1 Testing the correct placement of potential include positions.
5 include("./root/usr/share/firewall4/main.uc", {
6 getenv: function(varname) {
16 -- File uci/helpers.json --
20 -- File fs/open~_sys_class_net_eth0_flags.txt --
24 -- File fs/open~_usr_share_nftables_d_include-ruleset-start_nft.txt --
28 -- File fs/open~_usr_share_nftables_d_include-table-start_nft.txt --
32 -- File fs/open~_usr_share_nftables_d_include-chain-start-forward_nft.txt --
36 -- File fs/open~_usr_share_nftables_d_include-chain-end-forward_nft.txt --
40 -- File fs/open~_usr_share_nftables_d_include-table-end-1_nft.txt --
44 -- File fs/open~_usr_share_nftables_d_include-table-end-2_nft.txt --
48 -- File fs/open~_usr_share_nftables_d_include-ruleset-end_nft.txt --
52 -- File uci/firewall.json --
63 ".description": "Position 'table-pre' (or 'table-prepend') will place an include before the first chain",
64 "path": "/usr/share/nftables.d/include-table-start.nft",
66 "position": "table-pre"
70 ".description": "Position defaults to 'table-append', meaning after the last chain in the table scope",
71 "path": "/usr/share/nftables.d/include-table-end-1.nft",
76 ".description": "Position 'table-post' (or 'table-postpend') may be used as alias for 'table-append'",
77 "path": "/usr/share/nftables.d/include-table-end-2.nft",
79 "position": "table-post"
83 ".description": "Position 'ruleset-pre' (or 'ruleset-prepend') will place an include before the table declaration",
84 "path": "/usr/share/nftables.d/include-ruleset-start.nft",
86 "position": "ruleset-pre"
90 ".description": "Position 'ruleset-post' (or 'ruleset-append') will place an include after the table declaration",
91 "path": "/usr/share/nftables.d/include-ruleset-end.nft",
93 "position": "ruleset-post"
97 ".description": "Position 'chain-pre' (or 'chain-prepend') will place an include at the top of a specified chain",
98 "path": "/usr/share/nftables.d/include-chain-start-forward.nft",
100 "position": "chain-pre",
105 ".description": "Position 'chain-post' (or 'chain-append') will place an include at the bottom of a specified chain",
106 "path": "/usr/share/nftables.d/include-chain-end-forward.nft",
108 "position": "chain-post",
113 ".description": "Position 'chain-pre' or 'chain-post' without a chain option will yield an error",
114 "path": "/usr/share/nftables.d/include-chain-end-forward.nft",
116 "position": "chain-post"
123 [!] Section @include[7] must specify 'chain' for position chain-append, ignoring section
130 include "/usr/share/nftables.d/include-ruleset-start.nft"
137 define test_devices = { "eth0" }
138 define test_subnets = { }
145 include "/etc/nftables.d/*.nft"
147 include "/usr/share/nftables.d/include-table-start.nft"
155 type filter hook input priority filter; policy drop;
157 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
159 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
160 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
164 type filter hook forward priority filter; policy drop;
166 include "/usr/share/nftables.d/include-chain-start-forward.nft"
167 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
168 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
169 include "/usr/share/nftables.d/include-chain-end-forward.nft"
173 type filter hook output priority filter; policy drop;
175 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
177 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
178 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
182 type filter hook prerouting priority filter; policy accept;
185 chain handle_reject {
186 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
187 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
202 chain drop_from_test {
203 iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
207 oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
216 type nat hook prerouting priority dstnat; policy accept;
220 type nat hook postrouting priority srcnat; policy accept;
225 # Raw rules (notrack)
228 chain raw_prerouting {
229 type filter hook prerouting priority raw; policy accept;
233 type filter hook output priority raw; policy accept;
241 chain mangle_prerouting {
242 type filter hook prerouting priority mangle; policy accept;
245 chain mangle_postrouting {
246 type filter hook postrouting priority mangle; policy accept;
250 type filter hook input priority mangle; policy accept;
253 chain mangle_output {
254 type route hook output priority mangle; policy accept;
257 chain mangle_forward {
258 type filter hook forward priority mangle; policy accept;
261 include "/usr/share/nftables.d/include-table-end-1.nft"
262 include "/usr/share/nftables.d/include-table-end-2.nft"
265 include "/usr/share/nftables.d/include-ruleset-end.nft"