1 Ensure that DSCP and MARK target rules end up in the appropriate chains,
2 depending on the src and dest options.
6 include("./root/usr/share/firewall4/main.uc", {
7 getenv: function(varname) {
17 -- File uci/helpers.json --
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
29 -- File fs/open~_sys_class_net_eth2_flags.txt --
33 -- File fs/open~_sys_class_net_eth3_flags.txt --
37 -- File uci/firewall.json --
42 "device": [ "eth0", "eth1" ]
46 "device": [ "eth2", "eth3" ]
51 ".description": "Source '*' and destination '*' should result in a forward rule",
52 "name": "Mangle rule #1",
59 ".description": "Source zone and destination zone should result in a forward rule",
60 "name": "Mangle rule #2",
67 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
68 "name": "Mangle rule #3",
75 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
76 "name": "Mangle rule #4",
83 ".description": "Specific source zone and no destination zone should result in an input rule",
84 "name": "Mangle rule #5",
90 ".description": "Any source zone and no destination zone should result in an input rule",
91 "name": "Mangle rule #6",
97 ".description": "No source zone and no destination zone should result in an output rule",
98 "name": "Mangle rule #7",
103 ".description": "No source zone and any destination zone should result in an output rule",
104 "name": "Mangle rule #8",
110 ".description": "No source zone and specific destination zone should result in an output rule",
111 "name": "Mangle rule #9",
117 ".description": "Option device with no direction should override inbound ifname match",
118 "name": "Mangle rule #10",
126 ".description": "Option device with direction 'in' should override inbound ifname match",
127 "name": "Mangle rule #11",
136 ".description": "Option device with direction 'out' should override outbound ifname match",
137 "name": "Mangle rule #12",
163 define lan_devices = { "eth0", "eth1" }
164 define wan_devices = { "eth2", "eth3" }
170 include "/etc/nftables.d/*.nft"
178 type filter hook input priority filter; policy drop;
180 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
182 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
183 iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
184 iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
188 type filter hook forward priority filter; policy drop;
190 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
191 iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
192 iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
196 type filter hook output priority filter; policy drop;
198 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
200 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
201 oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
202 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
206 type filter hook prerouting priority filter; policy accept;
207 iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
208 iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
211 chain handle_reject {
212 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
213 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
231 chain drop_from_lan {
232 iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
236 oifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
254 chain drop_from_wan {
255 iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
259 oifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
268 type nat hook prerouting priority dstnat; policy accept;
272 type nat hook postrouting priority srcnat; policy accept;
277 # Raw rules (notrack)
280 chain raw_prerouting {
281 type filter hook prerouting priority raw; policy accept;
285 type filter hook output priority raw; policy accept;
293 chain mangle_prerouting {
294 type filter hook prerouting priority mangle; policy accept;
295 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
296 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
297 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
298 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
301 chain mangle_postrouting {
302 type filter hook postrouting priority mangle; policy accept;
303 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
304 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
305 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
306 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
307 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
308 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
309 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
310 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
311 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
312 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
313 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
314 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
315 meta nfproto ipv4 meta l4proto tcp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
316 meta nfproto ipv6 meta l4proto tcp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
317 meta nfproto ipv4 meta l4proto udp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
318 meta nfproto ipv6 meta l4proto udp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
322 type filter hook input priority mangle; policy accept;
323 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
324 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
325 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
326 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
327 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
328 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
329 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
330 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
333 chain mangle_output {
334 type route hook output priority mangle; policy accept;
335 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
336 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
337 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
338 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
339 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
340 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
341 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
342 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
343 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
344 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
345 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
346 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
349 chain mangle_forward {
350 type filter hook forward priority mangle; policy accept;
351 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
352 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
353 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
354 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
355 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
356 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
357 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
358 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"