2
0

02_masq 6.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265
  1. Testing that zone masquerading is properly mapped to chains.
  2. -- Testcase --
  3. {%
  4. include("./root/usr/share/firewall4/main.uc", {
  5. getenv: function(varname) {
  6. switch (varname) {
  7. case 'ACTION':
  8. return 'print';
  9. }
  10. }
  11. })
  12. %}
  13. -- End --
  14. -- File uci/helpers.json --
  15. {}
  16. -- End --
  17. -- File fs/open~_sys_class_net_zone1_flags.txt --
  18. 0x1103
  19. -- End --
  20. -- File fs/open~_sys_class_net_zone2_flags.txt --
  21. 0x1103
  22. -- End --
  23. -- File fs/open~_sys_class_net_zone3_flags.txt --
  24. 0x1103
  25. -- End --
  26. -- File uci/firewall.json --
  27. {
  28. "zone": [
  29. {
  30. ".description": "Setting masq to true should emit an IPv4 masquerading rule and inhibit default helper assignment",
  31. "name": "test1",
  32. "input": "ACCEPT",
  33. "output": "ACCEPT",
  34. "forward": "ACCEPT",
  35. "device": "zone1",
  36. "masq": "1"
  37. },
  38. {
  39. ".description": "Setting masq6 to true should emit an IPv6 masquerading rule and inhibit default helper assignment",
  40. "name": "test2",
  41. "input": "DROP",
  42. "output": "DROP",
  43. "forward": "DROP",
  44. "device": "zone2",
  45. "masq6": "1"
  46. },
  47. {
  48. ".description": "Setting both masq and masq6 should emit IPv4 and IPv6 masquerading and inhibit default helper assignment",
  49. "name": "test3",
  50. "input": "REJECT",
  51. "output": "REJECT",
  52. "forward": "REJECT",
  53. "device": "zone3",
  54. "masq": "1",
  55. "masq6": "1"
  56. }
  57. ]
  58. }
  59. -- End --
  60. -- Expect stdout --
  61. table inet fw4
  62. flush table inet fw4
  63. table inet fw4 {
  64. #
  65. # Defines
  66. #
  67. define test1_devices = { "zone1" }
  68. define test1_subnets = { }
  69. define test2_devices = { "zone2" }
  70. define test2_subnets = { }
  71. define test3_devices = { "zone3" }
  72. define test3_subnets = { }
  73. #
  74. # User includes
  75. #
  76. include "/etc/nftables.d/*.nft"
  77. #
  78. # Filter rules
  79. #
  80. chain input {
  81. type filter hook input priority filter; policy drop;
  82. iif "lo" accept comment "!fw4: Accept traffic from loopback"
  83. ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
  84. iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
  85. iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
  86. iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
  87. }
  88. chain forward {
  89. type filter hook forward priority filter; policy drop;
  90. ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
  91. iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
  92. iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
  93. iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
  94. }
  95. chain output {
  96. type filter hook output priority filter; policy drop;
  97. oif "lo" accept comment "!fw4: Accept traffic towards loopback"
  98. ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
  99. oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
  100. oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
  101. oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
  102. }
  103. chain prerouting {
  104. type filter hook prerouting priority filter; policy accept;
  105. }
  106. chain handle_reject {
  107. meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  108. reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
  109. }
  110. chain input_test1 {
  111. jump accept_from_test1
  112. }
  113. chain output_test1 {
  114. jump accept_to_test1
  115. }
  116. chain forward_test1 {
  117. jump accept_to_test1
  118. }
  119. chain accept_from_test1 {
  120. iifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
  121. }
  122. chain accept_to_test1 {
  123. meta nfproto ipv4 oifname "zone1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
  124. oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
  125. }
  126. chain input_test2 {
  127. jump drop_from_test2
  128. }
  129. chain output_test2 {
  130. jump drop_to_test2
  131. }
  132. chain forward_test2 {
  133. jump drop_to_test2
  134. }
  135. chain drop_from_test2 {
  136. iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
  137. }
  138. chain drop_to_test2 {
  139. oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
  140. }
  141. chain input_test3 {
  142. jump reject_from_test3
  143. }
  144. chain output_test3 {
  145. jump reject_to_test3
  146. }
  147. chain forward_test3 {
  148. jump reject_to_test3
  149. }
  150. chain reject_from_test3 {
  151. iifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic"
  152. }
  153. chain reject_to_test3 {
  154. oifname "zone3" counter jump handle_reject comment "!fw4: reject test3 IPv4/IPv6 traffic"
  155. }
  156. #
  157. # NAT rules
  158. #
  159. chain dstnat {
  160. type nat hook prerouting priority dstnat; policy accept;
  161. }
  162. chain srcnat {
  163. type nat hook postrouting priority srcnat; policy accept;
  164. oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
  165. oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic"
  166. oifname "zone3" jump srcnat_test3 comment "!fw4: Handle test3 IPv4/IPv6 srcnat traffic"
  167. }
  168. chain srcnat_test1 {
  169. meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
  170. }
  171. chain srcnat_test2 {
  172. meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test2 traffic"
  173. }
  174. chain srcnat_test3 {
  175. meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test3 traffic"
  176. meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test3 traffic"
  177. }
  178. #
  179. # Raw rules (notrack)
  180. #
  181. chain raw_prerouting {
  182. type filter hook prerouting priority raw; policy accept;
  183. }
  184. chain raw_output {
  185. type filter hook output priority raw; policy accept;
  186. }
  187. #
  188. # Mangle rules
  189. #
  190. chain mangle_prerouting {
  191. type filter hook prerouting priority mangle; policy accept;
  192. }
  193. chain mangle_postrouting {
  194. type filter hook postrouting priority mangle; policy accept;
  195. }
  196. chain mangle_input {
  197. type filter hook input priority mangle; policy accept;
  198. }
  199. chain mangle_output {
  200. type route hook output priority mangle; policy accept;
  201. }
  202. chain mangle_forward {
  203. type filter hook forward priority mangle; policy accept;
  204. }
  205. }
  206. -- End --