From f7f39de31dd7f63ed5d55507d33dac02d4c3ee13 Mon Sep 17 00:00:00 2001 
From: Andris PE Date: Wed, 28 Feb 2024 17:01:10 +0200 Subject: [PATCH 1/9] Reorder early state dispatch for quicker outcome locate offload at the end of slowpath ... use builtin tcpudp filter in place of extra filter ... and directly yield to offload-add kworker drop invalid asap and avoid further activity on useless packets ... which accidentally simplifies main state dispatch ... so make use of optimized dispatch alternatives depending on global settings Thanks-to: @CallMeR for tcpudp filter avoidance idea Discussed: https://github.com/openwrt/firewall4/pull/20 Signed-Off-By: Andris PE --- root/usr/share/firewall4/templates/ruleset.uc | 25 +++++++++++++++---- tests/01_configuration/01_ruleset | 12 ++++++--- tests/01_configuration/02_rule_order | 6 ++--- tests/02_zones/01_policies | 6 ++--- tests/02_zones/02_masq | 6 ++--- tests/02_zones/03_masq_src_dest_restrictions | 6 ++--- tests/02_zones/04_masq_allow_invalid | 6 ++--- tests/02_zones/04_wildcard_devices | 6 ++--- tests/02_zones/05_subnet_mask_matches | 6 ++--- tests/02_zones/06_family_selections | 6 ++--- tests/02_zones/07_helpers | 6 ++--- tests/02_zones/08_log_limit | 6 ++--- tests/03_rules/01_direction | 6 ++--- tests/03_rules/02_enabled | 6 ++--- tests/03_rules/03_constraints | 6 ++--- tests/03_rules/04_icmp | 6 ++--- tests/03_rules/05_mangle | 6 ++--- tests/03_rules/06_subnet_mask_matches | 6 ++--- tests/03_rules/07_redirect | 6 ++--- tests/03_rules/08_family_inheritance | 6 ++--- tests/03_rules/09_time | 6 ++--- tests/03_rules/10_notrack | 6 ++--- tests/03_rules/11_log | 6 ++--- tests/03_rules/12_mark | 6 ++--- tests/04_forwardings/01_family_selections | 6 ++--- tests/05_ipsets/01_declaration | 6 ++--- tests/05_ipsets/02_usage | 6 ++--- tests/06_includes/01_nft_includes | 6 ++--- tests/06_includes/02_firewall.user_include | 6 ++--- tests/06_includes/04_disabled_include | 6 ++--- tests/06_includes/05_automatic_includes | 6 ++--- 31 files changed, 115 insertions(+), 96 deletions(-) 
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index 2bec4d9..8b1e717 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -115,7 +115,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" {% fw4.includes('chain-prepend', 'input') %} - ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %} tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets" {% endif %} @@ -134,11 +134,12 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }}; +{% fw4.includes('chain-prepend', 'forward') %} {% if (length(flowtable_devices) > 0): %} - meta l4proto { tcp, udp } flow offload @ft; + ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows" +{% else %} + ct state established,related accept comment "!fw4: Handle forwarded flows" {% endif %} -{% fw4.includes('chain-prepend', 'forward') %} - ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle forwarded flows" {% for (let rule in fw4.rules("forward")): %} {%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %} {% endfor %} 
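Review bot: Dropping `invalid : drop` from the input vmap changes its position relative to `{% fw4.includes('chain-prepend', 'input') %}`: the hunk shows the include running directly before the old vmap line, so a user include could accept selected invalid-state packets (asymmetric routing is the usual case) before fw4 dropped them, whereas the replacement `iif != "lo" ct state invalid drop` added in the prerouting hunk (`@@ -181,6 +186,9 @@`) is evaluated before the input or forward chain is entered at all. The forward hunk (`@@ -134,11 +134,12 @@`) has the same reordering for the forward chain-prepend include. If this is intended, the commit message should state it and the prerouting rule deserves a template comment such as `# evaluated ahead of the input/forward chains, so chain-prepend includes can no longer override drop_invalid`. The rest of the input chain lies outside the hunk, so any further ordering effects cannot be checked here.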
@@ -157,7 +158,11 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" {% fw4.includes('chain-prepend', 'output') %} - ct state vmap { established : accept, related : accept{% if (fw4.default_option("drop_invalid")): %}, invalid : drop{% endif %} } comment "!fw4: Handle outbound flows" +{% if (fw4.default_option("drop_invalid")): %} + ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows" +{% else %} + ct state established,related accept comment "!fw4: Handle outbound flows" +{% endif %} {% for (let rule in fw4.rules("output")): %} {%+ include("rule.uc", { fw4, zone: null, rule }) %} {% endfor %} @@ -181,6 +186,9 @@ table inet fw4 { chain prerouting { type filter hook prerouting priority filter; policy accept; +{% if (fw4.default_option("drop_invalid")): %} + iif != "lo" ct state invalid drop comment "!fw4: Drop packets in invalid flow state" +{% endif %} {% for (let zone in fw4.zones()): %} {% if (zone.dflags.helper): %} {% for (let rule in zone.match_rules): %} @@ -207,6 +215,13 @@ table inet fw4 { }} comment "!fw4: Reject any other traffic" } +{% if (length(flowtable_devices) > 0): %} + chain handle_offload { + flow offload @ft accept + accept + } + +{% endif %} {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): let r = fw4.default_option("synflood_rate"); let b = fw4.default_option("synflood_burst"); diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset index 108dff9..4d6173a 100644 --- a/tests/01_configuration/01_ruleset +++ b/tests/01_configuration/01_ruleset 
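Review bot: The output chain keeps its own `invalid : drop` variant while input and forward now rely on the prerouting rule, but the reason — locally generated packets do not traverse the prerouting hook, so only the output chain can catch their invalid state — is stated nowhere, and a later cleanup could easily fold this branch into the single `established,related accept` form. A one-line comment above the new `{% if (fw4.default_option("drop_invalid")): %}` block, e.g. `# locally generated traffic never passes prerouting, so output must drop invalid state itself`, would pin that down. The two rendered variants are otherwise equivalent for the established and related cases.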
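Review bot: `chain handle_offload` depends on an implicit property of the flow offload statement — per the commit message it only picks up TCP and UDP and leaves other protocols unhandled — and the bare `accept` on its second line exists precisely for those packets, yet nothing in the template says so. Suggest a comment above the chain, e.g. `# flow offload only handles TCP/UDP; other established traffic falls through to the plain accept`, so the second `accept` is not mistaken for dead code and removed. Whether the `accept` verdict appended to `flow offload @ft` is honoured on every nftables/kernel version fw4 targets cannot be verified from the hunk and is worth stating in the commit message too, since the test fixtures only check the rendered text, not that nft loads it.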
@@ -112,7 +112,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" @@ -122,8 +122,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - meta l4proto { tcp, udp } flow offload @ft; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" jump handle_reject @@ -134,7 +133,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" @@ -150,6 +149,11 @@ table inet fw4 { reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic" } + chain handle_offload { + flow offload @ft accept + accept + } + chain syn_flood { limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit" drop comment "!fw4: Drop excess packets" 
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order index c5c52a4..a369727 100644 --- a/tests/01_configuration/02_rule_order +++ b/tests/01_configuration/02_rule_order @@ -93,7 +93,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } @@ -101,7 +101,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" } @@ -111,7 +111,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies index e956ad4..44d4803 100644 --- a/tests/02_zones/01_policies +++ b/tests/02_zones/01_policies 
@@ -95,7 +95,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -104,7 +104,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq index aedc9bd..ac12bea 100644 --- a/tests/02_zones/02_masq +++ b/tests/02_zones/02_masq 
@@ -99,7 +99,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -108,7 +108,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -119,7 +119,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions index e173601..3a23698 100644 --- a/tests/02_zones/03_masq_src_dest_restrictions +++ b/tests/02_zones/03_masq_src_dest_restrictions 
@@ -122,7 +122,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" } @@ -130,7 +130,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" } @@ -140,7 +140,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid index d5d1ccf..7ddf1bb 100644 --- a/tests/02_zones/04_masq_allow_invalid +++ b/tests/02_zones/04_masq_allow_invalid 
@@ -71,14 +71,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" } @@ -87,7 +87,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices index 5e6809a..a9db318 100644 --- a/tests/02_zones/04_wildcard_devices +++ b/tests/02_zones/04_wildcard_devices @@ -122,7 +122,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 
@@ -137,7 +137,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -154,7 +154,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches index 55c5635..891f556 100644 --- a/tests/02_zones/05_subnet_mask_matches +++ b/tests/02_zones/05_subnet_mask_matches 
@@ -81,7 +81,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" @@ -91,7 +91,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" 
@@ -103,7 +103,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index d766be7..d0742a1 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections @@ -136,7 +136,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" 
@@ -148,7 +148,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic" @@ -162,7 +162,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index e4955a1..b032b2a 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers @@ -168,7 +168,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 
@@ -178,7 +178,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -190,7 +190,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit index 02bd201..cc5de8d 100644 --- a/tests/02_zones/08_log_limit +++ b/tests/02_zones/08_log_limit @@ -240,7 +240,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]" tcp dport 1008 counter comment "!fw4: @rule[7]" tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: " 
@@ -254,7 +254,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: " tcp dport 1005 counter comment "!fw4: @rule[4]" tcp dport 1006 counter comment "!fw4: @rule[5]" @@ -269,7 +269,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic" oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index 535ffcb..e9e5af7 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction @@ -71,14 +71,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" counter comment "!fw4: @rule[1]" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" counter comment "!fw4: @rule[3]" } 
@@ -87,7 +87,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" counter comment "!fw4: @rule[0]" counter comment "!fw4: @rule[2]" } diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index 9c14ed9..9ec1ca0 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled @@ -68,13 +68,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" } chain output { @@ -82,7 +82,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" counter comment "!fw4: Implicitly enabled" counter comment "!fw4: Explicitly enabled" } diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints index 76f4c0c..30174cd 100644 --- a/tests/03_rules/03_constraints +++ b/tests/03_rules/03_constraints 
@@ -107,13 +107,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" } chain output { @@ -121,7 +121,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1" meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1" } diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index f9eec47..f50abfa 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -77,13 +77,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" } chain output { 
@@ -91,7 +91,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle index fbb8141..bf9cde7 100644 --- a/tests/03_rules/05_mangle +++ b/tests/03_rules/05_mangle @@ -178,7 +178,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } @@ -186,7 +186,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" } 
@@ -196,7 +196,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Handle outbound flows" oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches index b397066..012fe0c 100644 --- a/tests/03_rules/06_subnet_mask_matches +++ b/tests/03_rules/06_subnet_mask_matches @@ -133,7 +133,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Handle inbound flows" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" @@ -142,7 +142,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Handle forwarded flows" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic" 
@@ -153,7 +153,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1"
 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 80e24bb..4b8cba6 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -165,7 +165,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
@@ -174,7 +174,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
@@ -185,7 +185,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index 679f3b9..f098271 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -202,14 +202,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
 }
@@ -218,7 +218,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
 }
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index 63c7724..6088598 100644
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -139,13 +139,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 }
 chain output {
@@ -153,7 +153,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1"
 meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2"
 meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3"
diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index 470f922..65b39e7 100644
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -103,7 +103,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
 iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic"
 iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic"
@@ -125,7 +125,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"
 oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic"
 meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic"
diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log
index f777291..cf89142 100644
--- a/tests/03_rules/11_log
+++ b/tests/03_rules/11_log
@@ -114,13 +114,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 }
 chain output {
@@ -128,7 +128,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"
diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
index 2744096..f73cf58 100644
--- a/tests/03_rules/12_mark
+++ b/tests/03_rules/12_mark
@@ -98,13 +98,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 }
 chain output {
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 }
 chain prerouting {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index 029501a..5ca32dd 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -92,7 +92,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -101,7 +101,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
 iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
 iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index 60c1514..52cc67d 100644
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -88,13 +88,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 }
 chain output {
@@ -102,7 +102,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 }
 chain prerouting {
diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 81ed6ed..fdc46df 100644
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -162,13 +162,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
@@ -182,7 +182,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 }
 chain prerouting {
diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index d267f5c..57d7f85 100644
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -156,7 +156,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -164,7 +164,7 @@ table inet fw4 {
 type filter hook forward priority filter; policy drop;
 include "/usr/share/nftables.d/include-chain-start-forward.nft"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 include "/usr/share/nftables.d/include-chain-end-forward.nft"
 }
@@ -174,7 +174,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index 1f83b04..9da0525 100644
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -93,14 +93,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -109,7 +109,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index 5b69540..df50b04 100644
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -99,14 +99,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes
index 83322b9..bf50bb9 100644
--- a/tests/06_includes/05_automatic_includes
+++ b/tests/06_includes/05_automatic_includes
@@ -99,14 +99,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Handle inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Handle forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Handle outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
From 464753030ffaad6ea87b76b6a37c923c686975a0 Mon Sep 17 00:00:00 2001
From: Andris PE Date: Sat, 2 Mar 2024 11:45:07 +0200 Subject: [PATCH 2/9] Characterize rule workings better As in the old days, guilty of not having had the idea of splitting the state handling earlier. --- root/usr/share/firewall4/templates/ruleset.uc | 6 +++--- tests/01_configuration/01_ruleset | 4 ++-- tests/01_configuration/02_rule_order | 6 +++--- tests/02_zones/01_policies | 6 +++--- tests/02_zones/02_masq | 6 +++--- tests/02_zones/03_masq_src_dest_restrictions | 6 +++--- tests/02_zones/04_masq_allow_invalid | 6 +++--- tests/02_zones/04_wildcard_devices | 6 +++--- tests/02_zones/05_subnet_mask_matches | 6 +++--- tests/02_zones/06_family_selections | 6 +++--- tests/02_zones/07_helpers | 6 +++--- tests/02_zones/08_log_limit | 6 +++--- tests/03_rules/01_direction | 6 +++--- tests/03_rules/02_enabled | 6 +++--- tests/03_rules/03_constraints | 6 +++--- tests/03_rules/04_icmp | 6 +++--- tests/03_rules/05_mangle | 6 +++--- tests/03_rules/06_subnet_mask_matches | 6 +++--- tests/03_rules/07_redirect | 6 +++--- tests/03_rules/08_family_inheritance | 6 +++--- tests/03_rules/09_time | 6 +++--- tests/03_rules/10_notrack | 6 +++--- tests/03_rules/11_log | 6 +++--- tests/03_rules/12_mark | 6 +++--- tests/04_forwardings/01_family_selections | 6 +++--- tests/05_ipsets/01_declaration | 6 +++--- tests/05_ipsets/02_usage | 6 +++--- tests/06_includes/01_nft_includes | 6 +++--- tests/06_includes/02_firewall.user_include | 6 +++--- tests/06_includes/04_disabled_include | 6 +++--- tests/06_includes/05_automatic_includes | 6 +++--- 31 files changed, 92 insertions(+), 92 deletions(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index 8b1e717..c232820 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -115,7 +115,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
 {% fw4.includes('chain-prepend', 'input') %}
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
@@ -138,7 +138,7 @@ table inet fw4 {
 {% if (length(flowtable_devices) > 0): %}
 ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows"
 {% else %}
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 {% endif %}
 {% for (let rule in fw4.rules("forward")): %}
 {%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
@@ -161,7 +161,7 @@ table inet fw4 {
 {% if (fw4.default_option("drop_invalid")): %}
 ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows"
 {% else %}
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 {% endif %}
 {% for (let rule in fw4.rules("output")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 4d6173a..c5c3159 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
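Review bot: The new "Accept … flows" wording is applied only to the unconditional accept rule in each of the three chains, while the vmap variants visible in the forward hunk (`established : jump handle_offload`) and the output hunk (`invalid : drop`) keep "Handle … flows"; the split looks deliberate, but nothing in the template records it, so a later edit is likely to rename one side and not the other. A one-line template comment above the first conditional would pin the convention, e.g. `{# "Accept …" marks rules that only accept; "Handle …" marks vmaps that may also jump or drop #}`. These `!fw4:` strings are also what the fixture files under tests/ in this same patch compare against, so any further rewording has to be mirrored in all of them in the same commit. Each of the three chain definitions starts and ends outside its hunk.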
@@ -112,7 +112,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -133,7 +133,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index a369727..6ed7f54 100644
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -93,7 +93,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 }
@@ -101,7 +101,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 }
@@ -111,7 +111,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 44d4803..5d693a0 100644
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -95,7 +95,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -104,7 +104,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index ac12bea..64e0880 100644
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -99,7 +99,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -108,7 +108,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -119,7 +119,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 3a23698..2bcfc8e 100644
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -122,7 +122,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 }
@@ -130,7 +130,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 }
@@ -140,7 +140,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid
index 7ddf1bb..74414b4 100644
--- a/tests/02_zones/04_masq_allow_invalid
+++ b/tests/02_zones/04_masq_allow_invalid
@@ -71,14 +71,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 }
@@ -87,7 +87,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index a9db318..f38d365 100644
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -122,7 +122,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -137,7 +137,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Handle forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -154,7 +154,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Handle outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 891f556..a0138fe 100644
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -81,7 +81,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Handle inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
@@ -91,7 +91,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" @@ -103,7 +103,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index d0742a1..c22e23b 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections 
@@ -136,7 +136,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" @@ -148,7 +148,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic" @@ -162,7 +162,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index b032b2a..4e420be 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers 
@@ -168,7 +168,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -178,7 +178,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -190,7 +190,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit index cc5de8d..9793aa2 100644 --- a/tests/02_zones/08_log_limit +++ b/tests/02_zones/08_log_limit 
@@ -240,7 +240,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]" tcp dport 1008 counter comment "!fw4: @rule[7]" tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: " @@ -254,7 +254,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: " tcp dport 1005 counter comment "!fw4: @rule[4]" tcp dport 1006 counter comment "!fw4: @rule[5]" @@ -269,7 +269,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic" oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index e9e5af7..789363d 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction 
@@ -71,14 +71,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" counter comment "!fw4: @rule[1]" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" counter comment "!fw4: @rule[3]" } @@ -87,7 +87,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" counter comment "!fw4: @rule[0]" counter comment "!fw4: @rule[2]" } diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index 9ec1ca0..72b8165 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled @@ -68,13 +68,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -82,7 +82,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" counter comment "!fw4: Implicitly enabled" counter comment "!fw4: Explicitly enabled" } diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints index 30174cd..43a9c69 100644 --- a/tests/03_rules/03_constraints 
+++ b/tests/03_rules/03_constraints @@ -107,13 +107,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -121,7 +121,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1" meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1" } diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index f50abfa..b88c6c9 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -77,13 +77,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { 
@@ -91,7 +91,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle index bf9cde7..6dab58e 100644 --- a/tests/03_rules/05_mangle +++ b/tests/03_rules/05_mangle @@ -178,7 +178,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } @@ -186,7 +186,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" } @@ -196,7 +196,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } 
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches index 012fe0c..57bcb2a 100644 --- a/tests/03_rules/06_subnet_mask_matches +++ b/tests/03_rules/06_subnet_mask_matches @@ -133,7 +133,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" @@ -142,7 +142,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic" 
@@ -153,7 +153,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index 4b8cba6..ad8555a 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect @@ -165,7 +165,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic" 
@@ -174,7 +174,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic" @@ -185,7 +185,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic" diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance index f098271..08135ba 100644 --- a/tests/03_rules/08_family_inheritance +++ b/tests/03_rules/08_family_inheritance @@ -202,14 +202,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic" } 
@@ -218,7 +218,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic" } diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time index 6088598..774ff67 100644 --- a/tests/03_rules/09_time +++ b/tests/03_rules/09_time @@ -139,13 +139,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -153,7 +153,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1" meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2" meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3" diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack index 65b39e7..9239b6b 100644 --- a/tests/03_rules/10_notrack +++ b/tests/03_rules/10_notrack 
@@ -103,7 +103,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic" iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic" meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic" @@ -113,7 +113,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic" iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic" meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic" @@ -125,7 +125,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic" oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic" meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic" diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log index cf89142..6dfa599 100644 --- a/tests/03_rules/11_log +++ b/tests/03_rules/11_log 
@@ -114,13 +114,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -128,7 +128,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" counter log prefix "@rule[0]: " comment "!fw4: @rule[0]" counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name" counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]" diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark index f73cf58..d7888d5 100644 --- a/tests/03_rules/12_mark +++ b/tests/03_rules/12_mark @@ -98,13 +98,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -112,7 +112,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" } chain prerouting { diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections index 5ca32dd..46e866d 100644 
--- a/tests/04_forwardings/01_family_selections +++ b/tests/04_forwardings/01_family_selections @@ -92,7 +92,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic" iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic" iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" @@ -101,7 +101,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic" iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic" iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" @@ -112,7 +112,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic" oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic" oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration index 52cc67d..3cf8920 100644 --- a/tests/05_ipsets/01_declaration +++ b/tests/05_ipsets/01_declaration 
@@ -88,13 +88,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" } chain output { @@ -102,7 +102,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" } chain prerouting { diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage index fdc46df..6ae16b1 100644 --- a/tests/05_ipsets/02_usage +++ b/tests/05_ipsets/02_usage @@ -162,13 +162,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1" meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'" meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction" 
@@ -182,7 +182,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" } chain prerouting { diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes index 57d7f85..06418f0 100644 --- a/tests/06_includes/01_nft_includes +++ b/tests/06_includes/01_nft_includes @@ -156,7 +156,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" } @@ -164,7 +164,7 @@ table inet fw4 { type filter hook forward priority filter; policy drop; include "/usr/share/nftables.d/include-chain-start-forward.nft" - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" include "/usr/share/nftables.d/include-chain-end-forward.nft" } @@ -174,7 +174,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include index 9da0525..49275cf 100644 --- a/tests/06_includes/02_firewall.user_include +++ b/tests/06_includes/02_firewall.user_include 
@@ -93,14 +93,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" } @@ -109,7 +109,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include index df50b04..27eece3 100644 --- a/tests/06_includes/04_disabled_include +++ b/tests/06_includes/04_disabled_include @@ -99,14 +99,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" } 
@@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes index bf50bb9..f3c9d54 100644 --- a/tests/06_includes/05_automatic_includes +++ b/tests/06_includes/05_automatic_includes @@ -99,14 +99,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Handle inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Handle forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" } @@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Handle outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } From c3b6b68d60d24593bf6db62ae9de6d2072ad8e23 Mon Sep 17 00:00:00 2001 From: Andris PE Date: Wed, 27 Mar 2024 21:38:50 +0200 Subject: [PATCH 3/9] Reduce default weight. No need to consume CPU in default case for unrealistic corner case. loopback invalid thus better dropped at ease. Signed-off-by: Andris PE --- root/usr/share/firewall4/templates/ruleset.uc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index c232820..e6264c4 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -187,7 +187,7 @@ table inet fw4 {
 chain prerouting {
 type filter hook prerouting priority filter; policy accept;
 {% if (fw4.default_option("drop_invalid")): %}
- iif != "lo" ct state invalid drop comment "!fw4: Drop packets in invalid flow state"
+ ct state invalid drop comment "!fw4: Drop packets in invalid flow state"
 {% endif %}
 {% for (let zone in fw4.zones()): %}
 {% if (zone.dflags.helper): %}
From a625924e002c50206509e85f32084707c18f22cb Mon Sep 17 00:00:00 2001
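Review bot: Removing `iif != "lo"` from the prerouting drop changes behaviour for locally-originated traffic, not only the corner case the message describes: prerouting runs before the input chain's `iif "lo" accept` (visible in every fixture above), so a loopback packet that conntrack classifies as invalid is now dropped before that accept is ever reached, e.g. after a conntrack table flush or when a local service emits segments outside the tracked window. If enforcing drop_invalid on loopback is the intent, record it in the template so the exemption is not silently re-added later, e.g. `{# loopback is deliberately not exempt: invalid-state packets are dropped here, before input's "iif lo accept" #}`; otherwise keep the `iif != "lo"` qualifier. Only ruleset.uc is touched, so if any expectation under tests/ renders this prerouting rule with drop_invalid set, it is not updated by this patch.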
From: Andris PE Date: Thu, 6 Jun 2024 12:21:13 +0300 Subject: [PATCH 4/9] Stay with vmapized versions firstly netfilter doc now has only vmap-y dispatch examples secondly vmap includes "immediate" action in itself, as opposed to setting bool in lookup and in separate bytecode insnis doing immediate or full action. --- root/usr/share/firewall4/templates/ruleset.uc | 6 +++--- tests/01_configuration/01_ruleset | 4 ++-- tests/01_configuration/02_rule_order | 6 +++--- tests/02_zones/01_policies | 6 +++--- tests/02_zones/02_masq | 6 +++--- tests/02_zones/03_masq_src_dest_restrictions | 6 +++--- tests/02_zones/04_masq_allow_invalid | 6 +++--- tests/02_zones/04_wildcard_devices | 6 +++--- tests/02_zones/05_subnet_mask_matches | 6 +++--- tests/02_zones/06_family_selections | 6 +++--- tests/02_zones/07_helpers | 6 +++--- tests/02_zones/08_log_limit | 6 +++--- tests/03_rules/01_direction | 6 +++--- tests/03_rules/02_enabled | 6 +++--- tests/03_rules/03_constraints | 6 +++--- tests/03_rules/04_icmp | 6 +++--- tests/03_rules/05_mangle | 6 +++--- tests/03_rules/06_subnet_mask_matches | 6 +++--- tests/03_rules/07_redirect | 6 +++--- tests/03_rules/08_family_inheritance | 6 +++--- tests/03_rules/09_time | 6 +++--- tests/03_rules/10_notrack | 6 +++--- tests/03_rules/11_log | 6 +++--- tests/03_rules/12_mark | 6 +++--- tests/04_forwardings/01_family_selections | 6 +++--- tests/05_ipsets/01_declaration | 6 +++--- tests/05_ipsets/02_usage | 6 +++--- tests/06_includes/01_nft_includes | 6 +++--- tests/06_includes/02_firewall.user_include | 6 +++--- tests/06_includes/04_disabled_include | 6 +++--- tests/06_includes/05_automatic_includes | 6 +++--- 31 files changed, 92 insertions(+), 92 deletions(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index e6264c4..e6c7866 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc 
@@ -115,7 +115,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
 {% fw4.includes('chain-prepend', 'input') %}
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
@@ -138,7 +138,7 @@ table inet fw4 {
 {% if (length(flowtable_devices) > 0): %}
 ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows"
 {% else %}
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 {% endif %}
 {% for (let rule in fw4.rules("forward")): %}
 {%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
@@ -161,7 +161,7 @@ table inet fw4 {
 {% if (fw4.default_option("drop_invalid")): %}
 ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows"
 {% else %}
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 {% endif %}
 {% for (let rule in fw4.rules("output")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index c5c3159..8e492dc 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
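Review bot: In all three hunks (-115, -138 and -161) the new rule maps both keys to the same verdict, so `ct state vmap { established : accept, related : accept }` yields exactly what `ct state established,related accept` did, but via an anonymous set lookup instead of a single bitmask match; the vmap form earns its keep only where verdicts differ, as in the `jump handle_offload` and `invalid : drop` branches the hunks keep as context. If the goal is to keep both arms of each `{% if %}` shaped alike so a later entry can be added without rewriting the rule, say so once above the first occurrence, e.g. `{# vmap kept even with uniform verdicts so both branches share one rule shape #}`. The message's claim that the vmap form is cheaper than the bitmask match is not evidenced by anything in these hunks; a short comparison of the generated rules (for example with `nft --debug=netlink`) noted in the commit message would settle it either way.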
@@ -112,7 +112,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" @@ -133,7 +133,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order index 6ed7f54..0e9742c 100644 --- a/tests/01_configuration/02_rule_order +++ b/tests/01_configuration/02_rule_order @@ -93,7 +93,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } 
@@ -101,7 +101,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" } @@ -111,7 +111,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies index 5d693a0..bc4ed57 100644 --- a/tests/02_zones/01_policies +++ b/tests/02_zones/01_policies @@ -95,7 +95,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 
@@ -104,7 +104,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq index 64e0880..cb5a693 100644 --- a/tests/02_zones/02_masq +++ b/tests/02_zones/02_masq @@ -99,7 +99,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" 
@@ -108,7 +108,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -119,7 +119,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions index 2bcfc8e..7749f58 100644 --- a/tests/02_zones/03_masq_src_dest_restrictions +++ b/tests/02_zones/03_masq_src_dest_restrictions @@ -122,7 +122,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" } 
@@ -130,7 +130,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" } @@ -140,7 +140,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid index 74414b4..6dbbc79 100644 --- a/tests/02_zones/04_masq_allow_invalid +++ b/tests/02_zones/04_masq_allow_invalid @@ -71,14 +71,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" } 
@@ -87,7 +87,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices index f38d365..3d6ee4a 100644 --- a/tests/02_zones/04_wildcard_devices +++ b/tests/02_zones/04_wildcard_devices @@ -122,7 +122,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -137,7 +137,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" 
@@ -154,7 +154,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches index a0138fe..2d70f1d 100644 --- a/tests/02_zones/05_subnet_mask_matches +++ b/tests/02_zones/05_subnet_mask_matches @@ -81,7 +81,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" 
@@ -91,7 +91,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" @@ -103,7 +103,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index c22e23b..69f3a7e 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections 
@@ -136,7 +136,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" @@ -148,7 +148,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic" @@ -162,7 +162,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index 4e420be..8fe3cae 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers 
@@ -168,7 +168,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -178,7 +178,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic" iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic" iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic" @@ -190,7 +190,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit index 9793aa2..f82a268 100644 --- a/tests/02_zones/08_log_limit +++ b/tests/02_zones/08_log_limit 
@@ -240,7 +240,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]" tcp dport 1008 counter comment "!fw4: @rule[7]" tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: " @@ -254,7 +254,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: " tcp dport 1005 counter comment "!fw4: @rule[4]" tcp dport 1006 counter comment "!fw4: @rule[5]" @@ -269,7 +269,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic" oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index 789363d..11c7a5c 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction 
@@ -71,14 +71,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" counter comment "!fw4: @rule[1]" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" counter comment "!fw4: @rule[3]" } @@ -87,7 +87,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" counter comment "!fw4: @rule[0]" counter comment "!fw4: @rule[2]" } diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index 72b8165..a94d31f 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled @@ -68,13 +68,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" } chain output { @@ -82,7 +82,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" counter comment "!fw4: Implicitly enabled" counter comment "!fw4: Explicitly enabled" } 
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints index 43a9c69..dc8da62 100644 --- a/tests/03_rules/03_constraints +++ b/tests/03_rules/03_constraints @@ -107,13 +107,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" } chain output { @@ -121,7 +121,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1" meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1" } diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index b88c6c9..0202a23 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -77,13 +77,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" } chain output { 
@@ -91,7 +91,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle index 6dab58e..5ad1d2e 100644 --- a/tests/03_rules/05_mangle +++ b/tests/03_rules/05_mangle @@ -178,7 +178,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } @@ -186,7 +186,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" } 
@@ -196,7 +196,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches index 57bcb2a..19b2eea 100644 --- a/tests/03_rules/06_subnet_mask_matches +++ b/tests/03_rules/06_subnet_mask_matches @@ -133,7 +133,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" @@ -142,7 +142,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic" 
@@ -153,7 +153,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index ad8555a..2ead3d0 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect @@ -165,7 +165,7 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic" 
@@ -174,7 +174,7 @@ table inet fw4 { chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic" @@ -185,7 +185,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic" diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance index 08135ba..edace6d 100644 --- a/tests/03_rules/08_family_inheritance +++ b/tests/03_rules/08_family_inheritance 
@@ -202,14 +202,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic" } @@ -218,7 +218,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic" } diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time index 774ff67..6df46dc 100644 --- a/tests/03_rules/09_time +++ b/tests/03_rules/09_time @@ -139,13 +139,13 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" } chain forward { type filter hook forward priority filter; policy drop; - ct state established,related accept comment "!fw4: Accept forwarded flows" + ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" } chain output { 
@@ -153,7 +153,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1"
 meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2"
 meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3"
diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index 9239b6b..5f9bc0b 100644
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -103,7 +103,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
 iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic"
 iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic"
@@ -125,7 +125,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"
 oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic"
 meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic"
diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log
index 6dfa599..2de8f0b 100644
--- a/tests/03_rules/11_log
+++ b/tests/03_rules/11_log
@@ -114,13 +114,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -128,7 +128,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"
diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
index d7888d5..941e3e8 100644
--- a/tests/03_rules/12_mark
+++ b/tests/03_rules/12_mark
@@ -98,13 +98,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index 46e866d..bd1f447 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -92,7 +92,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -101,7 +101,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
 iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
 iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index 3cf8920..82b4625 100644
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -88,13 +88,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -102,7 +102,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 6ae16b1..2b93737 100644
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -162,13 +162,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
@@ -182,7 +182,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index 06418f0..9bb4729 100644
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -156,7 +156,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -164,7 +164,7 @@ table inet fw4 {
 type filter hook forward priority filter; policy drop;
 include "/usr/share/nftables.d/include-chain-start-forward.nft"
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 include "/usr/share/nftables.d/include-chain-end-forward.nft"
 }
@@ -174,7 +174,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index 49275cf..ddc517c 100644
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -93,14 +93,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -109,7 +109,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index 27eece3..0172a4c 100644
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -99,14 +99,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes
index f3c9d54..ee3ea04 100644
--- a/tests/06_includes/05_automatic_includes
+++ b/tests/06_includes/05_automatic_includes
@@ -99,14 +99,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Accept forwarded flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
From 786ea40882cf7e1fac3890bc0b845284d2ed5347 Mon Sep 17 00:00:00 2001
From: Andris PE
Date: Sat, 8 Jun 2024 14:30:35 +0300
Subject: [PATCH 5/9] Offloading can also happen when ramips hw offload rejects on ICMP3
Additionally since jump target is terminal no need to preserve callaback and use goto in place of jump.
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 tests/01_configuration/01_ruleset | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index e6c7866..fdd96b7 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -136,7 +136,7 @@ table inet fw4 {
 {% fw4.includes('chain-prepend', 'forward') %}
 {% if (length(flowtable_devices) > 0): %}
- ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state vmap { established : goto handle_offload, related : goto handle_offload } comment "!fw4: Handle forwarded flows"
 {% else %}
 ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
 {% endif %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 8e492dc..5ddc736 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -122,7 +122,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : jump handle_offload, related : accept } comment "!fw4: Handle forwarded flows"
+ ct state vmap { established : goto handle_offload, related : goto handle_offload } comment "!fw4: Handle forwarded flows"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 jump handle_reject
From d4d7578a76e6f9d9f20e9187c6a885747033bc37 Mon Sep 17 00:00:00 2001
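Review bot: Routing `related` flows through handle_offload as well as `established` ones leans on a property that the added vmap line no longer states: the flow offload expression only creates entries for established TCP/UDP conntrack and, as I read nft_flow_offload_eval, breaks out of its rule for anything else, so related traffic (ICMP errors, helper expectations) is admitted only by the bare `accept` that follows `flow add` in handle_offload. That dependency should be written down next to the new line so the two-rule shape of handle_offload is not "simplified" away later, e.g. `# related and non-TCP/UDP flows are not offloadable; flow add breaks its rule and handle_offload's bare accept admits them in the slow path`. The switch to `goto` looks safe from the visible context: handle_offload is emitted under the same `length(flowtable_devices) > 0` condition and nothing after this rule needs to run for these packets. The enclosing forward chain starts and ends outside the hunk.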
From: Andris PE
Date: Tue, 23 Jul 2024 21:44:29 +0300
Subject: [PATCH 6/9] Cosmetic fix - use readback/kernel.org syntax ipo nftables wiki
Suggested by forums user kvic in https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723
---
 root/usr/share/firewall4/templates/ruleset.uc | 2 +-
 tests/01_configuration/01_ruleset | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index fdd96b7..25cf82f 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -217,7 +217,7 @@ table inet fw4 {
 {% if (length(flowtable_devices) > 0): %}
 chain handle_offload {
- flow offload @ft accept
+ flow add @ft accept
 accept
 }
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 5ddc736..449873e 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -150,7 +150,7 @@ table inet fw4 {
 }
 chain handle_offload {
- flow offload @ft accept
+ flow add @ft accept
 accept
 }
From 5dc4d82932ae0c7a9416f0969dc695b60250be2c Mon Sep 17 00:00:00 2001
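Review bot: The two-rule shape of handle_offload needs a comment, because with `flow add @ft accept` on one rule and a bare `accept` on the next, a reader will take the second rule for dead code and remove it. As I read nft_flow_offload_eval, the expression sets NFT_BREAK when it cannot add the flow (non-TCP/UDP, helper-assisted or otherwise unsuitable conntrack), which skips the same-rule `accept` and lets the next rule admit the packet in the slow path; the ICMP case named in the previous commit's subject is exactly that path. Suggested line above `flow add`: `# flow add breaks its rule for packets it cannot offload; the bare accept below keeps them in the slow path`. As far as I know `flow add` and `flow offload` are two spellings of the same statement, so this is rendering-only, but if the project must still parse on older nft userspace the minimum version that accepts `flow add` is worth stating in the commit message (not verified here).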
From: Andris PE
Date: Wed, 24 Jul 2024 00:13:09 +0300
Subject: [PATCH 7/9] Replace vmap with bitmask match ct state
Suggested by forum user kvic at https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723 Average latency is same, the jitter/distribution is halved, also max latency conclusively reduced.
---
 root/usr/share/firewall4/templates/ruleset.uc | 8 ++++----
 tests/01_configuration/01_ruleset | 6 +++---
 tests/01_configuration/02_rule_order | 6 +++---
 tests/02_zones/01_policies | 6 +++---
 tests/02_zones/02_masq | 6 +++---
 tests/02_zones/03_masq_src_dest_restrictions | 6 +++---
 tests/02_zones/04_masq_allow_invalid | 6 +++---
 tests/02_zones/04_wildcard_devices | 6 +++---
 tests/02_zones/05_subnet_mask_matches | 6 +++---
 tests/02_zones/06_family_selections | 6 +++---
 tests/02_zones/07_helpers | 6 +++---
 tests/02_zones/08_log_limit | 6 +++---
 tests/03_rules/01_direction | 6 +++---
 tests/03_rules/02_enabled | 6 +++---
 tests/03_rules/03_constraints | 6 +++---
 tests/03_rules/04_icmp | 6 +++---
 tests/03_rules/05_mangle | 6 +++---
 tests/03_rules/06_subnet_mask_matches | 6 +++---
 tests/03_rules/07_redirect | 6 +++---
 tests/03_rules/08_family_inheritance | 6 +++---
 tests/03_rules/09_time | 6 +++---
 tests/03_rules/10_notrack | 6 +++---
 tests/03_rules/11_log | 6 +++---
 tests/03_rules/12_mark | 6 +++---
 tests/04_forwardings/01_family_selections | 6 +++---
 tests/05_ipsets/01_declaration | 6 +++---
 tests/05_ipsets/02_usage | 6 +++---
 tests/06_includes/01_nft_includes | 6 +++---
 tests/06_includes/02_firewall.user_include | 6 +++---
 tests/06_includes/04_disabled_include | 6 +++---
 tests/06_includes/05_automatic_includes | 6 +++---
 31 files changed, 94 insertions(+), 94 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 25cf82f..c278bf7 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -115,7 +115,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
 {% fw4.includes('chain-prepend', 'input') %}
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
@@ -136,9 +136,9 @@ table inet fw4 {
 {% fw4.includes('chain-prepend', 'forward') %}
 {% if (length(flowtable_devices) > 0): %}
- ct state vmap { established : goto handle_offload, related : goto handle_offload } comment "!fw4: Handle forwarded flows"
+ ct state established,related goto handle_offload comment "!fw4: Handle forwarded flows"
 {% else %}
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 {% endif %}
 {% for (let rule in fw4.rules("forward")): %}
 {%+ include("rule.uc", { fw4, zone: (rule.src?.zone?.log_limit ? rule.src.zone : rule.dest?.zone), rule }) %}
@@ -161,7 +161,7 @@ table inet fw4 {
 {% if (fw4.default_option("drop_invalid")): %}
 ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows"
 {% else %}
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 {% endif %}
 {% for (let rule in fw4.rules("output")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 449873e..b52cf25 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
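Review bot: In the third hunk (output chain, `@@ -161`) the `drop_invalid` branch keeps `ct state vmap { established : accept, related : accept, invalid : drop }` while every other branch in this commit moves to a bitmask match, so the template now mixes two idioms for the same check and the configuration that opts into dropping invalid traffic is the one that gets none of the jitter improvement the commit is made for. Since the ct states are mutually exclusive, splitting it into `ct state established,related accept comment "!fw4: Accept outbound flows"` followed by `ct state invalid drop comment "!fw4: Drop invalid outbound flows"` should be equivalent and consistent with the new lines (the test fixtures for `drop_invalid` would need the same update). The reason for preferring the bitmask form lives only in the commit message; a one-line note in the template at the first replaced rule, e.g. `# bitmask ct state match rather than vmap: same mean latency, lower jitter (see commit history)`, would stop the next contributor from "modernising" it back. All three affected chains start and end outside the hunks.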
@@ -112,7 +112,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
@@ -122,7 +122,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : goto handle_offload, related : goto handle_offload } comment "!fw4: Handle forwarded flows"
+ ct state established,related goto handle_offload comment "!fw4: Handle forwarded flows"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 jump handle_reject
@@ -133,7 +133,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index 0e9742c..6ed7f54 100644
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -93,7 +93,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 }
@@ -101,7 +101,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 }
@@ -111,7 +111,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index bc4ed57..5d693a0 100644
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -95,7 +95,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -104,7 +104,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -115,7 +115,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index cb5a693..64e0880 100644
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -99,7 +99,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -108,7 +108,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -119,7 +119,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 7749f58..2bcfc8e 100644
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -122,7 +122,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 }
@@ -130,7 +130,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 }
@@ -140,7 +140,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid
index 6dbbc79..74414b4 100644
--- a/tests/02_zones/04_masq_allow_invalid
+++ b/tests/02_zones/04_masq_allow_invalid
@@ -71,14 +71,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 }
@@ -87,7 +87,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 }
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index 3d6ee4a..f38d365 100644
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -122,7 +122,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -137,7 +137,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "/never/" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "test*" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -154,7 +154,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 2d70f1d..a0138fe 100644
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -81,7 +81,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
@@ -91,7 +91,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump forward_test1 comment "!fw4: Handle test1 IPv6 forward traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
 meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
@@ -103,7 +103,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic"
 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
 meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index 69f3a7e..c22e23b 100644
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -136,7 +136,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic"
 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic"
 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic"
@@ -148,7 +148,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 meta nfproto ipv4 ip saddr 10.0.0.0/8 jump forward_test1 comment "!fw4: Handle test1 IPv4 forward traffic"
 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test2 comment "!fw4: Handle test2 IPv6 forward traffic"
 meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump forward_test3 comment "!fw4: Handle test3 IPv6 forward traffic"
@@ -162,7 +162,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic"
 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic"
 meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic"
diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers
index 8fe3cae..4e420be 100644
--- a/tests/02_zones/07_helpers
+++ b/tests/02_zones/07_helpers
@@ -168,7 +168,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
 iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
 iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
@@ -178,7 +178,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
 iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
 iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
@@ -190,7 +190,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
 oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
 oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit
index f82a268..9793aa2 100644
--- a/tests/02_zones/08_log_limit
+++ b/tests/02_zones/08_log_limit
@@ -240,7 +240,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]"
 tcp dport 1008 counter comment "!fw4: @rule[7]"
 tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: "
@@ -254,7 +254,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 tcp dport 1005 limit name "lan.log_limit" log prefix "@rule[4]: "
 tcp dport 1005 counter comment "!fw4: @rule[4]"
 tcp dport 1006 counter comment "!fw4: @rule[5]"
@@ -269,7 +269,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic"
 oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 11c7a5c..789363d 100644
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -71,14 +71,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 counter comment "!fw4: @rule[1]"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 counter comment "!fw4: @rule[3]"
 }
@@ -87,7 +87,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 counter comment "!fw4: @rule[0]"
 counter comment "!fw4: @rule[2]"
 }
diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index a94d31f..72b8165 100644
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -68,13 +68,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -82,7 +82,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 counter comment "!fw4: Implicitly enabled"
 counter comment "!fw4: Explicitly enabled"
 }
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index dc8da62..43a9c69 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -107,13 +107,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -121,7 +121,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1"
 meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1"
 }
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index 0202a23..b88c6c9 100644
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -77,13 +77,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -91,7 +91,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
 meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 5ad1d2e..6dab58e 100644
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -178,7 +178,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 }
@@ -186,7 +186,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname { "eth0", "eth1" } jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname { "eth2", "eth3" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 }
@@ -196,7 +196,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 }
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index 19b2eea..57bcb2a 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -133,7 +133,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
@@ -142,7 +142,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
@@ -153,7 +153,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1"
 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 2ead3d0..ad8555a 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -165,7 +165,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
 iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
@@ -174,7 +174,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
 iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
@@ -185,7 +185,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
 oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index edace6d..08135ba 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -202,14 +202,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 meta nfproto ipv4 ip saddr 192.168.1.0/24 jump forward_ipv4only comment "!fw4: Handle ipv4only IPv4 forward traffic"
 }
@@ -218,7 +218,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic"
 }
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index 6df46dc..774ff67 100644
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -139,13 +139,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -153,7 +153,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1"
 meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2"
 meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3"
diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index 5f9bc0b..9239b6b 100644
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -103,7 +103,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic"
 iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic"
@@ -113,7 +113,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 forward traffic"
 iifname "lo" jump forward_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 forward traffic"
 meta nfproto ipv4 ip saddr 127.0.0.0/8 jump forward_zone3 comment "!fw4: Handle zone3 IPv4 forward traffic"
@@ -125,7 +125,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic"
 oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic"
 meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic"
diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log
index 2de8f0b..6dfa599 100644
--- a/tests/03_rules/11_log
+++ b/tests/03_rules/11_log
@@ -114,13 +114,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -128,7 +128,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 counter log prefix "@rule[0]: " comment "!fw4: @rule[0]"
 counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name"
 counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]"
diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark
index 941e3e8..d7888d5 100644
--- a/tests/03_rules/12_mark
+++ b/tests/03_rules/12_mark
@@ -98,13 +98,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index bd1f447..46e866d 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -92,7 +92,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -101,7 +101,7 @@ table inet fw4 {
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_wanA comment "!fw4: Handle wanA IPv4/IPv6 forward traffic"
 iifname "eth1" jump forward_wanB comment "!fw4: Handle wanB IPv4/IPv6 forward traffic"
 iifname "eth2" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
@@ -112,7 +112,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index 82b4625..3cf8920 100644
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -88,13 +88,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 }
 chain output {
@@ -102,7 +102,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 2b93737..6ae16b1 100644
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -162,13 +162,13 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp dport @test-set-1 counter comment "!fw4: Rule using test set #1"
 meta nfproto ipv4 meta l4proto tcp ip saddr . tcp sport @test-set-2 counter comment "!fw4: Rule using test set #2, match direction should default to 'source'"
 meta nfproto ipv4 meta l4proto tcp ip daddr . tcp sport @test-set-1 counter comment "!fw4: Rule using test set #1, overriding match direction"
@@ -182,7 +182,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 }
 chain prerouting {
diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index 9bb4729..06418f0 100644
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -156,7 +156,7 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -164,7 +164,7 @@ table inet fw4 {
 type filter hook forward priority filter; policy drop;
 include "/usr/share/nftables.d/include-chain-start-forward.nft"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 include "/usr/share/nftables.d/include-chain-end-forward.nft"
 }
@@ -174,7 +174,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index ddc517c..49275cf 100644
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -93,14 +93,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -109,7 +109,7 @@ table inet fw4 {
 oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows"
+ ct state established,related accept comment "!fw4: Accept outbound flows"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index 0172a4c..27eece3 100644
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -99,14 +99,14 @@ table inet fw4 {
 iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows"
+ ct state established,related accept comment "!fw4: Accept inbound flows"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows"
+ ct state established,related accept comment "!fw4: Accept forwarded flows"
 iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic"
 }
@@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes index ee3ea04..f3c9d54 100644 --- a/tests/06_includes/05_automatic_includes +++ b/tests/06_includes/05_automatic_includes @@ -99,14 +99,14 @@ table inet fw4 { iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Accept inbound flows" + ct state established,related accept comment "!fw4: Accept inbound flows" iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { established : accept, related : accept } comment "!fw4: Accept forwarded flows" + ct state established,related accept comment "!fw4: Accept forwarded flows" iifname "eth0" jump forward_test comment "!fw4: Handle test IPv4/IPv6 forward traffic" } @@ -115,7 +115,7 @@ table inet fw4 { oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state vmap { established : accept, related : accept } comment "!fw4: Accept outbound flows" + ct state established,related accept comment "!fw4: Accept outbound flows" oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic" } From fe27543b55e55b71cbba1502d7f569058111e0f9 Mon Sep 17 00:00:00 2001 
From: Andris PE Date: Wed, 24 Jul 2024 00:54:55 +0300 Subject: [PATCH 8/9] Parse states before (quick) loopback accept Suggested at https://forum.openwrt.org/t/first-rule-in-chain-input-output-for-firewall4/204723 Formally speeds up "default" nat function over loopback ipc. --- root/usr/share/firewall4/templates/ruleset.uc | 6 ++---- tests/01_configuration/01_ruleset | 6 ++---- tests/01_configuration/02_rule_order | 6 ++---- tests/02_zones/01_policies | 6 ++---- tests/02_zones/02_masq | 6 ++---- tests/02_zones/03_masq_src_dest_restrictions | 6 ++---- tests/02_zones/04_masq_allow_invalid | 6 ++---- tests/02_zones/04_wildcard_devices | 6 ++---- tests/02_zones/05_subnet_mask_matches | 6 ++---- tests/02_zones/06_family_selections | 6 ++---- tests/02_zones/07_helpers | 6 ++---- tests/02_zones/08_log_limit | 6 ++---- tests/03_rules/01_direction | 6 ++---- tests/03_rules/02_enabled | 6 ++---- tests/03_rules/03_constraints | 6 ++---- tests/03_rules/04_icmp | 6 ++---- tests/03_rules/05_mangle | 6 ++---- tests/03_rules/06_subnet_mask_matches | 6 ++---- tests/03_rules/07_redirect | 6 ++---- tests/03_rules/08_family_inheritance | 6 ++---- tests/03_rules/09_time | 6 ++---- tests/03_rules/10_notrack | 6 ++---- tests/03_rules/11_log | 6 ++---- tests/03_rules/12_mark | 6 ++---- tests/04_forwardings/01_family_selections | 6 ++---- tests/05_ipsets/01_declaration | 6 ++---- tests/05_ipsets/02_usage | 6 ++---- tests/06_includes/01_nft_includes | 6 ++---- tests/06_includes/02_firewall.user_include | 6 ++---- tests/06_includes/04_disabled_include | 6 ++---- tests/06_includes/05_automatic_includes | 6 ++---- 31 files changed, 62 insertions(+), 124 deletions(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index c278bf7..b9eee06 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc 
@@ -112,10 +112,9 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
 
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
-
 {% fw4.includes('chain-prepend', 'input') %}
 ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
 {% endif %}
@@ -155,14 +154,13 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
 
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
-
 {% fw4.includes('chain-prepend', 'output') %}
 {% if (fw4.default_option("drop_invalid")): %}
 ct state vmap { established : accept, related : accept, invalid : drop } comment "!fw4: Handle outbound flows"
 {% else %}
 ct state established,related accept comment "!fw4: Accept outbound flows"
 {% endif %}
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 {% for (let rule in fw4.rules("output")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}
 {% endfor %}
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index b52cf25..d5b6874 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
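Review bot: Moving `oif "lo" accept` below the state dispatch in the output hunk changes what reaches loopback, not only the rule order: with `drop_invalid` set, `ct state vmap { established : accept, related : accept, invalid : drop }` now runs first, so lo-bound packets that conntrack classifies as invalid are dropped where the old order accepted them unconditionally, and in both the input and output hunks the `chain-prepend` includes now run before the loopback accept, so user-supplied prepend rules can match loopback traffic that previously never reached them. The commit message only claims a speed-up, so this behaviour change should be stated there and also next to the moved lines in the template, e.g. `{# loopback is accepted only after state dispatch and chain-prepend includes: invalid-state drops and prepend rules now apply to lo traffic #}`. If an unconditional loopback accept is intended to remain the contract, the output chain could instead keep `oif "lo" accept` above the `{% if (fw4.default_option("drop_invalid")): %}` block. Both hunks are complete here; the input hunk shows no drop_invalid branch, so its visible effect is limited to the prepend includes.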
@@ -110,9 +110,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" @@ -131,9 +130,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy accept; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order index 6ed7f54..378cc82 100644 --- a/tests/01_configuration/02_rule_order +++ b/tests/01_configuration/02_rule_order @@ -91,9 +91,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } 
@@ -109,9 +108,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies index 5d693a0..4ef144c 100644 --- a/tests/02_zones/01_policies +++ b/tests/02_zones/01_policies @@ -93,9 +93,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -113,9 +112,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq index 64e0880..cf6689e 100644 --- a/tests/02_zones/02_masq +++ b/tests/02_zones/02_masq 
@@ -97,9 +97,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -117,9 +116,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions index 2bcfc8e..cbabb09 100644 --- a/tests/02_zones/03_masq_src_dest_restrictions +++ b/tests/02_zones/03_masq_src_dest_restrictions @@ -120,9 +120,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" } 
@@ -138,9 +137,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_masq_allow_invalid b/tests/02_zones/04_masq_allow_invalid index 74414b4..38abde9 100644 --- a/tests/02_zones/04_masq_allow_invalid +++ b/tests/02_zones/04_masq_allow_invalid @@ -69,9 +69,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" } @@ -85,9 +84,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" } diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices index f38d365..db58afd 100644 --- a/tests/02_zones/04_wildcard_devices +++ b/tests/02_zones/04_wildcard_devices 
@@ -120,9 +120,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "/never/" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "test*" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -152,9 +151,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "/never/" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "test*" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches index a0138fe..803c6d4 100644 --- a/tests/02_zones/05_subnet_mask_matches +++ b/tests/02_zones/05_subnet_mask_matches 
@@ -79,9 +79,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" meta nfproto ipv6 ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::2 jump input_test1 comment "!fw4: Handle test1 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::2 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" @@ -101,9 +100,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta nfproto ipv6 ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 jump output_test1 comment "!fw4: Handle test1 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::1 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr != { ::7, ::8 } ip6 daddr & ::ffff == ::2 ip6 daddr & ::ffff != ::5 ip6 daddr & ::ffff != ::6 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index c22e23b..1d8311b 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections 
@@ -134,9 +134,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" meta nfproto ipv4 ip saddr 10.0.0.0/8 jump input_test1 comment "!fw4: Handle test1 IPv4 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test2 comment "!fw4: Handle test2 IPv6 input traffic" meta nfproto ipv6 ip6 saddr 2001:db8:1234::/64 jump input_test3 comment "!fw4: Handle test3 IPv6 input traffic" @@ -160,9 +159,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta nfproto ipv4 ip daddr 10.0.0.0/8 jump output_test1 comment "!fw4: Handle test1 IPv4 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test2 comment "!fw4: Handle test2 IPv6 output traffic" meta nfproto ipv6 ip6 daddr 2001:db8:1234::/64 jump output_test3 comment "!fw4: Handle test3 IPv6 output traffic" diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index 4e420be..7ce9d23 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers 
@@ -166,9 +166,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic" iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic" iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic" @@ -188,9 +187,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic" oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic" oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic" diff --git a/tests/02_zones/08_log_limit b/tests/02_zones/08_log_limit index 9793aa2..e4a4985 100644 --- a/tests/02_zones/08_log_limit +++ b/tests/02_zones/08_log_limit @@ -238,9 +238,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" tcp dport 1007 counter log prefix "@rule[6]: " comment "!fw4: @rule[6]" tcp dport 1008 counter comment "!fw4: @rule[7]" tcp dport 1009 limit rate 5/minute log prefix "@rule[12]: " 
@@ -267,9 +266,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" meta nfproto ipv4 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4 output traffic" oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic" diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index 789363d..0233d46 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction @@ -69,9 +69,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" counter comment "!fw4: @rule[1]" } @@ -85,9 +84,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" counter comment "!fw4: @rule[0]" counter comment "!fw4: @rule[2]" } diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index 72b8165..f0f2f5a 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled @@ -66,9 +66,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { 
@@ -80,9 +79,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" counter comment "!fw4: Implicitly enabled" counter comment "!fw4: Explicitly enabled" } diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints index 43a9c69..682ffee 100644 --- a/tests/03_rules/03_constraints +++ b/tests/03_rules/03_constraints @@ -105,9 +105,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { @@ -119,9 +118,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta nfproto ipv4 ip dscp 0x0 counter comment "!fw4: DSCP match rule #1" meta nfproto ipv6 ip6 dscp 0x0 counter comment "!fw4: DSCP match rule #1" } diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index b88c6c9..c12c7e8 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -75,9 +75,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { 
@@ -89,9 +88,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2" meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3" diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle index 6dab58e..c3d82d1 100644 --- a/tests/03_rules/05_mangle +++ b/tests/03_rules/05_mangle @@ -176,9 +176,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname { "eth0", "eth1" } jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname { "eth2", "eth3" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" } @@ -194,9 +193,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname { "eth0", "eth1" } jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname { "eth2", "eth3" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" } diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches index 57bcb2a..4369cdc 100644 --- a/tests/03_rules/06_subnet_mask_matches +++ b/tests/03_rules/06_subnet_mask_matches 
@@ -131,9 +131,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic" @@ -151,9 +150,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" ip6 saddr & ::ffff == ::1 ip6 daddr & ::ffff != ::2 counter comment "!fw4: Mask rule #1" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff == ::1 ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2" diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index ad8555a..ca0a0fc 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect 
@@ -163,9 +163,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic" @@ -183,9 +182,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic" diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance index 08135ba..db21a10 100644 --- a/tests/03_rules/08_family_inheritance +++ b/tests/03_rules/08_family_inheritance @@ -200,9 +200,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" meta nfproto ipv4 ip saddr 192.168.1.0/24 jump input_ipv4only comment "!fw4: Handle ipv4only IPv4 input traffic" } 
@@ -216,9 +215,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta nfproto ipv4 ip daddr 192.168.1.0/24 jump output_ipv4only comment "!fw4: Handle ipv4only IPv4 output traffic" } diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time index 774ff67..c11fe4d 100644 --- a/tests/03_rules/09_time +++ b/tests/03_rules/09_time @@ -137,9 +137,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { @@ -151,9 +150,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" meta time >= "2022-05-30 21:51:23" counter accept comment "!fw4: Time rule #1" meta time >= "2022-05-30 21:51:00" counter accept comment "!fw4: Time rule #2" meta time >= "2022-05-30 21:00:00" counter accept comment "!fw4: Time rule #3" diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack index 9239b6b..dc86a96 100644 --- a/tests/03_rules/10_notrack +++ b/tests/03_rules/10_notrack 
@@ -101,9 +101,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" iifname "eth0" jump input_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 input traffic" iifname "lo" jump input_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 input traffic" meta nfproto ipv4 ip saddr 127.0.0.0/8 jump input_zone3 comment "!fw4: Handle zone3 IPv4 input traffic" @@ -123,9 +122,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" oifname "eth0" jump output_zone1 comment "!fw4: Handle zone1 IPv4/IPv6 output traffic" oifname "lo" jump output_zone2 comment "!fw4: Handle zone2 IPv4/IPv6 output traffic" meta nfproto ipv4 ip daddr 127.0.0.0/8 jump output_zone3 comment "!fw4: Handle zone3 IPv4 output traffic" diff --git a/tests/03_rules/11_log b/tests/03_rules/11_log index 6dfa599..e32f6c5 100644 --- a/tests/03_rules/11_log +++ b/tests/03_rules/11_log @@ -112,9 +112,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { 
@@ -126,9 +125,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" counter log prefix "@rule[0]: " comment "!fw4: @rule[0]" counter log prefix "Explicit rule name: " comment "!fw4: Explicit rule name" counter log prefix "Explicit prefix: " comment "!fw4: @rule[2]" diff --git a/tests/03_rules/12_mark b/tests/03_rules/12_mark index d7888d5..f18a7c3 100644 --- a/tests/03_rules/12_mark +++ b/tests/03_rules/12_mark @@ -96,9 +96,8 @@ table inet fw4 { chain input { type filter hook input priority filter; policy drop; - iif "lo" accept comment "!fw4: Accept traffic from loopback" - ct state established,related accept comment "!fw4: Accept inbound flows" + iif "lo" accept comment "!fw4: Accept traffic from loopback" } chain forward { @@ -110,9 +109,8 @@ table inet fw4 { chain output { type filter hook output priority filter; policy drop; - oif "lo" accept comment "!fw4: Accept traffic towards loopback" - ct state established,related accept comment "!fw4: Accept outbound flows" + oif "lo" accept comment "!fw4: Accept traffic towards loopback" } chain prerouting { diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections index 46e866d..21975ae 100644 --- a/tests/04_forwardings/01_family_selections +++ b/tests/04_forwardings/01_family_selections 
@@ -90,9 +90,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 iifname "eth0" jump input_wanA comment "!fw4: Handle wanA IPv4/IPv6 input traffic"
 iifname "eth1" jump input_wanB comment "!fw4: Handle wanB IPv4/IPv6 input traffic"
 iifname "eth2" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
@@ -110,9 +109,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 oifname "eth0" jump output_wanA comment "!fw4: Handle wanA IPv4/IPv6 output traffic"
 oifname "eth1" jump output_wanB comment "!fw4: Handle wanB IPv4/IPv6 output traffic"
 oifname "eth2" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
diff --git a/tests/05_ipsets/01_declaration b/tests/05_ipsets/01_declaration
index 3cf8920..2fe7f93 100644
--- a/tests/05_ipsets/01_declaration
+++ b/tests/05_ipsets/01_declaration
@@ -86,9 +86,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 }
 chain forward {
@@ -100,9 +99,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 }
 chain prerouting {
diff --git a/tests/05_ipsets/02_usage b/tests/05_ipsets/02_usage
index 6ae16b1..7486be5 100644
--- a/tests/05_ipsets/02_usage
+++ b/tests/05_ipsets/02_usage
@@ -160,9 +160,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 }
 chain forward {
@@ -180,9 +179,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 }
 chain prerouting {
diff --git a/tests/06_includes/01_nft_includes b/tests/06_includes/01_nft_includes
index 06418f0..1968996 100644
--- a/tests/06_includes/01_nft_includes
+++ b/tests/06_includes/01_nft_includes
@@ -154,9 +154,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -172,9 +171,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/02_firewall.user_include b/tests/06_includes/02_firewall.user_include
index 49275cf..ce1609c 100644
--- a/tests/06_includes/02_firewall.user_include
+++ b/tests/06_includes/02_firewall.user_include
@@ -91,9 +91,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -107,9 +106,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/04_disabled_include b/tests/06_includes/04_disabled_include
index 27eece3..3e6b120 100644
--- a/tests/06_includes/04_disabled_include
+++ b/tests/06_includes/04_disabled_include
@@ -97,9 +97,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -113,9 +112,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
diff --git a/tests/06_includes/05_automatic_includes b/tests/06_includes/05_automatic_includes
index f3c9d54..5df3775 100644
--- a/tests/06_includes/05_automatic_includes
+++ b/tests/06_includes/05_automatic_includes
@@ -97,9 +97,8 @@ table inet fw4 {
 chain input {
 type filter hook input priority filter; policy drop;
- iif "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Accept inbound flows"
+ iif "lo" accept comment "!fw4: Accept traffic from loopback"
 iifname "eth0" jump input_test comment "!fw4: Handle test IPv4/IPv6 input traffic"
 }
@@ -113,9 +112,8 @@ table inet fw4 {
 chain output {
 type filter hook output priority filter; policy drop;
- oif "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Accept outbound flows"
+ oif "lo" accept comment "!fw4: Accept traffic towards loopback"
 oifname "eth0" jump output_test comment "!fw4: Handle test IPv4/IPv6 output traffic"
 }
From 40c208999fcabd604f2c9f8cbdb11e4e444f1fde Mon Sep 17 00:00:00 2001
From: Andris PE
Date: Sun, 16 Mar 2025 13:40:01 +0000
Subject: [PATCH 9/9] Drop invalid packets at earliest extant hook
---
 root/usr/share/firewall4/templates/ruleset.uc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index b9eee06..0939e17 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -184,9 +184,6 @@ table inet fw4 {
 chain prerouting {
 type filter hook prerouting priority filter; policy accept;
-{% if (fw4.default_option("drop_invalid")): %}
- ct state invalid drop comment "!fw4: Drop packets in invalid flow state"
-{% endif %}
 {% for (let zone in fw4.zones()): %}
 {% if (zone.dflags.helper): %}
 {% for (let rule in zone.match_rules): %}
@@ -424,6 +421,9 @@ table inet fw4 {
 chain mangle_prerouting {
 type filter hook prerouting priority mangle; policy accept;
+{% if (fw4.default_option("drop_invalid")): %}
+ ct state invalid drop comment "!fw4: Drop packets in invalid flow state"
+{% endif %}
 {% fw4.includes('chain-prepend', 'mangle_prerouting') %}
 {% for (let rule in fw4.rules("mangle_prerouting")): %}
 {%+ include("rule.uc", { fw4, zone: null, rule }) %}
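Review bot: The `ct state invalid drop` block is now emitted ahead of `{% fw4.includes('chain-prepend', 'mangle_prerouting') %}`, so a user's chain-prepend include for `mangle_prerouting` can no longer observe or exempt invalid-state packets; if that ordering is intended it should be stated in the template, e.g. `{# drop_invalid precedes chain-prepend includes: includes only see packets conntrack could classify #}`, and in the commit message, otherwise the block belongs after the include line. At `priority mangle` conntrack has already run on the prerouting hook (its hook sits at a lower priority), so the `ct state` match itself is sound at this position. Per the diffstat this patch touches only ruleset.uc, so any fixture under tests/ that still expects the drop inside `chain prerouting` (the hunk at -184 removes it there) would need the matching update. Both chains continue beyond the hunks.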