ruleset: correct mangle_output chain type
1 Testing handling of ICMP-related options.
2
3 -- Testcase --
4 {%
// Run firewall4's main.uc with a stubbed environment so the testcase does not
// depend on the real process environment; its stdout is compared against the
// "Expect stdout" section below.
5 include("./root/usr/share/firewall4/main.uc", {
// getenv stub: only ACTION is answered (with 'print'); any other variable
// name falls out of the switch without an explicit return value.
6 getenv: function(varname) {
7 switch (varname) {
8 case 'ACTION':
9 return 'print';
10 }
11 }
12 })
13 %}
14 -- End --
15
16 -- File uci/helpers.json --
17 {}
18 -- End --
19
20 -- File uci/firewall.json --
21 {
22 "rule": [
23 {
24 ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
25 "proto": "icmp",
26 "name": "ICMP rule #1"
27 },
28 {
29 ".description": "Proto 'icmpv6' maps to IPv6 rule only",
30 "proto": "icmpv6",
31 "name": "ICMP rule #2",
32 },
33 {
34 ".description": "Proto 'ipv6-icmp' is an alias for 'icmpv6'",
35 "proto": "ipv6-icmp",
36 "name": "ICMP rule #3",
37 },
38 {
39 ".description": "Proto 'icmp' with IPv4 specific types inhibits IPv6 rule",
40 "proto": "icmp",
41 "name": "ICMP rule #4",
42 "icmp_type": [ "ip-header-bad" ]
43 },
44 {
45 ".description": "Proto 'icmp' with IPv6 specific types inhibits IPv4 rule",
46 "proto": "icmp",
47 "name": "ICMP rule #5",
48 "icmp_type": [ "neighbour-advertisement" ]
49 }
50 ]
51 }
52 -- End --
53
54 -- Expect stdout --
55 table inet fw4
56 flush table inet fw4
57
58 table inet fw4 {
59 #
60 # Set definitions
61 #
62
63
64 #
65 # Defines
66 #
67
68
69 #
70 # User includes
71 #
72
73 include "/etc/nftables.d/*.nft"
74
75
76 #
77 # Filter rules
78 #
79
80 chain input {
81 type filter hook input priority filter; policy drop;
82
83 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
84
85 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
86 }
87
88 chain forward {
89 type filter hook forward priority filter; policy drop;
90
91 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
92 }
93
94 chain output {
95 type filter hook output priority filter; policy drop;
96
97 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
98
99 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
100 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
101 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
102 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
103 meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
104 meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
105 }
106
107 chain handle_reject {
108 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
109 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
110 }
111
112
113 #
114 # NAT rules
115 #
116
117 chain dstnat {
118 type nat hook prerouting priority dstnat; policy accept;
119 }
120
121 chain srcnat {
122 type nat hook postrouting priority srcnat; policy accept;
123 }
124
125
126 #
127 # Raw rules (notrack & helper)
128 #
129
130 chain raw_prerouting {
131 type filter hook prerouting priority raw; policy accept;
132 }
133
134 chain raw_output {
135 type filter hook output priority raw; policy accept;
136 }
137
138
139 #
140 # Mangle rules
141 #
142
143 chain mangle_prerouting {
144 type filter hook prerouting priority mangle; policy accept;
145 }
146
147 chain mangle_postrouting {
148 type filter hook postrouting priority mangle; policy accept;
149 }
150
151 chain mangle_input {
152 type filter hook input priority mangle; policy accept;
153 }
154
155 chain mangle_output {
156 type route hook output priority mangle; policy accept;
157 }
158
159 chain mangle_forward {
160 type filter hook forward priority mangle; policy accept;
161 }
162 }
163 -- End --