1 Testing various option constraints: address-family consistency between zones, rules, redirects and NAT rules and the subnets, zones and sets they reference. A section whose explicit family conflicts with a referenced object is reported with a warning and skipped, rather than being emitted into the ruleset.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
24 ".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
26 "subnet": "192.168.1.0/24",
31 ".description": "A zone whose explicit family conflicts with its only subnet (IPv6 family, IPv4 subnet) should be skipped",
33 "subnet": "10.0.0.0/8",
51 ".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
60 ".description": "Rules whose family conflicts with their addresses should be skipped",
70 ".description": "Rules whose family conflicts with the zone family should be skipped",
80 ".description": "Rules whose family conflicts with the referenced set family should be skipped",
91 ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
96 "name": "Redirect #1",
102 ".description": "NAT rules whose family conflicts with the referenced zone family should be skipped",
106 "target": "masquerade"
110 ".description": "NAT rules whose family conflicts with their addresses should be skipped",
114 "src_ip": "fc00::/7",
115 "target": "masquerade"
119 ".description": "NAT rules without any address-family-specific options and with no explicit family should default to IPv4 for backwards compatibility",
122 "target": "masquerade"
126 ".description": "NAT rules without explicit family but IPv6 specific bits should be IPv6",
129 "src_ip": "fc00::/7",
130 "target": "masquerade"
135 ".description": "NAT rules with explicit family any should inherit the referenced zone's family restriction (an IPv4-only zone yields an IPv4-only rule)",
138 "target": "masquerade"
142 ".description": "NAT rules without any address-family-specific options but with explicit family any should apply to both IPv4 and IPv6",
146 "target": "masquerade"
153 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping
154 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping
155 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
156 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
157 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
158 [!] Section @nat[0] (NAT #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
159 [!] Section @nat[1] (NAT #2) is restricted to IPv4 but referenced source IP is IPv6 only, skipping
185 define ipv4only_subnets = { 192.168.1.0/24 }
191 include "/etc/nftables.d/*.nft"
199 type filter hook input priority filter; policy drop;
201 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
203 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
204 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
208 type filter hook forward priority filter; policy drop;
210 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
211 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
215 type filter hook output priority filter; policy drop;
217 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
219 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
220 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
223 chain handle_reject {
224 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
225 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
228 chain input_ipv4only {
229 meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
230 ct status dnat accept comment "!fw4: Accept port redirections"
231 jump drop_from_ipv4only
234 chain output_ipv4only {
235 jump drop_to_ipv4only
238 chain forward_ipv4only {
239 ct status dnat accept comment "!fw4: Accept port forwards"
240 jump drop_to_ipv4only
243 chain drop_from_ipv4only {
244 meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
247 chain drop_to_ipv4only {
248 meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
257 type nat hook prerouting priority dstnat; policy accept;
258 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
262 type nat hook postrouting priority srcnat; policy accept;
263 meta nfproto ipv4 masquerade comment "!fw4: NAT #3"
264 ip6 saddr fc00::/7 masquerade comment "!fw4: NAT #4"
265 masquerade comment "!fw4: NAT #6"
266 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump srcnat_ipv4only comment "!fw4: Handle ipv4only IPv4 srcnat traffic"
269 chain dstnat_ipv4only {
272 chain srcnat_ipv4only {
273 meta nfproto ipv4 masquerade comment "!fw4: NAT #5"
278 # Raw rules (notrack & helper)
281 chain raw_prerouting {
282 type filter hook prerouting priority raw; policy accept;
286 type filter hook output priority raw; policy accept;
294 chain mangle_prerouting {
295 type filter hook prerouting priority mangle; policy accept;
298 chain mangle_postrouting {
299 type filter hook postrouting priority mangle; policy accept;
303 type filter hook input priority mangle; policy accept;
306 chain mangle_output {
307 type route hook output priority mangle; policy accept;
310 chain mangle_forward {
311 type filter hook forward priority mangle; policy accept;