1 Testing various option constraints.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
29 ".description": "Helper rules require an explicit source zone",
31 "name": "Helper rule #1",
35 ".description": "Helper rules require a set_helper option",
37 "name": "Helper rule #2",
43 ".description": "Notrack rules require an explicit source zone",
45 "name": "Notrack rule",
50 ".description": "DSCP target rules require a set_dscp option",
52 "name": "DSCP target rule #1",
57 ".description": "DSCP matches enforce AF-specific rules due to the required ip/ip6 prefix",
59 "name": "DSCP match rule #1",
64 ".description": "Mark rules require a set_xmark or set_mark option",
66 "name": "Mark rule #1",
74 [!] Section @rule[0] (Helper rule #1) must specify a source zone for target 'helper'
75 [!] Section @rule[1] (Helper rule #2) must specify option 'set_helper' for target 'helper'
76 [!] Section @rule[2] (Notrack rule) must specify a source zone for target 'notrack'
77 [!] Section @rule[3] (DSCP target rule #1) must specify option 'set_dscp' for target 'dscp'
78 [!] Section @rule[5] (Mark rule #1) must specify option 'set_mark' or 'set_xmark' for target 'mark'
90 define lan_devices = { }
91 define lan_subnets = { }
98 include "/etc/nftables.d/*.nft"
106 type filter hook input priority filter; policy drop;
108 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
110 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
114 type filter hook forward priority filter; policy drop;
116 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
120 type filter hook output priority filter; policy drop;
122 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
124 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
125 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
126 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
130 type filter hook prerouting priority filter; policy accept;
133 chain handle_reject {
134 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
135 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
153 chain drop_from_lan {
165 type nat hook prerouting priority dstnat; policy accept;
169 type nat hook postrouting priority srcnat; policy accept;
174 # Raw rules (notrack)
177 chain raw_prerouting {
178 type filter hook prerouting priority raw; policy accept;
182 type filter hook output priority raw; policy accept;
190 chain mangle_prerouting {
191 type filter hook prerouting priority mangle; policy accept;
194 chain mangle_postrouting {
195 type filter hook postrouting priority mangle; policy accept;
199 type filter hook input priority mangle; policy accept;
202 chain mangle_output {
203 type route hook output priority mangle; policy accept;
206 chain mangle_forward {
207 type filter hook forward priority mangle; policy accept;