reflection)"
429 meta nfproto ipv4 limit name "wan.log_limit" log prefix "@redirect[0]: "
430 meta nfproto ipv4 counter dnat 10.0.0.2:22 comment "!fw4: @redirect[0]"
431 meta nfproto ipv4 limit rate 4/minute log prefix "@redirect[1]: "
432 meta nfproto ipv4 counter dnat 10.0.0.2:23 comment "!fw4: @redirect[1]"
436 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
441 # Raw rules (notrack)
444 chain raw_prerouting {
445 type filter hook prerouting priority raw; policy accept;
449 type filter hook output priority raw; policy accept;
457 chain mangle_prerouting {
458 type filter hook prerouting priority mangle; policy accept;
461 chain mangle_postrouting {
462 type filter hook postrouting priority mangle; policy accept;
466 type filter hook input priority mangle; policy accept;
469 chain mangle_output {
470 type route hook output priority mangle; policy accept;
473 chain mangle_forward {
474 type filter hook forward priority mangle; policy accept;