2
0

07_helpers 9.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386
  1. Testing zone helper assignments
  2. -- Testcase --
  3. {%
  4. include("./root/usr/share/firewall4/main.uc", {
  5. getenv: function(varname) {
  6. switch (varname) {
  7. case 'ACTION':
  8. return 'print';
  9. }
  10. }
  11. })
  12. %}
  13. -- End --
  14. -- File fs/open~_sys_class_net_zone1_flags.txt --
  15. 0x1103
  16. -- End --
  17. -- File fs/open~_sys_class_net_zone2_flags.txt --
  18. 0x1103
  19. -- End --
  20. -- File fs/open~_sys_class_net_zone3_flags.txt --
  21. 0x1103
  22. -- End --
  23. -- File fs/open~_sys_class_net_zone4_flags.txt --
  24. 0x1103
  25. -- End --
  26. -- File fs/open~_sys_class_net_zone5_flags.txt --
  27. 0x1103
  28. -- End --
  29. -- File uci/firewall.json --
  30. {
  31. "zone": [
  32. {
  33. ".description": "Setting masq to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
  34. "name": "test1",
  35. "device": "zone1",
  36. "masq": "1",
  37. "helper": [ "tftp" ]
  38. },
  39. {
  40. ".description": "Setting masq6 to true for a zone with a helper should emit a helper chain for the zone with the configured helper",
  41. "name": "test2",
  42. "device": "zone2",
  43. "masq6": "1",
  44. "helper": [ "tftp" ]
  45. },
  46. {
  47. ".description": "Disabling both masq and masq6 for a zone with a helper should emit a helper chain for the zone with the configured helper",
  48. "name": "test3",
  49. "device": "zone3",
  50. "masq": "0",
  51. "masq6": "0",
  52. "helper": [ "tftp" ]
  53. },
  54. {
  55. ".description": "Disabling both masq and masq6 for a zone with a helper should configure default helper assignment",
  56. "name": "test4",
  57. "device": "zone4",
  58. "masq": "0",
  59. "masq6": "0",
  60. },
  61. {
  62. ".description": "Specifying an invalid helper should write a warning to stderr",
  63. "name": "test5",
  64. "device": "zone5",
  65. "masq": "0",
  66. "masq6": "0",
  67. "helper": [ "foo" ]
  68. }
  69. ]
  70. }
  71. -- End --
  72. -- Expect stdout --
  73. table inet fw4
  74. flush table inet fw4
  75. table inet fw4 {
  76. #
  77. # CT helper definitions
  78. #
  79. ct helper amanda {
  80. type "amanda" protocol udp;
  81. }
  82. ct helper ftp {
  83. type "ftp" protocol tcp;
  84. }
  85. ct helper RAS {
  86. type "RAS" protocol udp;
  87. }
  88. ct helper Q.931 {
  89. type "Q.931" protocol tcp;
  90. }
  91. ct helper irc {
  92. type "irc" protocol tcp;
  93. }
  94. ct helper netbios-ns {
  95. type "netbios-ns" protocol udp;
  96. }
  97. ct helper pptp {
  98. type "pptp" protocol tcp;
  99. }
  100. ct helper sane {
  101. type "sane" protocol tcp;
  102. }
  103. ct helper sip {
  104. type "sip" protocol udp;
  105. }
  106. ct helper snmp {
  107. type "snmp" protocol udp;
  108. }
  109. ct helper tftp {
  110. type "tftp" protocol udp;
  111. }
  112. ct helper rtsp {
  113. type "rtsp" protocol tcp;
  114. }
  115. #
  116. # Defines
  117. #
  118. define test1_devices = { "zone1" }
  119. define test1_subnets = { }
  120. define test2_devices = { "zone2" }
  121. define test2_subnets = { }
  122. define test3_devices = { "zone3" }
  123. define test3_subnets = { }
  124. define test4_devices = { "zone4" }
  125. define test4_subnets = { }
  126. #
  127. # User includes
  128. #
  129. include "/etc/nftables.d/*.nft"
  130. #
  131. # Filter rules
  132. #
  133. chain input {
  134. type filter hook input priority filter; policy drop;
  135. iif "lo" accept comment "!fw4: Accept traffic from loopback"
  136. ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
  137. iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
  138. iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
  139. iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
  140. iifname "zone4" jump input_test4 comment "!fw4: Handle test4 IPv4/IPv6 input traffic"
  141. }
  142. chain forward {
  143. type filter hook forward priority filter; policy drop;
  144. ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
  145. iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
  146. iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
  147. iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
  148. iifname "zone4" jump forward_test4 comment "!fw4: Handle test4 IPv4/IPv6 forward traffic"
  149. }
  150. chain output {
  151. type filter hook output priority filter; policy drop;
  152. oif "lo" accept comment "!fw4: Accept traffic towards loopback"
  153. ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
  154. oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
  155. oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
  156. oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
  157. oifname "zone4" jump output_test4 comment "!fw4: Handle test4 IPv4/IPv6 output traffic"
  158. }
  159. chain prerouting {
  160. type filter hook prerouting priority filter; policy accept;
  161. iifname "zone1" jump helper_test1 comment "!fw4: Handle test1 IPv4/IPv6 helper assignment"
  162. iifname "zone2" jump helper_test2 comment "!fw4: Handle test2 IPv4/IPv6 helper assignment"
