1 Testing various option constraints.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
24 ".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
26 "subnet": "192.168.1.0/24",
31 ".description": "A zone with conflicting family and subnet settings should be skipped",
33 "subnet": "10.0.0.0/8",
51 ".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
60 ".description": "Rules whose family conflicts with their addresses should be skipped",
70 ".description": "Rules whose family conflicts with the zone family should be skipped",
80 ".description": "Rules whose family conflicts with the referenced set family should be skipped",
91 ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
96 "name": "Redirect #1",
104 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping
105 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping
106 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
107 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
108 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
134 define ipv4only_subnets = { 192.168.1.0/24 }
140 include "/etc/nftables.d/*.nft"
148 type filter hook input priority filter; policy drop;
150 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
152 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
153 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
157 type filter hook forward priority filter; policy drop;
159 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
160 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
164 type filter hook output priority filter; policy drop;
166 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
168 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
169 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
172 chain handle_reject {
173 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
174 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
177 chain input_ipv4only {
178 meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
179 ct status dnat accept comment "!fw4: Accept port redirections"
180 jump drop_from_ipv4only
183 chain output_ipv4only {
184 jump drop_to_ipv4only
187 chain forward_ipv4only {
188 ct status dnat accept comment "!fw4: Accept port forwards"
189 jump drop_to_ipv4only
192 chain drop_from_ipv4only {
193 meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
196 chain drop_to_ipv4only {
197 meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
206 type nat hook prerouting priority dstnat; policy accept;
207 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
211 type nat hook postrouting priority srcnat; policy accept;
214 chain dstnat_ipv4only {
219 # Raw rules (notrack & helper)
222 chain raw_prerouting {
223 type filter hook prerouting priority raw; policy accept;
227 type filter hook output priority raw; policy accept;
235 chain mangle_prerouting {
236 type filter hook prerouting priority mangle; policy accept;
239 chain mangle_postrouting {
240 type filter hook postrouting priority mangle; policy accept;
244 type filter hook input priority mangle; policy accept;
247 chain mangle_output {
248 type filter hook output priority mangle; policy accept;
251 chain mangle_forward {
252 type filter hook forward priority mangle; policy accept;