Ensure that DSCP and MARK target rules are emitted into the appropriate mangle chain (prerouting, postrouting, input, output or forward), depending on the rule's src and dest options.
6 include("./root/usr/share/firewall4/main.uc", {
7 getenv: function(varname) {
17 -- File uci/helpers.json --
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
29 -- File uci/firewall.json --
43 ".description": "Source '*' and destination '*' should result in a forward rule",
44 "name": "Mangle rule #1",
51 ".description": "Source zone and destination zone should result in a forward rule",
52 "name": "Mangle rule #2",
59 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
60 "name": "Mangle rule #3",
67 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
68 "name": "Mangle rule #4",
75 ".description": "Specific source zone and no destination zone should result in an input rule",
76 "name": "Mangle rule #5",
82 ".description": "Any source zone and no destination zone should result in an input rule",
83 "name": "Mangle rule #6",
89 ".description": "No source zone and no destination zone should result in an output rule",
90 "name": "Mangle rule #7",
95 ".description": "No source zone and any destination zone should result in an output rule",
96 "name": "Mangle rule #8",
102 ".description": "No source zone and specific destination zone should result in an output rule",
103 "name": "Mangle rule #9",
126 define lan_devices = { "eth0" }
127 define wan_devices = { "eth1" }
133 include "/etc/nftables.d/*.nft"
141 type filter hook input priority filter; policy drop;
143 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
145 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
146 iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
147 iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
151 type filter hook forward priority filter; policy drop;
153 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
154 iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
155 iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
159 type filter hook output priority filter; policy drop;
161 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
163 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
164 oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
165 oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
168 chain handle_reject {
169 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
170 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
185 chain drop_from_lan {
186 iifname "eth0" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
190 oifname "eth0" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
205 chain drop_from_wan {
206 iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
210 oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
219 type nat hook prerouting priority dstnat; policy accept;
223 type nat hook postrouting priority srcnat; policy accept;
228 # Raw rules (notrack & helper)
231 chain raw_prerouting {
232 type filter hook prerouting priority raw; policy accept;
233 iifname "eth0" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
234 iifname "eth1" jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
238 type filter hook output priority raw; policy accept;
252 chain mangle_prerouting {
253 type filter hook prerouting priority mangle; policy accept;
254 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
255 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
256 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
257 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
260 chain mangle_postrouting {
261 type filter hook postrouting priority mangle; policy accept;
262 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
263 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
264 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
265 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
269 type filter hook input priority mangle; policy accept;
270 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
271 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
272 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
273 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
274 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
275 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
276 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
277 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
280 chain mangle_output {
281 type filter hook output priority mangle; policy accept;
282 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
283 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
284 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
285 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
286 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
287 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
288 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
289 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
290 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
291 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
292 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
293 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
296 chain mangle_forward {
297 type filter hook forward priority mangle; policy accept;
298 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
299 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
300 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
301 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
302 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
303 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
304 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
305 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"