author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-06-05 12:57:10 +0300 |
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-06-05 12:57:10 +0300 |
commit | 1d22026cccbc4824511b9131dd0861f5392cfb90 (patch) | |
tree | 81c70dd50accc32239a2514a4a29f20c05581cb9 /test | |
parent | 7bb0674c79d1d62533b3d917933a7ce3ff06ce35 (diff) | |
test: zone
Diffstat (limited to 'test')
-rw-r--r-- | test/mandatory/zone.json | 34 | ||||
-rw-r--r-- | test/output/dump | 285 | ||||
-rw-r--r-- | test/output/rules-save | 78 | ||||
-rw-r--r-- | test/output/rules6-save | 43 |
4 files changed, 440 insertions, 0 deletions
diff --git a/test/mandatory/zone.json b/test/mandatory/zone.json
new file mode 100644
index 0000000..bbb9251
--- /dev/null
+++ b/test/mandatory/zone.json
@@ -0,0 +1,34 @@
+{
+ "zone": {
+ "A": { "iface": "eth0" },
+ "B": { "iface": "eth1", "addr": [ "10.0.0.0/12", "fc00::/7" ] },
+ "C": { "iface": [ "eth2", "eth3" ], "addr": "10.1.0.0/12" },
+ "D": { "iface": [ "eth4", "eth5" ], "route-back": true },
+ "E": { "ipsec": true }
+ },
+ "dnat": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B" }
+ ],
+ "filter": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B", "out": "C" },
+ { "out": [ "_fw", "B" ] },
+
+ {
+ "in": [ "A", "B", "C", "D", "E" ],
+ "out": [ "A", "B", "C", "D", "E" ]
+ }
+ ],
+ "mark": [
+ { "in": [ "_fw", "A" ], "mark": 0 },
+ { "in": "B", "out": "C", "mark": 1 },
+ { "out": [ "_fw", "B" ], "mark": 2 }
+ ],
+ "no-track": [
+ { "in": [ "_fw", "A" ] },
+ { "in": "B" },
+ { "out": "_fw" }
+ ],
+ "snat": [ { "out": [ "_fw", "B" ] } ]
+}
diff --git a/test/output/dump b/test/output/dump
index e22e249..21529fd 100644
--- a/test/output/dump
+++ b/test/output/dump
@@ -1,3 +1,13 @@
+Dnat 1 {"in":["_fw","A"]}
+(zone)
+ inet/nat/OUTPUT -j REDIRECT
+ inet/nat/PREROUTING -i eth0 -j REDIRECT
+
+Dnat 2 {"in":"B"}
+(zone)
+ inet/nat/PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
+
+
 Filter 1 {}
 (filter)
  inet/filter/FORWARD -j ACCEPT
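Review bot: `"addr": "10.1.0.0/12"` for zone C (hunk line 5) is not a canonical prefix: under a /12 mask the network is 10.0.0.0/12, the same range zone B declares, so B and C describe one IPv4 network rather than two, and any consumer that normalizes prefixes (iptables does) will treat the `-d 10.1.0.0/12` rules in the expected outputs as `-d 10.0.0.0/12`. If two distinct zones are intended, a prefix with zero host bits, e.g. `"addr": "10.16.0.0/12"`, would make the fixture unambiguous, with the matching lines in test/output/* regenerated. Strict JSON has no room for a comment, so the intent (overlapping or disjoint zones) is best recorded in the test directory's README or the commit message.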
@@ -1184,6 +1194,100 @@ Filter 78 {"action":"pass","log":"none"}
  inet/filter/OUTPUT
  inet6/filter/OUTPUT
+Filter 79 {"in":["_fw","A"]}
+(zone)
+ inet/filter/OUTPUT -j ACCEPT
+ inet6/filter/OUTPUT -j ACCEPT
+ inet/filter/FORWARD -i eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -j ACCEPT
+ inet/filter/INPUT -i eth0 -j ACCEPT
+ inet6/filter/INPUT -i eth0 -j ACCEPT
+
+Filter 80 {"in":"B","out":"C"}
+(zone)
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+
+Filter 81 {"out":["_fw","B"]}
+(zone)
+ inet/filter/INPUT -j ACCEPT
+ inet6/filter/INPUT -j ACCEPT
+ inet/filter/FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+ inet6/filter/OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
+
+Filter 82 {"in":["A","B","C","D","E"],"out":["A","B","C","D","E"]}
+(zone)
+ inet/filter/FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth0 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth4 -j ACCEPT
+ inet/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -o eth5 -j ACCEPT
+ inet/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+ inet/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+ inet6/filter/FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
+
 Ipset awall-masquerade {"family":"inet","type":"hash:net"}
 (masquerade)
@@ -1196,6 +1300,44 @@ Log none {"mode":"none"}
 (log)
+Mark 1 {"in":["_fw","A"],"mark":0}
+(zone)
+ inet/mangle/OUTPUT -j MARK --set-mark 0
+ inet6/mangle/OUTPUT -j MARK --set-mark 0
+ inet/mangle/PREROUTING -i eth0 -j MARK --set-mark 0
+ inet6/mangle/PREROUTING -i eth0 -j MARK --set-mark 0
+
+Mark 2 {"in":"B","mark":1,"out":"C"}
+(zone)
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+ inet/mangle/FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+
+Mark 3 {"mark":2,"out":["_fw","B"]}
+(zone)
+ inet/mangle/INPUT -j MARK --set-mark 2
+ inet6/mangle/INPUT -j MARK --set-mark 2
+ inet/mangle/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+ inet6/mangle/POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+
+
+No-track 1 {"in":["_fw","A"]}
+(zone)
+ inet/raw/OUTPUT -j CT --notrack
+ inet6/raw/OUTPUT -j CT --notrack
+ inet/raw/PREROUTING -i eth0 -j CT --notrack
+ inet6/raw/PREROUTING -i eth0 -j CT --notrack
+
+No-track 2 {"in":"B"}
+(zone)
+ inet/raw/PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+ inet6/raw/PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+
+No-track 3 {"out":"_fw"}
+(zone)
+ inet/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+ inet6/raw/PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
+
+
 Service babel {"port":6697,"proto":"tcp"}
 (services)
@@ -1374,10 +1516,32 @@ Service vnc {"port":5900,"proto":"tcp"}
 (services)
+Snat 1 {"out":["_fw","B"]}
+(zone)
+ inet/nat/INPUT -j MASQUERADE
+ inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
+
+
 Variable awall_tproxy_mark 1
 (defaults)
+Zone A {"iface":"eth0"}
+(zone)
+
+Zone B {"addr":["10.0.0.0\/12","fc00::\/7"],"iface":"eth1"}
+(zone)
+
+Zone C {"addr":"10.1.0.0\/12","iface":["eth2","eth3"]}
+(zone)
+
+Zone D {"iface":["eth4","eth5"],"route-back":true}
+(zone)
+
+Zone E {"ipsec":true}
+(zone)
+
+
 # ipset awall-masquerade
 hash:net family inet
@@ -1574,6 +1738,55 @@ hash:net family inet
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
 -A FORWARD -p icmp -j icmp-routing
 -A INPUT -j limit-59
 -A INPUT -j limit-58
@@ -1673,6 +1886,8 @@ hash:net family inet
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -j limit-59
 -A OUTPUT -j limit-58
@@ -1772,6 +1987,8 @@ hash:net family inet
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
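Review bot: Added lines 2–3 and 12–13 of the FORWARD hunk are the same two rules (`-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT` and its eth3 twin), emitted once for the filter rule `{"in":"B","out":"C"}` and again for the all-zones rule, so the fixture now pins non-deduplicated output; the same pair recurs in test/output/rules-save (L26–27) and in the dump as Filter 80 and Filter 82 (L17–19). It is harmless for packet handling, but if identical rules are ever meant to be collapsed by the generator this expected output will need regenerating, and if not, a line in the test directory's README saying that duplicate rules from overlapping filter entries are expected would save the next reader from chasing it.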
@@ -1965,17 +2182,42 @@ hash:net family inet
 -A tarpit -p tcp -j TARPIT
 -A tarpit -j DROP
 COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
 *nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
 :awall-masquerade - [0:0]
+-A INPUT -j MASQUERADE
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
 -A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
 -A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
 COMMIT
 *raw
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
 COMMIT
 # rules6-save generated by awall
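Review bot: `+-A INPUT -j MASQUERADE` in the nat table, generated from the snat entry `{"out":["_fw","B"]}`, pins a rule that the kernel does not accept as far as I know: iptables-extensions(8) restricts the MASQUERADE target to the nat POSTROUTING chain, so iptables-restore would refuse the whole ruleset rather than just this line. The same line is pinned in test/output/rules-save (L28) and mirrored by `inet/nat/INPUT -j MASQUERADE` under Snat 1 in the dump (L20); the generator should either reject `_fw` as an snat `out` target or emit nothing for it, and these fixtures regenerated afterwards. Separately, the raw table now holds `-A OUTPUT -j CT --notrack` twice (the existing context line plus the added one, here and at L25, L28 and L30); harmless, but it shows identical rules are not collapsed.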
@@ -2170,6 +2412,31 @@ COMMIT
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
 -A FORWARD -p icmpv6 -j icmp-routing
 -A INPUT -j limit-59
 -A INPUT -j limit-58
@@ -2269,6 +2536,8 @@ COMMIT
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -j limit-59
 -A OUTPUT -j limit-58
@@ -2368,6 +2637,8 @@ COMMIT
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
@@ -2562,10 +2833,24 @@ COMMIT
 -A tarpit -p tcp -j TARPIT
 -A tarpit -j DROP
 COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
 *raw
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
 COMMIT
diff --git a/test/output/rules-save b/test/output/rules-save
index 88099de..e05d6b6 100644
--- a/test/output/rules-save
+++ b/test/output/rules-save
@@ -190,6 +190,55 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
+-A FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
 -A FORWARD -p icmp -j icmp-routing
 -A INPUT -j limit-59
 -A INPUT -j limit-58
@@ -289,6 +338,8 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
 -A INPUT -p icmp -j icmp-routing
 -A OUTPUT -j limit-59
 -A OUTPUT -j limit-58
@@ -388,6 +439,8 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
 -A OUTPUT -p icmp -j icmp-routing
 -A icmp-routing -p icmp --icmp-type 3 -j ACCEPT
 -A icmp-routing -p icmp --icmp-type 11 -j ACCEPT
@@ -581,15 +634,40 @@
 -A tarpit -p tcp -j TARPIT
 -A tarpit -j DROP
 COMMIT
+*mangle
+:FORWARD ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 1
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
 *nat
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
 :awall-masquerade - [0:0]
+-A INPUT -j MASQUERADE
+-A OUTPUT -j REDIRECT
+-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
 -A POSTROUTING -m set --match-set awall-masquerade src -j awall-masquerade
+-A PREROUTING -i eth0 -j REDIRECT
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
 -A awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
 COMMIT
 *raw
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
 COMMIT
diff --git a/test/output/rules6-save b/test/output/rules6-save
index 7234014..53ba76d 100644
--- a/test/output/rules6-save
+++ b/test/output/rules6-save
@@ -190,6 +190,31 @@
 -A FORWARD -j ACCEPT
 -A FORWARD -j DROP
 -A FORWARD
+-A FORWARD -i eth0 -j ACCEPT
+-A FORWARD -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth0 -o eth4 -j ACCEPT
+-A FORWARD -i eth0 -o eth5 -j ACCEPT
+-A FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
+-A FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth4 -o eth0 -j ACCEPT
+-A FORWARD -i eth5 -o eth0 -j ACCEPT
+-A FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -i eth4 -o eth4 -j ACCEPT
+-A FORWARD -i eth4 -o eth5 -j ACCEPT
+-A FORWARD -i eth5 -o eth4 -j ACCEPT
+-A FORWARD -i eth5 -o eth5 -j ACCEPT
+-A FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
+-A FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
 -A FORWARD -p icmpv6 -j icmp-routing
 -A INPUT -j limit-59
 -A INPUT -j limit-58
@@ -289,6 +314,8 @@
 -A INPUT -j ACCEPT
 -A INPUT -j DROP
 -A INPUT
+-A INPUT -i eth0 -j ACCEPT
+-A INPUT -j ACCEPT
 -A INPUT -p icmpv6 -j ACCEPT
 -A OUTPUT -j limit-59
 -A OUTPUT -j limit-58
@@ -388,6 +415,8 @@
 -A OUTPUT -j ACCEPT
 -A OUTPUT -j DROP
 -A OUTPUT
+-A OUTPUT -j ACCEPT
+-A OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
 -A OUTPUT -p icmpv6 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
 -A icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
@@ -582,9 +611,23 @@
 -A tarpit -p tcp -j TARPIT
 -A tarpit -j DROP
 COMMIT
+*mangle
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:PREROUTING ACCEPT [0:0]
+-A INPUT -j MARK --set-mark 2
+-A OUTPUT -j MARK --set-mark 0
+-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 2
+-A PREROUTING -i eth0 -j MARK --set-mark 0
+COMMIT
 *raw
 :OUTPUT ACCEPT [0:0]
 :PREROUTING ACCEPT [0:0]
 -A OUTPUT -j CT --notrack
+-A OUTPUT -j CT --notrack
 -A PREROUTING -j CT --notrack
+-A PREROUTING -i eth0 -j CT --notrack
+-A PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
+-A PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
 COMMIT