
  1. Testing that /usr/share/nftables.d/ includes are automatically processed.
  2. -- Testcase --
  3. {%
  4. include("./root/usr/share/firewall4/main.uc", {
  5. getenv: function(varname) {
  6. switch (varname) {
  7. case 'ACTION':
  8. return 'print';
  9. }
  10. }
  11. })
  12. %}
  13. -- End --
  14. -- File uci/helpers.json --
  15. {}
  16. -- End --
  17. -- File fs/open~_sys_class_net_eth0_flags.txt --
  18. 0x1103
  19. -- End --
  20. -- File fs/open~_etc_testinclude1_nft.txt --
  21. # dummy
  22. -- End --
  23. -- File fs/open~_etc_testinclude2_nft.txt --
  24. # dummy
  25. -- End --
  26. -- File fs/open~_etc_testinclude3_nft.txt --
  27. # dummy
  28. -- End --
  29. -- File uci/firewall.json --
  30. {
  31. "zone": [
  32. {
  33. "name": "test",
  34. "device": [ "eth0" ],
  35. "auto_helper": 0
  36. }
  37. ],
  38. "include": [
  39. {
  40. ".description": "By default, this include should be processed due to implicit enabled 1",
  41. "path": "/etc/testinclude1.nft",
  42. "type": "nftables"
  43. },
  44. {
  45. ".description": "This include should be processed due to explicit enabled 1",
  46. "path": "/etc/testinclude2.nft",
  47. "type": "nftables",
  48. "enabled": "1"
  49. },
  50. {
  51. ".description": "This include should be skipped due to explicit enabled 0",
  52. "path": "/etc/testinclude3.nft",
  53. "type": "nftables",
  54. "enabled": "0"
  55. }
  56. ]
  57. }
  58. -- End --
  59. -- Expect stderr --
  60. [!] Section @include[2] is disabled, ignoring section
  61. -- End --
  62. -- Expect stdout --
  63. table inet fw4
  64. flush table inet fw4
  65. table inet fw4 {
  66. #
  67. # Defines
  68. #
  69. define test_devices = { "eth0" }
  70. define test_subnets = { }
  71. #
  72. # User includes
  73. #
  74. include "/etc/nftables.d/*.nft"
  75. #
  76. # Filter rules
  77. #
  78. chain input {
  79. type filter hook input priority filter; policy drop;
  80. iif "lo" accept comment "!fw4: Accept traffic from loopback"
  81. ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
  82. iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
  83. }
  84. chain forward {
  85. type filter hook forward priority filter; policy drop;
  86. ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
  87. iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
  88. }
  89. chain output {
  90. type filter hook output priority filter; policy drop;
  91. oif "lo" accept comment "!fw4: Accept traffic towards loopback"
  92. ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
  93. oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
  94. }
  95. chain prerouting {
  96. type filter hook prerouting priority filter; policy accept;
  97. }
  98. chain handle_reject {
  99. meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  100. reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
  101. }
  102. chain input_test {
  103. jump drop_from_test
  104. }
  105. chain output_test {
  106. jump drop_to_test
  107. }
  108. chain forward_test {
  109. jump drop_to_test
  110. }
  111. chain drop_from_test {
  112. iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
  113. }
  114. chain drop_to_test {
  115. oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic"
  116. }
  117. #
  118. # NAT rules
  119. #
  120. chain dstnat {
  121. type nat hook prerouting priority dstnat; policy accept;
  122. }
  123. chain srcnat {
  124. type nat hook postrouting priority srcnat; policy accept;
  125. }
  126. #
  127. # Raw rules (notrack)
  128. #
  129. chain raw_prerouting {
  130. type filter hook prerouting priority raw; policy accept;
  131. }
  132. chain raw_output {
  133. type filter hook output priority raw; policy accept;
  134. }
  135. #
  136. # Mangle rules
  137. #
  138. chain mangle_prerouting {
  139. type filter hook prerouting priority mangle; policy accept;
  140. }
  141. chain mangle_postrouting {
  142. type filter hook postrouting priority mangle; policy accept;
  143. }
  144. chain mangle_input {
  145. type filter hook input priority mangle; policy accept;
  146. }
  147. chain mangle_output {
  148. type route hook output priority mangle; policy accept;
  149. }
  150. chain mangle_forward {
  151. type filter hook forward priority mangle; policy accept;
  152. }
  153. include "/etc/testinclude1.nft"
  154. include "/etc/testinclude2.nft"
  155. }
  156. -- End --