1 Testing that rule declarations are mapped to the proper chains depending
2 on src and dest options.
3
4 -- Testcase --
{%
	// Drive the real ruleset generator with a stubbed environment:
	// only ACTION is answered, and it forces the generated nftables
	// ruleset to be printed to stdout (where the test compares it)
	// instead of being applied to the running kernel.
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(name) {
			if (name == 'ACTION')
				return 'print';
			// every other variable reads as unset
		}
	})
%}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File uci/firewall.json --
22 {
23 "rule": [
24 {
25 ".description": "Neither source, nor dest => should result in an output rule",
26 "proto": "any"
27 },
28 {
29 ".description": "Source any, no dest => should result in an input rule",
30 "proto": "any",
31 "src": "*"
32 },
33 {
34 ".description": "Dest any, no source => should result in an output rule",
35 "proto": "any",
36 "dest": "*"
37 },
38 {
39 ".description": "Source any, dest any => should result in a forward rule",
40 "proto": "any",
41 "src": "*",
42 "dest": "*"
43 }
44 ]
45 }
46 -- End --
47
48 -- Expect stdout --
49 table inet fw4
50 flush table inet fw4
51
52 table inet fw4 {
53 #
54 # Set definitions
55 #
56
57
58 #
59 # Defines
60 #
61
62
63 #
64 # User includes
65 #
66
67 include "/etc/nftables.d/*.nft"
68
69
70 #
71 # Filter rules
72 #
73
74 chain input {
75 type filter hook input priority filter; policy drop;
76
77 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
78
79 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
80 counter comment "!fw4: @rule[1]"
81 }
82
83 chain forward {
84 type filter hook forward priority filter; policy drop;
85
86 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
87 counter comment "!fw4: @rule[3]"
88 }
89
90 chain output {
91 type filter hook output priority filter; policy drop;
92
93 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
94
95 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
96 counter comment "!fw4: @rule[0]"
97 counter comment "!fw4: @rule[2]"
98 }
99
100 chain prerouting {
101 type filter hook prerouting priority filter; policy accept;
102 }
103
104 chain handle_reject {
105 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
106 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
107 }
108
109
110 #
111 # NAT rules
112 #
113
114 chain dstnat {
115 type nat hook prerouting priority dstnat; policy accept;
116 }
117
118 chain srcnat {
119 type nat hook postrouting priority srcnat; policy accept;
120 }
121
122
123 #
124 # Raw rules (notrack)
125 #
126
127 chain raw_prerouting {
128 type filter hook prerouting priority raw; policy accept;
129 }
130
131 chain raw_output {
132 type filter hook output priority raw; policy accept;
133 }
134
135
136 #
137 # Mangle rules
138 #
139
140 chain mangle_prerouting {
141 type filter hook prerouting priority mangle; policy accept;
142 }
143
144 chain mangle_postrouting {
145 type filter hook postrouting priority mangle; policy accept;
146 }
147
148 chain mangle_input {
149 type filter hook input priority mangle; policy accept;
150 }
151
152 chain mangle_output {
153 type route hook output priority mangle; policy accept;
154 }
155
156 chain mangle_forward {
157 type filter hook forward priority mangle; policy accept;
158 }
159 }
160 -- End --