1 Testing handling of ICMP-related options.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
24 ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
26 "name": "ICMP rule #1"
29 ".description": "Proto 'icmpv6' maps to IPv6 rule only",
31 "name": "ICMP rule #2",
34 ".description": "Proto 'ipv6-icmp' is an alias for 'icmpv6'",
36 "name": "ICMP rule #3",
39 ".description": "Proto 'icmp' with IPv4-specific types inhibits IPv6 rule",
41 "name": "ICMP rule #4",
42 "icmp_type": [ "ip-header-bad" ]
45 ".description": "Proto 'icmp' with IPv6-specific types inhibits IPv4 rule",
47 "name": "ICMP rule #5",
48 "icmp_type": [ "neighbour-advertisement" ]
73 include "/etc/nftables.d/*.nft"
81 type filter hook input priority filter; policy drop;
83 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
85 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
89 type filter hook forward priority filter; policy drop;
91 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
95 type filter hook output priority filter; policy drop;
97 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
99 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
100 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
101 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
102 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
103 meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
104 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
108 type filter hook prerouting priority filter; policy accept;
111 chain handle_reject {
112 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
113 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
122 type nat hook prerouting priority dstnat; policy accept;
126 type nat hook postrouting priority srcnat; policy accept;
131 # Raw rules (notrack)
134 chain raw_prerouting {
135 type filter hook prerouting priority raw; policy accept;
139 type filter hook output priority raw; policy accept;
147 chain mangle_prerouting {
148 type filter hook prerouting priority mangle; policy accept;
151 chain mangle_postrouting {
152 type filter hook postrouting priority mangle; policy accept;
156 type filter hook input priority mangle; policy accept;
159 chain mangle_output {
160 type route hook output priority mangle; policy accept;
163 chain mangle_forward {
164 type filter hook forward priority mangle; policy accept;