From: Jo-Philipp Wich Date: Fri, 3 Feb 2023 11:04:58 +0000 (+0100) Subject: tests: add testcase for automatic includes X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=ce9a37829a765c62ce8d9da37caa9bbfb5bb58ec;p=project%2Ffirewall4.git tests: add testcase for automatic includes Signed-off-by: Jo-Philipp Wich --- diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes new file mode 100644 index 0000000..53cc6f8 --- /dev/null +++ b/tests/06_includes/05_automatic_includes @@ -0,0 +1,205 @@ +Testing that /usr/share/nftables.d/ includes are automatically processed. + +-- Testcase -- +{% + include("./root/usr/share/firewall4/main.uc", { + getenv: function(varname) { + switch (varname) { + case 'ACTION': + return 'print'; + } + } + }) +%} +-- End -- + +-- File uci/helpers.json -- +{} +-- End -- + +-- File fs/open~_sys_class_net_eth0_flags.txt -- +0x1103 +-- End -- + +-- File fs/open~_etc_testinclude1_nft.txt -- +# dummy +-- End -- + +-- File fs/open~_etc_testinclude2_nft.txt -- +# dummy +-- End -- + +-- File fs/open~_etc_testinclude3_nft.txt -- +# dummy +-- End -- + +-- File uci/firewall.json -- +{ + "zone": [ + { + "name": "test", + "device": [ "eth0" ], + "auto_helper": 0 + } + ], + "include": [ + { + ".description": "By default, this include should be processed due to implicit enabled 1", + "path": "/etc/testinclude1.nft", + "type": "nftables" + }, + + { + ".description": "This include should be processed due to explicit enabled 1", + "path": "/etc/testinclude2.nft", + "type": "nftables", + "enabled": "1" + }, + + { + ".description": "This include should be skipped due to explicit enabled 0", + "path": "/etc/testinclude3.nft", + "type": "nftables", + "enabled": "0" + } + ] +} +-- End -- + +-- Expect stderr -- +[!] Section @include[2] is disabled, ignoring section +-- End -- + +-- Expect stdout -- +table inet fw4 +flush table inet fw4 + +table inet fw4 { + # + # Defines + # + + define test_devices = { "eth0" } + define test_subnets = { } + + + # + # User includes + # + + include "/etc/nftables.d/*.nft" + + + # + # Filter rules + # + + chain input { + type filter hook input priority filter; policy drop; + + iifname "lo" accept comment "!fw4: Accept traffic from loopback" + + ct state established,related accept comment "!fw4: Allow inbound established and related flows" + iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" + } + + chain forward { + type filter hook forward priority filter; policy drop; + + ct state established,related accept comment "!fw4: Allow forwarded established and related flows" + iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" + } + + chain output { + type filter hook output priority filter; policy drop; + + oifname "lo" accept comment "!fw4: Accept traffic towards loopback" + + ct state established,related accept comment "!fw4: Allow outbound established and related flows" + oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" + } + + chain prerouting { + type filter hook prerouting priority filter; policy accept; + } + + chain handle_reject { + meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" + reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" + } + + chain input_test { + jump drop_from_test + } + + chain output_test { + jump drop_to_test + } + + chain forward_test { + jump drop_to_test + } + + chain drop_from_test { + iifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" + } + + chain drop_to_test { + oifname "eth0" counter drop comment "!fw4: drop test IPv4/IPv6 traffic" + } + + + # + # NAT rules + # + + chain dstnat { + type nat hook prerouting priority dstnat; policy accept; + } + + chain srcnat { + type nat hook postrouting priority srcnat; policy accept; + } + + + # + # Raw rules (notrack) + # + + chain raw_prerouting { + type filter hook prerouting priority raw; policy accept; + } + + chain raw_output { + type filter hook output priority raw; policy accept; + } + + + # + # Mangle rules + # + + chain mangle_prerouting { + type filter hook prerouting priority mangle; policy accept; + } + + chain mangle_postrouting { + type filter hook postrouting priority mangle; policy accept; + } + + chain mangle_input { + type filter hook input priority mangle; policy accept; + } + + chain mangle_output { + type route hook output priority mangle; policy accept; + } + + chain mangle_forward { + type filter hook forward priority mangle; policy accept; + } + + include "/etc/testinclude1.nft" + include "/etc/testinclude2.nft" +} +-- End --