1 Ensure that DSCP and MARK target rules end up in the appropriate chains,
2 depending on the src and dest options.
3
4 -- Testcase --
5 {%
// Test driver: runs fw4's main.uc with a stubbed process environment.
// The stub answers only ACTION (with 'print'); every other variable name
// falls through the switch and yields no value, so no host environment
// leaks into the run. With ACTION=print the generated nftables ruleset
// is presumably written to stdout and matched against the "Expect stdout"
// section below rather than being applied — confirm against main.uc.
6 include("./root/usr/share/firewall4/main.uc", {
7 getenv: function(varname) {
8 switch (varname) {
9 case 'ACTION':
10 return 'print';
11 }
12 }
13 })
14 %}
15 -- End --
16
17 -- File uci/helpers.json --
18 {}
19 -- End --
20
21 -- File fs/open~_sys_class_net_eth0_flags.txt --
22 0x1103
23 -- End --
24
25 -- File fs/open~_sys_class_net_eth1_flags.txt --
26 0x1103
27 -- End --
28
29 -- File fs/open~_sys_class_net_eth2_flags.txt --
30 0x1103
31 -- End --
32
33 -- File fs/open~_sys_class_net_eth3_flags.txt --
34 0x1103
35 -- End --
36
37 -- File uci/firewall.json --
38 {
39 "zone": [
40 {
41 "name": "lan",
42 "device": [ "eth0", "eth1" ]
43 },
44 {
45 "name": "wan",
46 "device": [ "eth2", "eth3" ]
47 }
48 ],
49 "rule": [
50 {
51 ".description": "Source '*' and destination '*' should result in a forward rule",
52 "name": "Mangle rule #1",
53 "src": "*",
54 "dest": "*",
55 "target": "DSCP",
56 "set_dscp": "1"
57 },
58 {
59 ".description": "Source zone and destination zone should result in a forward rule",
60 "name": "Mangle rule #2",
61 "src": "lan",
62 "dest": "wan",
63 "target": "DSCP",
64 "set_dscp": "1"
65 },
66 {
67 ".description": "Any source zone and specific destination zone should result in a postrouting rule",
68 "name": "Mangle rule #3",
69 "src": "*",
70 "dest": "wan",
71 "target": "DSCP",
72 "set_dscp": "1"
73 },
74 {
75 ".description": "Specific source zone and any destination zone should result in a prerouting rule",
76 "name": "Mangle rule #4",
77 "src": "lan",
78 "dest": "*",
79 "target": "DSCP",
80 "set_dscp": "1"
81 },
82 {
83 ".description": "Specific source zone and no destination zone should result in an input rule",
84 "name": "Mangle rule #5",
85 "src": "lan",
86 "target": "DSCP",
87 "set_dscp": "1"
88 },
89 {
90 ".description": "Any source zone and no destination zone should result in an input rule",
91 "name": "Mangle rule #6",
92 "src": "*",
93 "target": "DSCP",
94 "set_dscp": "1"
95 },
96 {
97 ".description": "No source zone and no destination zone should result in an output rule",
98 "name": "Mangle rule #7",
99 "target": "DSCP",
100 "set_dscp": "1"
101 },
102 {
103 ".description": "No source zone and any destination zone should result in an output rule",
104 "name": "Mangle rule #8",
105 "dest": "*",
106 "target": "DSCP",
107 "set_dscp": "1"
108 },
109 {
110 ".description": "No source zone and specific destination zone should result in an output rule",
111 "name": "Mangle rule #9",
112 "dest": "wan",
113 "target": "DSCP",
114 "set_dscp": "1"
115 },
116 {
117 ".description": "Option device with no direction should override inbound ifname match",
118 "name": "Mangle rule #10",
119 "src": "*",
120 "dest": "wan",
121 "target": "DSCP",
122 "set_dscp": "1",
123 "device": "eth4"
124 },
125 {
126 ".description": "Option device with direction 'in' should override inbound ifname match",
127 "name": "Mangle rule #11",
128 "src": "*",
129 "dest": "wan",
130 "target": "DSCP",
131 "set_dscp": "1",
132 "device": "eth4",
133 "direction": "in"
134 },
135 {
136 ".description": "Option device with direction 'out' should override outbound ifname match",
137 "name": "Mangle rule #12",
138 "src": "*",
139 "dest": "wan",
140 "target": "DSCP",
141 "set_dscp": "1",
142 "device": "eth5",
143 "direction": "out"
144 }
145 ]
146 }
147 -- End --
148
149 -- Expect stdout --
150 table inet fw4
151 flush table inet fw4
152
153 table inet fw4 {
154 #
155 # Set definitions
156 #
157
158
159 #
160 # Defines
161 #
162
163 define lan_devices = { "eth0", "eth1" }
164 define wan_devices = { "eth2", "eth3" }
165
166 #
167 # User includes
168 #
169
170 include "/etc/nftables.d/*.nft"
171
172
173 #
174 # Filter rules
175 #
176
177 chain input {
178 type filter hook input priority filter; policy drop;
179
180 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
181
182 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
183 iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
184 iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
185 }
186
187 chain forward {
188 type filter hook forward priority filter; policy drop;
189
190 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
191 iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
192 iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
193 }
194
195 chain output {
196 type filter hook output priority filter; policy drop;
197
198 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
199
200 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
201 oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
202 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
203 }
204
205 chain handle_reject {
206 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
207 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
208 }
209
210 chain input_lan {
211 jump drop_from_lan
212 }
213
214 chain output_lan {
215 jump drop_to_lan
216 }
217
218 chain forward_lan {
219 jump drop_to_lan
220 }
221
