author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-06-05 13:11:56 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-06-05 13:12:09 +0300 |
commit | 8341a2f6a2353cf0cdf5e5561e83a04bfa57f801 (patch) | |
tree | c1d0f41bd9f6e931209b521fceabc633e497a1bd | |
parent | 1d22026cccbc4824511b9131dd0861f5392cfb90 (diff) | |
download | awall-8341a2f6a2353cf0cdf5e5561e83a04bfa57f801.tar.bz2 awall-8341a2f6a2353cf0cdf5e5561e83a04bfa57f801.tar.xz |
test: no-track
-rw-r--r-- | test/mandatory/no-track.json | 17 | ||||
-rw-r--r-- | test/output/dump | 128 | ||||
-rw-r--r-- | test/output/rules-save | 42 | ||||
-rw-r--r-- | test/output/rules6-save | 12 |
4 files changed, 195 insertions, 4 deletions
diff --git a/test/mandatory/no-track.json b/test/mandatory/no-track.json
new file mode 100644
index 0000000..4c0cd2e
--- /dev/null
+++ b/test/mandatory/no-track.json
@@ -0,0 +1,17 @@
+{
+ "filter": [
+ { "in": "_fw", "service": "http", "no-track": true },
+ {
+ "src": "172.16.0.0/16",
+ "dest": "172.17.0.0/16",
+ "service": "radius",
+ "no-track": true
+ },
+ {
+ "dest": "172.18.0.0/16",
+ "service": "ssh",
+ "no-track": true
+ },
+ { "out": "_fw", "service": "ipsec", "no-track": true }
+ ]
+}
diff --git a/test/output/dump b/test/output/dump
index 21529fd..231d67f 100644
--- a/test/output/dump
+++ b/test/output/dump
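Review bot: None of the four filters in the new fixture names an interface-backed zone — the entries use `_fw` or bare src/dest addresses — so the `-i`/`-o`-qualified raw and filter rules that a filter-level no-track presumably generates for a regular zone are not pinned by this test. Adding an entry such as `{ "in": "A", "service": "http", "no-track": true }` (zone A is already used by the neighbouring zone filters in the dump) would cover that path, unless another fixture already does. The expected output also shows that the reply direction is accepted on port alone (`-A INPUT -p tcp --sport 80 -j ACCEPT`), which is inherent to stateless filtering but worth stating in the no-track documentation so users scope such filters with addresses or zones.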
@@ -1194,7 +1194,73 @@ Filter 78 {"action":"pass","log":"none"} inet/filter/OUTPUT inet6/filter/OUTPUT -Filter 79 {"in":["_fw","A"]} +Filter 79 {"in":"_fw","no-track":true,"service":"http"} +(no-track) + inet/filter/OUTPUT -p tcp --dport 80 -j ACCEPT + inet6/filter/OUTPUT -p tcp --dport 80 -j ACCEPT + inet/raw/OUTPUT -p tcp --dport 80 -j CT --notrack + inet6/raw/OUTPUT -p tcp --dport 80 -j CT --notrack + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack + inet/filter/INPUT -p tcp --sport 80 -j ACCEPT + inet6/filter/INPUT -p tcp --sport 80 -j ACCEPT + +Filter 80 {"dest":"172.17.0.0\/16","no-track":true,"service":"radius","src":"172.16.0.0\/16"} +(no-track) + inet/filter/FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT + inet/raw/PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j 
CT --notrack + inet/filter/FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT + +Filter 81 {"dest":"172.18.0.0\/16","no-track":true,"service":"ssh"} +(no-track) + inet/filter/FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT + inet/raw/PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack + inet/raw/PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack + inet/raw/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack + inet/filter/FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + inet/filter/INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + inet/filter/OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT + +Filter 82 {"no-track":true,"out":"_fw","service":"ipsec"} +(no-track) + inet/filter/INPUT -p esp -j ACCEPT + inet6/filter/INPUT -p esp -j ACCEPT + inet/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT + inet6/filter/INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack + inet/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack + inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack + inet/raw/OUTPUT -p esp -j CT --notrack + inet6/raw/OUTPUT -p esp 
-j CT --notrack + inet/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack + inet6/raw/OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack + inet/filter/OUTPUT -p esp -j ACCEPT + inet6/filter/OUTPUT -p esp -j ACCEPT + inet/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT + inet6/filter/OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT + +Filter 83 {"in":["_fw","A"]} (zone) inet/filter/OUTPUT -j ACCEPT inet6/filter/OUTPUT -j ACCEPT @@ -1203,12 +1269,12 @@ Filter 79 {"in":["_fw","A"]} inet/filter/INPUT -i eth0 -j ACCEPT inet6/filter/INPUT -i eth0 -j ACCEPT -Filter 80 {"in":"B","out":"C"} +Filter 84 {"in":"B","out":"C"} (zone) inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT -Filter 81 {"out":["_fw","B"]} +Filter 85 {"out":["_fw","B"]} (zone) inet/filter/INPUT -j ACCEPT inet6/filter/INPUT -j ACCEPT @@ -1217,7 +1283,7 @@ Filter 81 {"out":["_fw","B"]} inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT -Filter 82 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} +Filter 86 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]} (zone) inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT 
@@ -1738,6 +1804,12 @@ hash:net family inet
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -1886,6 +1958,15 @@ hash:net family inet
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -p tcp --sport 80 -j ACCEPT
+-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+-A INPUT -p esp -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
@@ -1987,6 +2068,15 @@ hash:net family inet
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -p tcp --dport 80 -j ACCEPT
+-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+-A OUTPUT -p esp -j ACCEPT
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
@@ -2213,8 +2303,26 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -p tcp --dport 80 -j CT --notrack
+-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+-A OUTPUT -p esp -j CT --notrack
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
 -A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+-A PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
 -A PREROUTING -i eth0 -j CT --notrack
 -A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
 -A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
@@ -2536,6 +2644,9 @@ COMMIT
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -p tcp --sport 80 -j ACCEPT
+-A INPUT -p esp -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
@@ -2637,6 +2748,9 @@ COMMIT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -p tcp --dport 80 -j ACCEPT
+-A OUTPUT -p esp -j ACCEPT
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
@@ -2847,8 +2961,14 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -p tcp --dport 80 -j CT --notrack
+-A OUTPUT -p esp -j CT --notrack
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
 -A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
 -A PREROUTING -i eth0 -j CT --notrack
 -A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
 -A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
diff --git a/test/output/rules-save b/test/output/rules-save
index e05d6b6..2a0d3ea 100644
--- a/test/output/rules-save
+++ b/test/output/rules-save
@@ -190,6 +190,12 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A FORWARD -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
 -A FORWARD -i eth0 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
 -A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
@@ -338,6 +344,15 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -p tcp --sport 80 -j ACCEPT
+-A INPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A INPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A INPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A INPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A INPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A INPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+-A INPUT -p esp -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
@@ -439,6 +454,15 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -p tcp --dport 80 -j ACCEPT
+-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j ACCEPT
+-A OUTPUT -p esp -j ACCEPT
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
@@ -665,8 +689,26 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -p tcp --dport 80 -j CT --notrack
+-A OUTPUT -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+-A OUTPUT -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+-A OUTPUT -p esp -j CT --notrack
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
 -A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+-A PREROUTING -p tcp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p udp --dport 1812 -s 172.16.0.0/16 -d 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p udp --sport 1812 -d 172.16.0.0/16 -s 172.17.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --dport 22 -d 172.18.0.0/16 -j CT --notrack
+-A PREROUTING -p tcp --sport 22 -s 172.18.0.0/16 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
 -A PREROUTING -i eth0 -j CT --notrack
 -A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
 -A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
diff --git a/test/output/rules6-save b/test/output/rules6-save
index 53ba76d..d2e327f 100644
--- a/test/output/rules6-save
+++ b/test/output/rules6-save
@@ -314,6 +314,9 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -p tcp --sport 80 -j ACCEPT
+-A INPUT -p esp -j ACCEPT
+-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
 -A INPUT -i eth0 -j ACCEPT
 -A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
@@ -415,6 +418,9 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -p tcp --dport 80 -j ACCEPT
+-A OUTPUT -p esp -j ACCEPT
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j ACCEPT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
@@ -625,8 +631,14 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -p tcp --dport 80 -j CT --notrack
+-A OUTPUT -p esp -j CT --notrack
+-A OUTPUT -p udp -m multiport --sports 500,4500 -j CT --notrack
 -A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p tcp --sport 80 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p esp -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -p udp -m multiport --dports 500,4500 -j CT --notrack
 -A PREROUTING -i eth0 -j CT --notrack
 -A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
 -A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
|