1 Testing handling of ICMP-related options.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
24 ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
26 "name": "ICMP rule #1"
29 ".description": "Proto 'icmpv6' maps to IPv6 rule only",
31 "name": "ICMP rule #2",
34 ".description": "Proto 'ipv6-icmp' is an alias for 'icmpv6'",
36 "name": "ICMP rule #3",
39 ".description": "Proto 'icmp' with IPv4 specific types inhibits IPv6 rule",
41 "name": "ICMP rule #4",
42 "icmp_type": [ "ip-header-bad" ]
45 ".description": "Proto 'icmp' with IPv6 specific types inhibits IPv4 rule",
47 "name": "ICMP rule #5",
48 "icmp_type": [ "neighbour-advertisement" ]
68 include "/etc/nftables.d/*.nft"
76 type filter hook input priority filter; policy drop;
78 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
80 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
84 type filter hook forward priority filter; policy drop;
86 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
90 type filter hook output priority filter; policy drop;
92 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
94 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
95 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
96 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
97 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
98 meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
99 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
103 type filter hook prerouting priority filter; policy accept;
106 chain handle_reject {
107 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
108 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
117 type nat hook prerouting priority dstnat; policy accept;
121 type nat hook postrouting priority srcnat; policy accept;
126 # Raw rules (notrack)
129 chain raw_prerouting {
130 type filter hook prerouting priority raw; policy accept;
134 type filter hook output priority raw; policy accept;
142 chain mangle_prerouting {
143 type filter hook prerouting priority mangle; policy accept;
146 chain mangle_postrouting {
147 type filter hook postrouting priority mangle; policy accept;
151 type filter hook input priority mangle; policy accept;
154 chain mangle_output {
155 type route hook output priority mangle; policy accept;
158 chain mangle_forward {
159 type filter hook forward priority mangle; policy accept;