authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-06-05 12:57:10 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-06-05 12:57:10 +0300
commit1d22026cccbc4824511b9131dd0861f5392cfb90 (patch)
tree81c70dd50accc32239a2514a4a29f20c05581cb9 /test
parent7bb0674c79d1d62533b3d917933a7ce3ff06ce35 (diff)
test: zone
Diffstat (limited to 'test')
-rw-r--r--test/mandatory/zone.json34
-rw-r--r--test/output/dump285
-rw-r--r--test/output/rules-save78
-rw-r--r--test/output/rules6-save43
4 files changed, 440 insertions, 0 deletions
diff --git a/test/mandatory/zone.json b/test/mandatory/zone.json
new file mode 100644
index 0000000..bbb9251
--- /dev/null
+++ b/test/mandatory/zone.json
@@ -0,0 +1,34 @@
+{
+ "zone": {
+ "A": { "iface": "eth0" },
+ "B": { "iface": "eth1", "addr": [ "10.0.0.0/12", "fc00::/7" ] },
+ "C": { "iface": [ "eth2", "eth3" ], "addr": "10.1.0.0/12" },
+ "D": { "iface": [ "eth4", "eth5" ], "route-back": true },
+ "E": { "ipsec": true }
+ },
+ "dnat": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B" }
+ ],
+ "filter": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B", "out": "C" },
+ { "out": [ "_fw", "B" ] },
+
+ {
+ "in": [ "A", "B", "C", "D", "E" ],
+ "out": [ "A", "B", "C", "D", "E" ]
+ }
+ ],
+ "mark": [
+ { "in": [ "_fw", "A" ], "mark": 0 },
+ { "in": "B", "out": "C", "mark": 1 },
+ { "out": [ "_fw", "B" ], "mark": 2 }
+ ],
+ "no-track": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B" },
+ { "out": "_fw" }
+ ],
+ "snat": [ { "out": [ "_fw", "B" ] } ]
+}
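Review bot: Nothing in the commit says which generated rule each zone variant in this fixture is meant to pin, and awall's strict-JSON input leaves no room for an inline comment, so the commit message (`test: zone`) or the test README is the only place that knowledge can live. A sentence there would help whoever next has to regenerate the expected output: that D's `"route-back": true` is what yields the same-interface `-i eth4 -o eth4` FORWARD rules, that C without it yields eth2→eth3 but no eth2→eth2, and that `{ "in": "B", "out": "C" }` is expected to emit IPv4 rules only because C declares no IPv6 address. The lone blank line before the last `filter` entry is the only separator of its kind in the file; either drop it or separate every entry the same way.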
diff --git a/test/output/dump b/test/output/dump
index e22e249..21529fd 100644
--- a/test/output/dump
+++ b/test/output/dump
@@ -1,3 +1,13 @@
+Dnat 1 {"in":["_fw","A"]}
+(zone)
+ inet/nat/OUTPUT -j REDIRECT
+ inet/nat/PREROUTING -i eth0 -j REDIRECT
+
+Dnat 2 {"in":"B"}
+(zone)
+ inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
+
+
Filter 1 {}
(filter)
inet/filter/FORWARD -j ACCEPT
@@ -1184,6 +1194,100 @@ Filter 78 {"action":"pass","log":"none"}
inet/filter/OUTPUT
inet6/filter/OUTPUT
+Filter 79 {"in":["_fw","A"]}
+(zone)
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+
+Filter 80 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 81 {"out":["_fw","B"]}
+(zone)
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 82 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+
Ipset awall-masquerade {"family":"inet","type":"hash:net"}
(masquerade)
@@ -1196,6 +1300,44 @@ Log none {"mode":"none"}
(log)
+Mark 1 {"in":["_fw","A"],"mark":0}
+(zone)
+ inet/mangle/OUTPUT -j MARK --set-mark 0
+ inet6/mangle/OUTPUT -j MARK --set-mark 0
+ inet/mangle/PREROUTING -i eth0 -j MARK --set-mark 0
+ inet6/mangle/PREROUTING -i eth0 -j MARK --set-mark 0
+
+Mark 2 {"in":"B","mark":1,"out":"C"}
+(zone)
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+
+Mark 3 {"mark":2,"out":["_fw","B"]}
+(zone)
+ inet/mangle/INPUT -j MARK --set-mark 2
+ inet6/mangle/INPUT -j MARK --set-mark 2
+ inet/mangle/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+ inet6/mangle/POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+
+
+No-track 1 {"in":["_fw","A"]}
+(zone)
+ inet/raw/OUTPUT -j CT --notrack
+ inet6/raw/OUTPUT -j CT --notrack
+ inet/raw/PREROUTING -i eth0 -j CT --notrack
+ inet6/raw/PREROUTING -i eth0 -j CT --notrack
+
+No-track 2 {"in":"B"}
+(zone)
+ inet/raw/PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+ inet6/raw/PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+
+No-track 3 {"out":"_fw"}
+(zone)
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+
+
Service babel {"port":6697,"proto":"tcp"}
(services)
@@ -1374,10 +1516,32 @@ Service vnc {"port":5900,"proto":"tcp"}
(services)
+Snat 1 {"out":["_fw","B"]}
+(zone)
+ inet/nat/INPUT -j MASQUERADE
+ inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
+
+
Variable awall_tproxy_mark 1
(defaults)
+Zone A {"iface":"eth0"}
+(zone)
+
+Zone B {"addr":["10.0.0.0\/12","fc00::\/7"],"iface":"eth1"}
+(zone)
+
+Zone C {"addr":"10.1.0.0\/12","iface":["eth2","eth3"]}
+(zone)
+
+Zone D {"iface":["eth4","eth5"],"route-back":true}
+(zone)
+
+Zone E {"ipsec":true}
+(zone)
+
+
# ipset awall-masquerade
hash:net family inet
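Review bot: The expected output for `Snat 1 {"out":["_fw","B"]}` pins `inet/nat/INPUT -j MASQUERADE` for the `_fw` half of the `out` list, and the same rule is frozen as `-A INPUT -j MASQUERADE` in the `*nat` blocks of the dump's rules hunk and of rules-save. As far as I know the MASQUERADE target registers only for the POSTROUTING hook, so a ruleset carrying it in nat/INPUT is rejected by iptables-restore at load time even though the generator accepts the policy; the target iptables does accept in nat INPUT is SNAT with an explicit `--to-source`. If snat toward `_fw` is not meant to be supported, the fixture should expect a generation error or no rule rather than lock in an unloadable one; if it is, the expectation wants a loadable form. Worth confirming against a real `iptables-restore --test` before these outputs are frozen.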
@@ -1574,6 +1738,55 @@ hash:net family inet
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -j limit-59
-A INPUT -j limit-58
@@ -1673,6 +1886,8 @@ hash:net family inet
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -j limit-59
-A OUTPUT -j limit-58
@@ -1772,6 +1987,8 @@ hash:net family inet
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
@@ -1965,17 +2182,42 @@ hash:net family inet
-A tarpit -p tcp -j TARPIT
-A tarpit -j DROP
COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
*nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
:awall-masquerade - [0:0]
+-A INPUT -j MASQUERADE
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
-A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
# rules6-save generated by awall
@@ -2170,6 +2412,31 @@ COMMIT
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j limit-59
-A INPUT -j limit-58
@@ -2269,6 +2536,8 @@ COMMIT
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -j limit-59
-A OUTPUT -j limit-58
@@ -2368,6 +2637,8 @@ COMMIT
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
@@ -2562,10 +2833,24 @@ COMMIT
-A tarpit -p tcp -j TARPIT
-A tarpit -j DROP
COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
-A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
diff --git a/test/output/rules-save b/test/output/rules-save
index 88099de..e05d6b6 100644
--- a/test/output/rules-save
+++ b/test/output/rules-save
@@ -190,6 +190,55 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmp -j icmp-routing
-A INPUT -j limit-59
-A INPUT -j limit-58
@@ -289,6 +338,8 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
-A INPUT -p icmp -j icmp-routing
-A OUTPUT -j limit-59
-A OUTPUT -j limit-58
@@ -388,6 +439,8 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A OUTPUT -p icmp -j icmp-routing
-A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
@@ -581,15 +634,40 @@
-A tarpit -p tcp -j TARPIT
-A tarpit -j DROP
COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
*nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
:awall-masquerade - [0:0]
+-A INPUT -j MASQUERADE
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
-A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
-A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
diff --git a/test/output/rules6-save b/test/output/rules6-save
index 7234014..53ba76d 100644
--- a/test/output/rules6-save
+++ b/test/output/rules6-save
@@ -190,6 +190,31 @@
-A FORWARD -j ACCEPT
-A FORWARD -j DROP
-A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A FORWARD -p icmpv6 -j icmp-routing
-A INPUT -j limit-59
-A INPUT -j limit-58
@@ -289,6 +314,8 @@
-A INPUT -j ACCEPT
-A INPUT -j DROP
-A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A OUTPUT -j limit-59
-A OUTPUT -j limit-58
@@ -388,6 +415,8 @@
-A OUTPUT -j ACCEPT
-A OUTPUT -j DROP
-A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
@@ -582,9 +611,23 @@
-A tarpit -p tcp -j TARPIT
-A tarpit -j DROP
COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
-A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT