ruleset: correct mangle_output chain type
1 Tests that rule declarations are mapped to the proper chains (input,
2 output or forward) depending on the src and dest options.
3
4 -- Testcase --
{%
// Run the firewall4 generator with a stubbed environment: the only
// variable answered is ACTION, which is set to 'print' so that the
// generated ruleset is written to stdout (and compared against the
// "Expect stdout" section below). Any other variable is left unanswered.
include("./root/usr/share/firewall4/main.uc", {
	getenv: function(varname) {
		if (varname === 'ACTION')
			return 'print';
	}
})
%}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File uci/firewall.json --
22 {
23 "rule": [
24 {
25 ".description": "Neither source, nor dest => should result in an output rule",
26 "proto": "any"
27 },
28 {
29 ".description": "Source any, no dest => should result in an input rule",
30 "proto": "any",
31 "src": "*"
32 },
33 {
34 ".description": "Dest any, no source => should result in an output rule",
35 "proto": "any",
36 "dest": "*"
37 },
38 {
39 ".description": "Source any, dest any => should result in a forward rule",
40 "proto": "any",
41 "src": "*",
42 "dest": "*"
43 }
44 ]
45 }
46 -- End --
47
48 -- Expect stdout --
49 table inet fw4
50 flush table inet fw4
51
52 table inet fw4 {
53 #
54 # Set definitions
55 #
56
57
58 #
59 # Defines
60 #
61
62
63 #
64 # User includes
65 #
66
67 include "/etc/nftables.d/*.nft"
68
69
70 #
71 # Filter rules
72 #
73
74 chain input {
75 type filter hook input priority filter; policy drop;
76
77 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
78
79 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
80 counter comment "!fw4: @rule[1]"
81 }
82
83 chain forward {
84 type filter hook forward priority filter; policy drop;
85
86 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
87 counter comment "!fw4: @rule[3]"
88 }
89
90 chain output {
91 type filter hook output priority filter; policy drop;
92
93 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
94
95 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
96 counter comment "!fw4: @rule[0]"
97 counter comment "!fw4: @rule[2]"
98 }
99
100 chain handle_reject {
101 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
102 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
103 }
104
105
106 #
107 # NAT rules
108 #
109
110 chain dstnat {
111 type nat hook prerouting priority dstnat; policy accept;
112 }
113
114 chain srcnat {
115 type nat hook postrouting priority srcnat; policy accept;
116 }
117
118
119 #
120 # Raw rules (notrack & helper)
121 #
122
123 chain raw_prerouting {
124 type filter hook prerouting priority raw; policy accept;
125 }
126
127 chain raw_output {
128 type filter hook output priority raw; policy accept;
129 }
130
131
132 #
133 # Mangle rules
134 #
135
136 chain mangle_prerouting {
137 type filter hook prerouting priority mangle; policy accept;
138 }
139
140 chain mangle_postrouting {
141 type filter hook postrouting priority mangle; policy accept;
142 }
143
144 chain mangle_input {
145 type filter hook input priority mangle; policy accept;
146 }
147
148 chain mangle_output {
149 type route hook output priority mangle; policy accept;
150 }
151
152 chain mangle_forward {
153 type filter hook forward priority mangle; policy accept;
154 }
155 }
156 -- End --