1 Testing various option constraints: a section whose configured family conflicts with the family of the zone, subnet, address or set it references must be skipped with a warning (see the expected "[!] ... skipping" output below) rather than emitted as a rule that matches more than intended, and NAT rules with no explicit family and no AF-specific options default to IPv4 for backwards compatibility while an explicit family of "any" yields an unrestricted rule.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File uci/firewall.json --
24 ".description": "A zone matching only IPv4 subnets is assumed to be an IPv4 only zone",
26 "subnet": "192.168.1.0/24",
31 ".description": "A zone with conflicting family and subnet settings should be skipped",
33 "subnet": "10.0.0.0/8",
51 ".description": "Rules referencing an IPv4 only zone should be restricted to IPv4 themselves",
60 ".description": "Rules whose family conflicts with their addresses should be skipped",
70 ".description": "Rules whose family conflicts with the zone family should be skipped",
80 ".description": "Rules whose family conflicts with the referenced set family should be skipped",
91 ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
96 "name": "Redirect #1",
102 ".description": "NAT rules whose family conflicts with the referenced zone family should be skipped",
106 "target": "masquerade"
110 ".description": "NAT rules whose family conflicts with their addresses should be skipped",
114 "src_ip": "fc00::/7",
115 "target": "masquerade"
119 ".description": "NAT rules without any AF specific bits and unspecified family should default to IPv4 for backwards compatibility",
122 "target": "masquerade"
126 ".description": "NAT rules without explicit family but IPv6 specific bits should be IPv6",
129 "src_ip": "fc00::/7",
130 "target": "masquerade"
135 ".description": "NAT rules with explicit family any should inherit zone restrictions",
138 "target": "masquerade"
142 ".description": "NAT rules without any AF specific bits but explicit family any should be IPv4/IPv6",
146 "target": "masquerade"
153 [!] Section @zone[1] (afconflict) is restricted to IPv6 but referenced subnet list is IPv4 only, skipping
154 [!] Section @rule[1] (Rule #2) is restricted to IPv6 but referenced source IP is IPv4 only, skipping
155 [!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
156 [!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
157 [!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
158 [!] Section @nat[0] (NAT #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
159 [!] Section @nat[1] (NAT #2) is restricted to IPv4 but referenced source IP is IPv6 only, skipping
185 define ipv4only_devices = { }
186 define ipv4only_subnets = { 192.168.1.0/24 }
193 include "/etc/nftables.d/*.nft"
201 type filter hook input priority filter; policy drop;
203 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
205 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
206 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
210 type filter hook forward priority filter; policy drop;
212 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
213 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
217 type filter hook output priority filter; policy drop;
219 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
221 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
222 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
226 type filter hook prerouting priority filter; policy accept;
229 chain handle_reject {
230 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
231 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
234 chain input_ipv4only {
235 meta nfproto ipv4 tcp dport 22 counter accept comment "!fw4: Rule #1"
236 ct status dnat accept comment "!fw4: Accept port redirections"
237 jump drop_from_ipv4only
240 chain output_ipv4only {
241 jump drop_to_ipv4only
244 chain forward_ipv4only {
245 ct status dnat accept comment "!fw4: Accept port forwards"
246 jump drop_to_ipv4only
249 chain drop_from_ipv4only {
250 meta nfproto ipv4 ip saddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
253 chain drop_to_ipv4only {
254 meta nfproto ipv4 ip daddr 192.168.1.0/24 counter drop comment "!fw4: drop ipv4only IPv4 traffic"
263 type nat hook prerouting priority dstnat; policy accept;
264 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump dstnat_ipv4only comment "!fw4: Handle ipv4only IPv4 dstnat traffic"
268 type nat hook postrouting priority srcnat; policy accept;
269 meta nfproto ipv4 counter masquerade comment "!fw4: NAT #3"
270 ip6 saddr fc00::/7 counter masquerade comment "!fw4: NAT #4"
271 counter masquerade comment "!fw4: NAT #6"
272 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump srcnat_ipv4only comment "!fw4: Handle ipv4only IPv4 srcnat traffic"
275 chain dstnat_ipv4only {
278 chain srcnat_ipv4only {
279 meta nfproto ipv4 counter masquerade comment "!fw4: NAT #5"
284 # Raw rules (notrack)
287 chain raw_prerouting {
288 type filter hook prerouting priority raw; policy accept;
292 type filter hook output priority raw; policy accept;
300 chain mangle_prerouting {
301 type filter hook prerouting priority mangle; policy accept;
304 chain mangle_postrouting {
305 type filter hook postrouting priority mangle; policy accept;
309 type filter hook input priority mangle; policy accept;
312 chain mangle_output {
313 type route hook output priority mangle; policy accept;
316 chain mangle_forward {
317 type filter hook forward priority mangle; policy accept;