  163. iifname "zone3" jump helper_test3 comment "!fw4: Handle test3 IPv4/IPv6 helper assignment"
  164. iifname "zone4" jump helper_test4 comment "!fw4: Handle test4 IPv4/IPv6 helper assignment"
  165. }
  166. chain handle_reject {
  167. meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  168. reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
  169. }
  170. chain input_test1 {
  171. jump drop_from_test1
  172. }
  173. chain output_test1 {
  174. jump drop_to_test1
  175. }
  176. chain forward_test1 {
  177. jump drop_to_test1
  178. }
  179. chain helper_test1 {
  180. meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
  181. }
  182. chain drop_from_test1 {
  183. iifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
  184. }
  185. chain drop_to_test1 {
  186. oifname "zone1" counter drop comment "!fw4: drop test1 IPv4/IPv6 traffic"
  187. }
  188. chain input_test2 {
  189. jump drop_from_test2
  190. }
  191. chain output_test2 {
  192. jump drop_to_test2
  193. }
  194. chain forward_test2 {
  195. jump drop_to_test2
  196. }
  197. chain helper_test2 {
  198. meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
  199. }
  200. chain drop_from_test2 {
  201. iifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
  202. }
  203. chain drop_to_test2 {
  204. oifname "zone2" counter drop comment "!fw4: drop test2 IPv4/IPv6 traffic"
  205. }
  206. chain input_test3 {
  207. jump drop_from_test3
  208. }
  209. chain output_test3 {
  210. jump drop_to_test3
  211. }
  212. chain forward_test3 {
  213. jump drop_to_test3
  214. }
  215. chain helper_test3 {
  216. meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
  217. }
  218. chain drop_from_test3 {
  219. iifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
  220. }
  221. chain drop_to_test3 {
  222. oifname "zone3" counter drop comment "!fw4: drop test3 IPv4/IPv6 traffic"
  223. }
  224. chain input_test4 {
  225. jump drop_from_test4
  226. }
  227. chain output_test4 {
  228. jump drop_to_test4
  229. }
  230. chain forward_test4 {
  231. jump drop_to_test4
  232. }
  233. chain helper_test4 {
  234. meta l4proto udp udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto"
  235. meta l4proto tcp tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking"
  236. meta l4proto udp udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking"
  237. meta l4proto tcp tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking"
  238. meta nfproto ipv4 meta l4proto tcp tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking"
  239. meta nfproto ipv4 meta l4proto udp udp dport 137 ct helper set "netbios-ns" comment "!fw4: NetBIOS name service broadcast tracking"
  240. meta nfproto ipv4 meta l4proto tcp tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking"
  241. meta l4proto tcp tcp dport 6566 ct helper set "sane" comment "!fw4: SANE scanner connection tracking"
  242. meta l4proto udp udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking"
  243. meta nfproto ipv4 meta l4proto udp udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking"
  244. meta l4proto udp udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking"
  245. meta nfproto ipv4 meta l4proto tcp tcp dport 554 ct helper set "rtsp" comment "!fw4: RTSP connection tracking"
  246. }
  247. chain drop_from_test4 {
  248. iifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
  249. }
  250. chain drop_to_test4 {
  251. oifname "zone4" counter drop comment "!fw4: drop test4 IPv4/IPv6 traffic"
  252. }
  253. #
  254. # NAT rules
  255. #
  256. chain dstnat {
  257. type nat hook prerouting priority dstnat; policy accept;
  258. }
  259. chain srcnat {
  260. type nat hook postrouting priority srcnat; policy accept;
  261. oifname "zone1" jump srcnat_test1 comment "!fw4: Handle test1 IPv4/IPv6 srcnat traffic"
  262. oifname "zone2" jump srcnat_test2 comment "!fw4: Handle test2 IPv4/IPv6 srcnat traffic"
  263. }
  264. chain srcnat_test1 {
  265. meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 test1 traffic"
  266. }
  267. chain srcnat_test2 {
  268. meta nfproto ipv6 masquerade comment "!fw4: Masquerade IPv6 test2 traffic"
  269. }
  270. #
  271. # Raw rules (notrack)
  272. #
  273. chain raw_prerouting {
  274. type filter hook prerouting priority raw; policy accept;
  275. }
  276. chain raw_output {
  277. type filter hook output priority raw; policy accept;
  278. }
  279. #
  280. # Mangle rules
  281. #
  282. chain mangle_prerouting {
  283. type filter hook prerouting priority mangle; policy accept;
  284. }
  285. chain mangle_postrouting {
  286. type filter hook postrouting priority mangle; policy accept;
  287. }
  288. chain mangle_input {
  289. type filter hook input priority mangle; policy accept;
  290. }
  291. chain mangle_output {
  292. type route hook output priority mangle; policy accept;
  293. }
  294. chain mangle_forward {
  295. type filter hook forward priority mangle; policy accept;
  296. }
  297. }
  298. -- End --
  299. -- Expect stderr --
  300. [!] Section @zone[4] (test5) option 'helper' specifies invalid value 'foo'
  301. [!] Section @zone[4] (test5) skipped due to invalid options
  302. -- End --