1 Testing that `option log 1` enables rule logging and sets the rule name as
2 the log prefix. Also testing that setting `option log` to a non-boolean
3 string uses that string verbatim as the log prefix.
7 include("./root/usr/share/firewall4/main.uc", {
8 getenv: function(varname) {
18 -- File uci/helpers.json --
22 -- File uci/firewall.json --
35 "name": "Explicit rule name",
40 "log": "Explicit prefix: "
47 "dest_ip": "10.0.0.2",
52 "name": "Explicit redirect name",
55 "dest_ip": "10.0.0.3",
62 "dest_ip": "10.0.0.4",
64 "log": "Explicit prefix: "
70 "target": "MASQUERADE",
74 "name": "Explicit nat name",
76 "target": "MASQUERADE",
81 "target": "MASQUERADE",
82 "log": "Explicit log prefix: "
97 define wan_devices = { }
98 define wan_subnets = { }
105 include "/etc/nftables.d/*.nft"
113 type filter hook input priority filter; policy drop;
115 iif "lo" accept comment "!fw4: Accept traffic from loopback"
117 ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
121 type filter hook forward priority filter; policy drop;
123 ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
127 type filter hook output priority filter; policy drop;
129 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
131 ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
132 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
133 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
134 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"
138 type filter hook prerouting priority filter; policy accept;
141 chain handle_reject {
142 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
143 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
147 ct status dnat accept comment "!fw4: Accept port redirections"
156 ct status dnat accept comment "!fw4: Accept port forwards"
163 chain drop_from_wan {
175 type nat hook prerouting priority dstnat; policy accept;
179 type nat hook postrouting priority srcnat; policy accept;
183 meta nfproto ipv4 counter log prefix "@redirect[0]: " dnat 10.0.0.2:22 comment "!fw4: @redirect[0]"
184 meta nfproto ipv4 counter log prefix "Explicit redirect name: " dnat 10.0.0.3:23 comment "!fw4: Explicit redirect name"
185 meta nfproto ipv4 counter log prefix "Explicit prefix: " dnat 10.0.0.4:24 comment "!fw4: @redirect[2]"
189 meta nfproto ipv4 counter log prefix "@nat[0]: " masquerade comment "!fw4: @nat[0]"
190 meta nfproto ipv4 counter log prefix "Explicit nat name: " masquerade comment "!fw4: Explicit nat name"
191 meta nfproto ipv4 counter log prefix "Explicit log prefix: " masquerade comment "!fw4: @nat[2]"
196 # Raw rules (notrack)
199 chain raw_prerouting {
200 type filter hook prerouting priority raw; policy accept;
204 type filter hook output priority raw; policy accept;
212 chain mangle_prerouting {
213 type filter hook prerouting priority mangle; policy accept;
216 chain mangle_postrouting {
217 type filter hook postrouting priority mangle; policy accept;
221 type filter hook input priority mangle; policy accept;
224 chain mangle_output {
225 type route hook output priority mangle; policy accept;
228 chain mangle_forward {
229 type filter hook forward priority mangle; policy accept;