<feed xmlns='http://www.w3.org/2005/Atom'>
<title>firewall4/tests/mocks, branch master</title>
<subtitle>OpenWrt nftables firewall</subtitle>
<id>https://git.openwrt.org/project/firewall4/atom?h=master</id>
<link rel='self' href='https://git.openwrt.org/project/firewall4/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/'/>
<updated>2022-11-02T15:24:20Z</updated>
<entry>
<title>config: drop input traffic by default</title>
<updated>2022-11-02T15:24:20Z</updated>
<author>
<name>Baptiste Jonglez</name>
</author>
<published>2022-11-02T15:06:47Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=6443ec7805295de07f6051662065a16b4a194f19'/>
<id>urn:sha1:6443ec7805295de07f6051662065a16b4a194f19</id>
<content type='text'>
This is necessary with firewall4 to avoid a hard-to-diagnose race
condition during boot, causing DNAT rules not to be taken into account
correctly.

The root cause is that, during boot, the ruleset is mostly empty, and
interface-related rules (including DNAT rules) are added incrementally.
If a packet hits the input chain before the DNAT rules are set up, it can
create buggy conntrack entries that will persist indefinitely.

This new default should be safe because firewall4 explicitly accepts
authorized traffic and rejects the rest.  Thus, in normal operations, the
default policy is not used.

Fixes: #10749
Ref: https://github.com/openwrt/openwrt/issues/10749
Signed-off-by: Baptiste Jonglez &lt;git@bitsofnetworks.org&gt;
</content>
</entry>
<entry>
<title>fw4: support automatic includes</title>
<updated>2022-08-12T12:35:58Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-08-11T11:48:14Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=a4484d4612931800583a7219271b63224491244c'/>
<id>urn:sha1:a4484d4612931800583a7219271b63224491244c</id>
<content type='text'>
Introduce a new directory tree /usr/share/nftables.d/ which may contain
partial nftables files being included into the rendered ruleset.

The include position is derived from the file path:

 - Files in .../nftables.d/table-pre/ and .../nftables.d/table-post/ are
   included before and after the `table inet fw4 { ... }` declaration
   respectively

 - Files in .../nftables.d/ruleset-pre/ and .../nftables.d/ruleset-post/
   are included before the first chain and after the last chain
   declaration within the fw4 table respectively

 - Files in .../nftables.d/chain-pre/${chain}/ and .../chain-post/${chain}/
   are included before the first and after the last rule within the mentioned
   chain of the fw4 table respectively

Automatic includes can be disabled by setting the `auto_includes` option to
`0` in the global defaults section.

Also adjust testcases accordingly.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: add missing fs.stat() mock data for `nf_conntrack_dummy`</title>
<updated>2022-08-08T19:09:12Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-08-08T19:08:29Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=5a02f74ec3bcf34881e6b8b64f7c36303f732e00'/>
<id>urn:sha1:5a02f74ec3bcf34881e6b8b64f7c36303f732e00</id>
<content type='text'>
Fixes: 111a7f7 ("fw4: don't inherit zone family from ct helpers")
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: change mocked wan interface type to PPPoE</title>
<updated>2022-02-12T19:36:46Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-02-12T12:16:24Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=281b1bcd99f4a65410ae0559da4f6f130a31d4a8'/>
<id>urn:sha1:281b1bcd99f4a65410ae0559da4f6f130a31d4a8</id>
<content type='text'>
Change the WAN interface type in the mock data to PPPoE. PPPoE interfaces
are special because their L3 device differs from the L2 one which becomes
important later for resolving hw offloaded flowtable devices.

Adjust the test cases accordingly.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: only stage reflection rules if all required addrs are known</title>
<updated>2022-02-10T18:52:00Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-02-10T18:52:00Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=1a94915b5d38c9f17b27481add5a0a62341da627'/>
<id>urn:sha1:1a94915b5d38c9f17b27481add5a0a62341da627</id>
<content type='text'>
Do not stage reflection rules if any of the internal, external or
rewrite IP addrs cannot be determined. Also emit a warning in this
case and extend the redirect test case to cover this.

Fixes: #5067
Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>fw4: consolidate helper code</title>
<updated>2022-02-05T23:33:04Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-02-04T22:44:25Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=4d5af8b0196912ab21f1b288f73cafa2eb6a1345'/>
<id>urn:sha1:4d5af8b0196912ab21f1b288f73cafa2eb6a1345</id>
<content type='text'>
 - Move various local helper functions out of main.uc into the fw4 class
 - Rework settype reading to use nft JSON output as terse mode now works
 - Simplify testing flowtable enable conditions
 - Adjust testcases to changed flowtable logic

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: update interface dump mock data</title>
<updated>2022-01-27T15:22:11Z</updated>
<author>
<name>Jo-Philipp Wich</name>
</author>
<published>2022-01-27T14:55:38Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=ca88fcdfd1d3adfff965a2547e9c417a2950df24'/>
<id>urn:sha1:ca88fcdfd1d3adfff965a2547e9c417a2950df24</id>
<content type='text'>
Reorder and extend ubus interface dump mock. Ensure that the lan interface
has two IPv4 and IPv6 addresses each to cover address selection logic in
various fw4 parts.

Signed-off-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: add test for unknown rule option</title>
<updated>2022-01-09T13:22:25Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-01-07T12:56:16Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=69a89d60cae16fe128a547ac27d2498938effbf9'/>
<id>urn:sha1:69a89d60cae16fe128a547ac27d2498938effbf9</id>
<content type='text'>
Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
Reviewed-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: add test for deprecated rule option</title>
<updated>2022-01-09T13:22:20Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-01-07T12:54:36Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=47c5a5b225d9ced1ee40594b1a8ea850508d26a3'/>
<id>urn:sha1:47c5a5b225d9ced1ee40594b1a8ea850508d26a3</id>
<content type='text'>
Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
Reviewed-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
<entry>
<title>tests: add test for unknown defaults option</title>
<updated>2022-01-09T13:22:16Z</updated>
<author>
<name>Stijn Tintel</name>
</author>
<published>2022-01-07T12:45:49Z</published>
<link rel='alternate' type='text/html' href='https://git.openwrt.org/project/firewall4/commit/?id=550df40ec76f81c0d355d3be6b36bcd98cf93097'/>
<id>urn:sha1:550df40ec76f81c0d355d3be6b36bcd98cf93097</id>
<content type='text'>
Signed-off-by: Stijn Tintel &lt;stijn@linux-ipv6.be&gt;
Reviewed-by: Jo-Philipp Wich &lt;jo@mein.io&gt;
</content>
</entry>
</feed>