222 chain drop_from_lan {
223 iifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
224 }
225
226 chain drop_to_lan {
227 oifname { "eth0", "eth1" } counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
228 }
229
230 chain input_wan {
231 jump drop_from_wan
232 }
233
234 chain output_wan {
235 jump drop_to_wan
236 }
237
238 chain forward_wan {
239 jump drop_to_wan
240 }
241
242 chain drop_from_wan {
243 iifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
244 }
245
246 chain drop_to_wan {
247 oifname { "eth2", "eth3" } counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
248 }
249
250
251 #
252 # NAT rules
253 #
254
255 chain dstnat {
256 type nat hook prerouting priority dstnat; policy accept;
257 }
258
259 chain srcnat {
260 type nat hook postrouting priority srcnat; policy accept;
261 }
262
263
264 #
265 # Raw rules (notrack & helper)
266 #
267
268 chain raw_prerouting {
269 type filter hook prerouting priority raw; policy accept;
270 iifname { "eth0", "eth1" } jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
271 iifname { "eth2", "eth3" } jump helper_wan comment "!fw4: wan IPv4/IPv6 CT helper assignment"
272 }
273
274 chain raw_output {
275 type filter hook output priority raw; policy accept;
276 }
277
278 chain helper_lan {
279 }
280
281 chain helper_wan {
282 }
283
284
285 #
286 # Mangle rules
287 #
288
289 chain mangle_prerouting {
290 type filter hook prerouting priority mangle; policy accept;
291 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
292 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
293 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #4"
294 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #4"
295 }
296
297 chain mangle_postrouting {
298 type filter hook postrouting priority mangle; policy accept;
299 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
300 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
301 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #3"
302 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #3"
303 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
304 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
305 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #10"
306 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #10"
307 meta nfproto ipv4 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
308 meta nfproto ipv6 meta l4proto tcp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
309 meta nfproto ipv4 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #11"
310 meta nfproto ipv6 meta l4proto udp iifname "eth4" oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #11"
311 meta nfproto ipv4 meta l4proto tcp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
312 meta nfproto ipv6 meta l4proto tcp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
313 meta nfproto ipv4 meta l4proto udp oifname "eth5" counter ip dscp set 0x1 comment "!fw4: Mangle rule #12"
314 meta nfproto ipv6 meta l4proto udp oifname "eth5" counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #12"
315 }
316
317 chain mangle_input {
318 type filter hook input priority mangle; policy accept;
319 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
320 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
321 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #5"
322 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #5"
323 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
324 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
325 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #6"
326 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #6"
327 }
328
329 chain mangle_output {
330 type filter hook output priority mangle; policy accept;
331 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
332 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
333 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #7"
334 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #7"
335 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
336 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
337 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #8"
338 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #8"
339 meta nfproto ipv4 meta l4proto tcp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
340 meta nfproto ipv6 meta l4proto tcp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
341 meta nfproto ipv4 meta l4proto udp oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #9"
342 meta nfproto ipv6 meta l4proto udp oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #9"
343 }
344
345 chain mangle_forward {
346 type filter hook forward priority mangle; policy accept;
347 meta nfproto ipv4 meta l4proto tcp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
348 meta nfproto ipv6 meta l4proto tcp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
349 meta nfproto ipv4 meta l4proto udp counter ip dscp set 0x1 comment "!fw4: Mangle rule #1"
350 meta nfproto ipv6 meta l4proto udp counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #1"
351 meta nfproto ipv4 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
352 meta nfproto ipv6 meta l4proto tcp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
353 meta nfproto ipv4 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip dscp set 0x1 comment "!fw4: Mangle rule #2"
354 meta nfproto ipv6 meta l4proto udp iifname { "eth0", "eth1" } oifname { "eth2", "eth3" } counter ip6 dscp set 0x1 comment "!fw4: Mangle rule #2"
355 }
356 }
357 -- End --