1 Ensure that DSCP and MARK target rules end up in the appropriate chains,
2 depending on the src and dest options. The fixture below only exercises the DSCP target. Note that the expected output places the zone-scoped rules (#2-#5, #9) into the mangle chains without any iifname/oifname device match, so this test asserts chain placement only, not per-zone device scoping.
3
4 -- Testcase --
5 {%
6 include("./root/usr/share/firewall4/main.uc", {  // run fw4 under test with a stubbed environment accessor
7 getenv: function(varname) {  // only ACTION is answered; any other variable falls through and reads as undefined
8 switch (varname) {
9 case 'ACTION':
10 return 'print';  // ACTION=print makes main.uc emit the generated ruleset on stdout (compared against "Expect stdout" below)
11 }
12 }
13 })
14 %}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
22 0x1103
23 -- End --
24
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
26 0x1103
27 -- End --
28
29 -- File uci/firewall.json --
30 {
31 "zone": [
32 {
33 "name": "lan",
34 "device": "eth0"
35 },
36 {
37 "name": "wan",
38 "device": "eth1"
39 }
40 ],
41 "rule": [
42 {
43 ".description": "Source '*' and destination '*' should result in a forward rule",
44 "name": "Mangle rule #1",
45 "src": "*",
46 "dest": "*",
47 "target": "DSCP",
48 "set_dscp": "1"
49 },
50 {
51 ".description": "Source zone and destination zone should result in a forward rule",
52 "name": "Mangle rule #2",
53 "src": "lan",
54 "dest": "wan",
55 "target": "DSCP",
56 "set_dscp": "1"
57 },
58 {
59 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
60 "name": "Mangle rule #3",
61 "src": "*",
62 "dest": "wan",
63 "target": "DSCP",
64 "set_dscp": "1"
65 },
66 {
67 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
68 "name": "Mangle rule #4",
69 "src": "lan",
70 "dest": "*",
71 "target": "DSCP",
72 "set_dscp": "1"
73 },
74 {
75 ".description": "Specific source zone and no destination zone should result in an input rule",
76 "name": "Mangle rule #5",
77 "src": "lan",
78 "target": "DSCP",
79 "set_dscp": "1"
80 },
81 {
82 ".description": "Any source zone and no destination zone should result in an input rule",
83 "name": "Mangle rule #6",
84 "src": "*",
85 "target": "DSCP",
86 "set_dscp": "1"
87 },
88 {
89 ".description": "No source zone and no destination zone should result in an output rule",
90 "name": "Mangle rule #7",
91 "target": "DSCP",
92 "set_dscp": "1"
93 },
94 {
95 ".description": "No source zone and any destination zone should result in an output rule",
96 "name": "Mangle rule #8",
97 "dest": "*",
98 "target": "DSCP",
99 "set_dscp": "1"
100 },
101 {
102 ".description": "No source zone and specific destination zone should result in an output rule",
103 "name": "Mangle rule #9",
104 "dest": "wan",
105 "target": "DSCP",
106 "set_dscp": "1"
107 }
108 ]
109 }
110 -- End --
111
112 -- Expect stdout --
113 table inet fw4
114 flush table inet fw4
115
116 table inet fw4 {
117 #
118 # Set definitions
119 #
120
121
122 #
123 # Defines
124 #
125
126 define lan_devices = { "eth0" }
127 define wan_devices = { "eth1" }
128
129 #
130 # User includes
131 #
132
133 include "/etc/nftables.d/*.nft"
134
135
136 #
137 # Filter rules
138 #
139
140 chain input {
141 type filter hook input priority filter; policy drop;
142
143 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
144
145 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
146 iifname "eth0" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
147 iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
148 }
149
150 chain forward {
151 type filter hook forward priority filter; policy drop;
152
153 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
154 iifname "eth0" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
155 iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
156 }
157
158 chain output {
159 type filter hook output priority filter; policy drop;
160
161 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
162
163 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
164 oifname "eth0" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
165 oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
166 }
167
168 chain handle_reject {
169 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
170 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
171 }
172
173 chain input_lan {
174 jump drop_from_lan
175 }
176
177 chain output_lan {
178 jump drop_to_lan
179 }
180
181 chain forward_lan {
182 jump drop_to_lan
183 }
184
185 chain drop_from_lan {
186 iifname "eth0" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
187 }
188
189 chain drop_to_lan {
190 oifname "eth0" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
191 }
192
193 chain input_wan {
194 jump drop_from_wan
195 }
196
197 chain output_wan {
198 jump drop_to_wan
199 }
200
201 chain forward_wan {
202 jump drop_to_wan
203 }
204
205 chain drop_from_wan {
206 iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
207 }
208
209 chain drop_to_wan {
210 oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
211 }
212
213
214 #
215 # NAT rules
216 #
217
218 chain dstnat {
219 type nat hook prerouting priority dstnat; policy accept;
220 }
221
222 chain srcnat {
223 type nat hook postrouting priority srcnat; policy accept;
224 }
225
226
227 #
228 # Raw rules (notrack & helper)
229 #
230
231 chain raw_prerouting {
232 type filter hook prerouting priority raw; policy accept;
233 iifname "eth0" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
234 iifname "eth1" jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
235 }
236
237 chain raw_output {
238 type filter hook output priority raw; policy accept;
239 }
240
241 chain helper_lan {
242 }
243
244 chain helper_wan {
245 }
246
247
248 #
249 # Mangle rules
250 #
251
252 chain mangle_prerouting {
253 type filter hook prerouting priority mangle; policy accept;
254 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
255 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
256 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
257 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
258 }
259
260 chain mangle_postrouting {
261 type filter hook postrouting priority mangle; policy accept;
262 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
263 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
264 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
265 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
266 }
267
268 chain mangle_input {
269 type filter hook input priority mangle; policy accept;
270 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
271 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
272 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
273 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
274 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
275 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
276 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
277 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
278 }
279
280 chain mangle_output {
281 type filter hook output priority mangle; policy accept;
282 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
283 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
284 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
285 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
286 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
287 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
288 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
289 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
290 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
291 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
292 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
293 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
294 }
295
296 chain mangle_forward {
297 type filter hook forward priority mangle; policy accept;
298 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
299 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
300 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
301 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
302 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
303 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
304 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
305 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
306 }
307 }
308 -- End --