OWEALs
/
firewall4
kopia lustrzana https://github.com/openwrt/firewall4


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360
							Test that wildcard devices are properly handled.

-- Testcase --
{%
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File fs/open~_sys_class_net_never_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_test_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_foo_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_bar_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_baz_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_qrx_flags.txt --
0x0
-- End --

-- File fs/open~_sys_class_net_test1_flags.txt --
0x1103
-- End --

-- File fs/open~_sys_class_net_test2_flags.txt --
0x1103
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			".description": "A '+' device match should translate to no ifname match at all",
			"name": "test1",
			"device": [ "+" ]
		},
		{
			".description": "An inverted '+' device match should result in a match that always fails",
			"name": "test2",
			"device": [ "!+" ]
		},
		{
			".description": "A 'name+' device match should translate to an nft wildcard pattern",
			"name": "test3",
			"device": [ "test+" ]
		},
		{
			".description": "Wildcard matches must not be grouped into sets",
			"name": "test4",
			"device": [ "foo+", "bar+", "test1", "test2" ]
		},
		{
			".description": "Multiple inverted wildcard matches may be grouped into one rule",
			"name": "test5",
			"device": [ "foo+", "bar+", "!baz+", "!qrx+", "test1", "test2", "!test3", "!test4" ]
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define test1_devices = { "+" }
	define test1_subnets = {  }

	define test2_devices = { "/never/" }
	define test2_subnets = {  }

	define test3_devices = { "test*" }
	define test3_subnets = {  }

	define test4_devices = { "foo*", "bar*", "test1", "test2" }
	define test4_subnets = {  }

	define test5_devices = { "foo*", "bar*", "test1", "test2" }
	define test5_subnets = {  }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iifname "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
		iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
		iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
		iifname "foo*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
		iifname "bar*" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
		iifname { "test1", "test2" } jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
		iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
		iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
		iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump input_test5 comment "!fw4: Handle test5 IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
		iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
		iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
		iifname "foo*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
		iifname "bar*" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
		iifname { "test1", "test2" } jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
		iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
		iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
		iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump forward_test5 comment "!fw4: Handle test5 IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
		oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
		oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
		oifname "foo*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
		oifname "bar*" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
		oifname { "test1", "test2" } jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
		oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
		oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
		oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" jump output_test5 comment "!fw4: Handle test5 IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "/never/" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment"
		iifname "test*" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment"
		iifname "foo*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
		iifname "bar*" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
		iifname { "test1", "test2" } jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
		iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
		iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
		iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" jump helper_test5 comment "!fw4: Handle test5 IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_test1 {
		jump drop_from_test1
	}

	chain output_test1 {
		jump drop_to_test1
	}

	chain forward_test1 {
		jump drop_to_test1
	}

	chain helper_test1 {
	}

	chain drop_from_test1 {
		counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
	}

	chain drop_to_test1 {
		counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
	}

	chain input_test2 {
		jump drop_from_test2
	}

	chain output_test2 {
		jump drop_to_test2
	}

	chain forward_test2 {
		jump drop_to_test2
	}

	chain helper_test2 {
	}

	chain drop_from_test2 {
		iifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
	}

	chain drop_to_test2 {
		oifname "/never/" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
	}

	chain input_test3 {
		jump drop_from_test3
	}

	chain output_test3 {
		jump drop_to_test3
	}

	chain forward_test3 {
		jump drop_to_test3
	}

	chain helper_test3 {
	}

	chain drop_from_test3 {
		iifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
	}

	chain drop_to_test3 {
		oifname "test*" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
	}

	chain input_test4 {
		jump drop_from_test4
	}

	chain output_test4 {
		jump drop_to_test4
	}

	chain forward_test4 {
		jump drop_to_test4
	}

	chain helper_test4 {
	}

	chain drop_from_test4 {
		iifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
		iifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
		iifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
	}

	chain drop_to_test4 {
		oifname "foo*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
		oifname "bar*" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
		oifname { "test1", "test2" } counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
	}

	chain input_test5 {
		jump drop_from_test5
	}

	chain output_test5 {
		jump drop_to_test5
	}

	chain forward_test5 {
		jump drop_to_test5
	}

	chain helper_test5 {
	}

	chain drop_from_test5 {
		iifname "foo*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
		iifname "bar*" iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
		iifname { "test1", "test2" } iifname != { "test3", "test4" } iifname != "baz*" iifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
	}

	chain drop_to_test5 {
		oifname "foo*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
		oifname "bar*" oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
		oifname { "test1", "test2" } oifname != { "test3", "test4" } oifname != "baz*" oifname != "qrx*" counter drop comment "!fw4: drop test5 IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --