OWEALs
/
firewall4
同期ミラー https://github.com/openwrt/firewall4


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251
							Test that the zone family is honoured when setting up inter-zone forwarding rules.

-- Testcase --
{%
	include("./root/usr/share/firewall4/main.uc", {
		getenv: function(varname) {
			switch (varname) {
			case 'ACTION':
				return 'print';
			}
		}
	})
%}
-- End --

-- File uci/helpers.json --
{}
-- End --

-- File uci/firewall.json --
{
	"zone": [
		{
			"name": "wanA",
			"device": [ "eth0" ],
			"auto_helper": 0
		},

		{
			"name": "wanB",
			"device": [ "eth1" ],
			"auto_helper": 0
		},

		{
			"name": "lan",
			"device": [ "eth2" ],
			"auto_helper": 0
		}
	],

	"forwarding": [
		{
			".description": "This should only allow IPv6 forwarding from lan to wanA",
			"src": "lan",
			"dest": "wanA",
			"family": "IPv6"
		},

		{
			".description": "This should only allow IPv4 forwarding from lan to wanB",
			"src": "lan",
			"dest": "wanB",
			"family": "IPv4"
		}
	]
}
-- End --

-- Expect stdout --
table inet fw4
flush table inet fw4

table inet fw4 {
	#
	# Defines
	#

	define wanA_devices = { "eth0" }
	define wanA_subnets = {  }

	define wanB_devices = { "eth1" }
	define wanB_subnets = {  }

	define lan_devices = { "eth2" }
	define lan_subnets = {  }


	#
	# User includes
	#

	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy drop;

		iif "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
		iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
		iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
		iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
		iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
		iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
		iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
		oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
		oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
		oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
	}

	chain input_wanA {
		jump drop_from_wanA
	}

	chain output_wanA {
		jump drop_to_wanA
	}

	chain forward_wanA {
		jump drop_to_wanA
	}

	chain accept_to_wanA {
		oifname "eth0" counter accept comment "!fw4: accept wanA IPv4/IPv6 traffic"
	}

	chain drop_from_wanA {
		iifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic"
	}

	chain drop_to_wanA {
		oifname "eth0" counter drop comment "!fw4: drop wanA IPv4/IPv6 traffic"
	}

	chain input_wanB {
		jump drop_from_wanB
	}

	chain output_wanB {
		jump drop_to_wanB
	}

	chain forward_wanB {
		jump drop_to_wanB
	}

	chain accept_to_wanB {
		oifname "eth1" counter accept comment "!fw4: accept wanB IPv4/IPv6 traffic"
	}

	chain drop_from_wanB {
		iifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic"
	}

	chain drop_to_wanB {
		oifname "eth1" counter drop comment "!fw4: drop wanB IPv4/IPv6 traffic"
	}

	chain input_lan {
		jump drop_from_lan
	}

	chain output_lan {
		jump drop_to_lan
	}

	chain forward_lan {
		meta nfproto ipv6 jump accept_to_wanA comment "!fw4: Accept lan to wanA IPv6 forwarding"
		meta nfproto ipv4 jump accept_to_wanB comment "!fw4: Accept lan to wanB IPv4 forwarding"
		jump drop_to_lan
	}

	chain drop_from_lan {
		iifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}

	chain drop_to_lan {
		oifname "eth2" counter drop comment "!fw4: drop lan IPv4/IPv6 traffic"
	}


	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
	}


	#
	# Raw rules (notrack)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}


	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
	}
}
-- End --