1 Test matching of ipsets in rules (direction defaults, direction overrides, inverted matches, and IPv6 family inheritance).
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File fs/open~_proc_version.txt --
21 Linux version 5.10.113 (jow@j7) (mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r17858+262-2c3e8bed3f) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 SMP Tue May 17 19:05:07 2022
24 -- File uci/firewall.json --
29 "comment": "Test set #1 with traffic direction in type declaration",
30 "match": [ "src_ip", "dest_port" ],
38 "comment": "Test set #2 with unspecified traffic direction",
39 "match": [ "ip", "port" ],
47 "comment": "Test set #3 with IPv6 addresses",
49 "match": [ "net", "net", "port" ],
51 "db80:1234:4567::1/64 db80:1234:abcd::1/64 80",
52 "db80:8765:aaaa::1/64 db80:8765:ffff::1/64 22",
53 "db80:1:2:3:4:0:0:1 0:0:0:0:0:0:0:0/0 443",
59 "name": "Rule using test set #1",
66 "name": "Rule using test set #2, match direction should default to 'source'",
73 "name": "Rule using test set #1, overriding match direction",
77 "ipset": "test-set-1 dst src"
80 "name": "Rule using test set #2, specifiying match direction",
84 "ipset": "test-set-2 dst dst"
87 "name": "Rule using test set #1, overriding direction and inverting match",
91 "ipset": "!test-set-1 dst src"
94 "name": "Rule using test set #3 with alternative direction notation, should inherit IPv6 family",
98 "ipset": "test-set-3 src,dest,dest"
114 comment "Test set #1 with traffic direction in type declaration"
115 type ipv4_addr . inet_service
123 comment "Test set #2 with unspecified traffic direction"
124 type ipv4_addr . inet_service
132 comment "Test set #3 with IPv6 addresses"
133 type ipv6_addr . ipv6_addr . inet_service
137 db80:1234:4567::1/64 . db80:1234:abcd::1/64 . 80,
138 db80:8765:aaaa::1/64 . db80:8765:ffff::1/64 . 22,
139 db80:1:2:3:4::1/128 . ::/0 . 443,
153 include "/etc/nftables.d/*.nft"
161 type filter hook input priority filter; policy drop;
163 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
165 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
169 type filter hook forward priority filter; policy drop;
171 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
172 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
173 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
174 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
175 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp dport @test-set-2 counter comment "!fw4: Rule using test set #2, specifiying match direction"
176 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport != @test-set-1 counter comment "!fw4: Rule using test set #1, overriding direction and inverting match"
177 meta nfproto ipv6 meta l4proto tcp ip6 saddr . ip6 daddr . tcp dport @test-set-3 counter comment "!fw4: Rule using test set #3 with alternative direction notation, should inherit IPv6 family"
181 type filter hook output priority filter; policy drop;
183 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
185 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
189 type filter hook prerouting priority filter; policy accept;
192 chain handle_reject {
193 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
194 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
203 type nat hook prerouting priority dstnat; policy accept;
207 type nat hook postrouting priority srcnat; policy accept;
212 # Raw rules (notrack)
215 chain raw_prerouting {
216 type filter hook prerouting priority raw; policy accept;
220 type filter hook output priority raw; policy accept;
228 chain mangle_prerouting {
229 type filter hook prerouting priority mangle; policy accept;
232 chain mangle_postrouting {
233 type filter hook postrouting priority mangle; policy accept;
237 type filter hook input priority mangle; policy accept;
240 chain mangle_output {
241 type route hook output priority mangle; policy accept;
244 chain mangle_forward {
245 type filter hook forward priority mangle; policy accept;