ruleset: correct mangle_output chain type
[project/firewall4.git] / tests / 03_rules / 02_enabled
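1 Testing that rules which are not enabled are ignored: a rule without an `enabled` option or with `enabled` set to "1" is emitted, while a rule with `enabled` set to "0" is skipped with a warning on stderr.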
2
3 -- Testcase --
4 {%
5 include("./root/usr/share/firewall4/main.uc", { // run the fw4 main script; the object literal is passed as include()'s second (scope) argument
6 getenv: function(varname) { // test stub standing in for getenv(): only ACTION is answered
7 switch (varname) {
8 case 'ACTION':
9 return 'print'; // NOTE(review): presumably selects a print-only mode, so the ruleset goes to stdout instead of being applied - confirm in main.uc
10 }
11 } // any other variable name matches no case, so the stub returns no value
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "rule": [
23 {
24 "proto": "any",
25 "name": "Implicitly enabled"
26 },
27 {
28 "proto": "any",
29 "name": "Explicitly enabled",
30 "enabled": "1"
31 },
32 {
33 "proto": "any",
34 "name": "Explicitly disabled",
35 "enabled": "0"
36 }
37 ]
38 }
39 -- End --
40
41 -- Expect stderr --
42 [!] Section @rule[2] (Explicitly disabled) is disabled, ignoring section
43 -- End --
44
45 -- Expect stdout --
46 table inet fw4
47 flush table inet fw4
48
49 table inet fw4 {
50 #
51 # Set definitions
52 #
53
54
55 #
56 # Defines
57 #
58
59
60 #
61 # User includes
62 #
63
64 include "/etc/nftables.d/*.nft"
65
66
67 #
68 # Filter rules
69 #
70
71 chain input {
72 type filter hook input priority filter; policy drop;
73
74 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
75
76 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
77 }
78
79 chain forward {
80 type filter hook forward priority filter; policy drop;
81
82 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
83 }
84
85 chain output {
86 type filter hook output priority filter; policy drop;
87
88 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
89
90 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
91 counter comment "!fw4: Implicitly enabled"
92 counter comment "!fw4: Explicitly enabled"
93 }
94
95 chain handle_reject {
96 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
97 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
98 }
99
100
101 #
102 # NAT rules
103 #
104
105 chain dstnat {
106 type nat hook prerouting priority dstnat; policy accept;
107 }
108
109 chain srcnat {
110 type nat hook postrouting priority srcnat; policy accept;
111 }
112
113
114 #
115 # Raw rules (notrack & helper)
116 #
117
118 chain raw_prerouting {
119 type filter hook prerouting priority raw; policy accept;
120 }
121
122 chain raw_output {
123 type filter hook output priority raw; policy accept;
124 }
125
126
127 #
128 # Mangle rules
129 #
130
131 chain mangle_prerouting {
132 type filter hook prerouting priority mangle; policy accept;
133 }
134
135 chain mangle_postrouting {
136 type filter hook postrouting priority mangle; policy accept;
137 }
138
139 chain mangle_input {
140 type filter hook input priority mangle; policy accept;
141 }
142
143 chain mangle_output {
144 type route hook output priority mangle; policy accept;
145 }
146
147 chain mangle_forward {
148 type filter hook forward priority mangle; policy accept;
149 }
150 }
151 -- End --