1 Testing various option constraints.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
29 ".description": "Helper rules require an explicit source zone",
31 "name": "Helper rule #1",
35 ".description": "Helper rules require a set_helper option",
37 "name": "Helper rule #2",
43 ".description": "Notrack rules require an explicit source zone",
45 "name": "Notrack rule",
50 ".description": "DSCP target rules require a set_dscp option",
52 "name": "DSCP target rule #1",
57 ".description": "DSCP matches enforce AF-specific rules due to the required ip/ip6 prefix",
59 "name": "DSCP match rule #1",
64 ".description": "Mark rules require a set_xmark or set_mark option",
66 "name": "Mark rule #1",
74 [!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
75 [!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
76 [!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
77 [!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
78 [!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
100 include "/etc/nftables.d/*.nft"
108 type filter hook input priority filter; policy drop;
110 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
112 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
116 type filter hook forward priority filter; policy drop;
118 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
122 type filter hook output priority filter; policy drop;
124 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
126 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
127 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
128 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
131 chain handle_reject {
132 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
133 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
148 chain drop_from_lan {
160 type nat hook prerouting priority dstnat; policy accept;
164 type nat hook postrouting priority srcnat; policy accept;
169 # Raw rules (notrack & helper)
172 chain raw_prerouting {
173 type filter hook prerouting priority raw; policy accept;
177 type filter hook output priority raw; policy accept;
188 chain mangle_prerouting {
189 type filter hook prerouting priority mangle; policy accept;
192 chain mangle_postrouting {
193 type filter hook postrouting priority mangle; policy accept;
197 type filter hook input priority mangle; policy accept;
200 chain mangle_output {
201 type filter hook output priority mangle; policy accept;
204 chain mangle_forward {
205 type filter hook forward priority mangle; policy accept;