1 Ensure that DSCP and MARK target rules end up in the appropriate chains,
2 depending on the src and dest options.
6 include("./root/usr/share/firewall4/main.uc", {
7 getenv: function(varname) {
17 -- File uci/helpers.json --
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
29 -- File fs/open~_sys_class_net_eth2_flags.txt --
33 -- File fs/open~_sys_class_net_eth3_flags.txt --
37 -- File uci/firewall.json --
42 "device": [ "eth0", "eth1" ]
46 "device": [ "eth2", "eth3" ]
51 ".description": "Source '*' and destination '*' should result in a forward rule",
52 "name": "Mangle rule #1",
59 ".description": "Source zone and destination zone should result in a forward rule",
60 "name": "Mangle rule #2",
67 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
68 "name": "Mangle rule #3",
75 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
76 "name": "Mangle rule #4",
83 ".description": "Specific source zone and no destination zone should result in an input rule",
84 "name": "Mangle rule #5",
90 ".description": "Any source zone and no destination zone should result in an input rule",
91 "name": "Mangle rule #6",
97 ".description": "No source zone and no destination zone should result in an output rule",
98 "name": "Mangle rule #7",
103 ".description": "No source zone and any destination zone should result in an output rule",
104 "name": "Mangle rule #8",
110 ".description": "No source zone and specific destination zone should result in an output rule",
111 "name": "Mangle rule #9",
117 ".description": "Option device with no direction should override inbound ifname match",
118 "name": "Mangle rule #10",
126 ".description": "Option device with direction 'in' should override inbound ifname match",
127 "name": "Mangle rule #11",
136 ".description": "Option device with direction 'out' should override outbound ifname match",
137 "name": "Mangle rule #12",
163 define lan_devices = { "eth0", "eth1" }
164 define wan_devices = { "eth2", "eth3" }
170 include "/etc/nftables.d/*.nft"
178 type filter hook input priority filter; policy drop;
180 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
182 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
183 iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
184 iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
188 type filter hook forward priority filter; policy drop;
190 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
191 iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
192 iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
196 type filter hook output priority filter; policy drop;
198 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
200 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
201 oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
202 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
205 chain handle_reject {
206 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
207 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
222 chain drop_from_lan {
223 iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
227 oifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
242 chain drop_from_wan {
243 iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
247 oifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
256 type nat hook prerouting priority dstnat; policy accept;
260 type nat hook postrouting priority srcnat; policy accept;
265 # Raw rules (notrack & helper)
268 chain raw_prerouting {
269 type filter hook prerouting priority raw; policy accept;
270 iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
271 iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
275 type filter hook output priority raw; policy accept;
289 chain mangle_prerouting {
290 type filter hook prerouting priority mangle; policy accept;
291 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
292 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
293 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
294 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
297 chain mangle_postrouting {
298 type filter hook postrouting priority mangle; policy accept;
299 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
300 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
301 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
302 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
303 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
304 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
305 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
306 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
307 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
308 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
309 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
310 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
311 meta nfproto ipv4 meta l4proto tcp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
312 meta nfproto ipv6 meta l4proto tcp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
313 meta nfproto ipv4 meta l4proto udp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
314 meta nfproto ipv6 meta l4proto udp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
318 type filter hook input priority mangle; policy accept;
319 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
320 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
321 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
322 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
323 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
324 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
325 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
326 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
329 chain mangle_output {
330 type filter hook output priority mangle; policy accept;
331 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
332 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
333 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
334 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
335 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
336 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
337 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
338 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
339 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
340 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
341 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
342 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
345 chain mangle_forward {
346 type filter hook forward priority mangle; policy accept;
347 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
348 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
349 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
350 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
351 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
352 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
353 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
354 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"