diff options
Diffstat (limited to 'tests/shell/testcases/parsing')
| -rwxr-xr-x | tests/shell/testcases/parsing/describe | 7 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/describe.json-nft | 11 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/describe.nft | 0 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft | 4079 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/large_rule_pipe.nft | 561 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/log.json-nft | 11 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/log.nft | 0 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/octal.json-nft | 11 | ||||
| -rw-r--r-- | tests/shell/testcases/parsing/dumps/octal.nft | 0 | ||||
| -rwxr-xr-x | tests/shell/testcases/parsing/large_rule_pipe | 571 | ||||
| -rwxr-xr-x | tests/shell/testcases/parsing/log | 10 | ||||
| -rwxr-xr-x | tests/shell/testcases/parsing/octal | 13 |
12 files changed, 5274 insertions, 0 deletions
diff --git a/tests/shell/testcases/parsing/describe b/tests/shell/testcases/parsing/describe new file mode 100755 index 00000000..2ee072e8 --- /dev/null +++ b/tests/shell/testcases/parsing/describe @@ -0,0 +1,7 @@ +#!/bin/bash + +errmsg='Error: unknown ip option type/field' + +str=$($NFT describe ip option rr value 2>&1 | head -n 1) + +[ "$str" = "$errmsg" ] && exit 0 diff --git a/tests/shell/testcases/parsing/dumps/describe.json-nft b/tests/shell/testcases/parsing/dumps/describe.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/describe.nft b/tests/shell/testcases/parsing/dumps/describe.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/describe.nft diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft new file mode 100644 index 00000000..bf5dc65f --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.json-nft @@ -0,0 +1,4079 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "ip6", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING", + "handle": 0, + "type": "nat", + "hook": "prerouting", + "prio": -90, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING", + "handle": 0, + "type": "nat", + "hook": "postrouting", + "prio": 110, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POSTROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "ip6", + "table": "firewalld", + "name": "nat_POST_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POSTROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "nat_POST_home" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POSTROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "nat_POST_public" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "ip6", + "table": "firewalld", + "chain": "nat_POST_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "nat_POST_work_allow" + } + } + ] + } + }, + { + "table": { + "family": "inet", + "name": "firewalld", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -290, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING", + "handle": 0, + "type": "filter", + "hook": "prerouting", + "prio": -140, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PREROUTING_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT", + "handle": 0, + "type": "filter", + "hook": "input", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD", + "handle": 0, + "type": "filter", + "hook": "forward", + "prio": 10, + "policy": "accept" + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_INPUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_IN_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES_SOURCE", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FORWARD_OUT_ZONES", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_public_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_home_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "raw_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_IN_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDI_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "mangle_PRE_work_allow", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_log", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_deny", + "handle": 0 + } + }, + { + "chain": { + "family": "inet", + "table": "firewalld", + "name": "filter_FWDO_work_allow", + "handle": 0 + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": { + "set": [ + "nd-router-advert", + "nd-neighbor-solicit" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "nfproto" + } + }, + "right": "ipv6" + } + }, + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "oif", + "flags": [ + "saddr", + "iif" + ] + } + }, + "right": false + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "raw_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "raw_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PREROUTING_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "mangle_PRE_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PREROUTING_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "mangle_PRE_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_INPUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_IN_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES_SOURCE" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FORWARD_OUT_ZONES" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "invalid" + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD", + "handle": 0, + "expr": [ + { + "reject": { + "type": "icmpx", + "expr": "admin-prohibited" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_IN_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_INPUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_IN_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDI_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_IN_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDI_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "enp0s25" + } + }, + { + "goto": { + "target": "filter_FWDO_home" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FORWARD_OUT_ZONES", + "handle": 0, + "expr": [ + { + "goto": { + "target": "filter_FWDO_public" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_public_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_public", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_public", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_public_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "netbios-ns" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "daddr" + } + }, + "right": "224.0.0.251" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "ff02::fb" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 5353 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "range": [ + 1714, + 1764 + ] + } + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 137 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 138 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 139 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_home_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 445 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_home", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_home", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_home_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "raw_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "raw_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_IN_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_IN_work_allow", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 64 + } + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 546 + } + }, + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "new", + "untracked" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDI_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDI_work", + "handle": 0, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "l4proto" + } + }, + "right": { + "set": [ + "icmp", + "ipv6-icmp" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "mangle_PRE_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "mangle_PRE_work_allow" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_log" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_deny" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewalld", + "chain": "filter_FWDO_work", + "handle": 0, + "expr": [ + { + "jump": { + "target": "filter_FWDO_work_allow" + } + } + ] + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft new file mode 100644 index 00000000..15832752 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/large_rule_pipe.nft @@ -0,0 +1,561 @@ +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority dstnat + 10; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority srcnat + 10; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority raw + 10; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority mangle + 10; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority filter + 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport 137 ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport 22 ct state new,untracked accept + ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept + ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + udp dport 137 ct state new,untracked accept + udp dport 138 ct state new,untracked accept + tcp dport 139 ct state new,untracked accept + tcp dport 445 ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport 22 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +} diff --git a/tests/shell/testcases/parsing/dumps/log.json-nft b/tests/shell/testcases/parsing/dumps/log.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/log.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/log.nft b/tests/shell/testcases/parsing/dumps/log.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/log.nft diff --git a/tests/shell/testcases/parsing/dumps/octal.json-nft b/tests/shell/testcases/parsing/dumps/octal.json-nft new file mode 100644 index 00000000..546cc597 --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/octal.json-nft @@ -0,0 +1,11 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "VERSION", + "release_name": "RELEASE_NAME", + "json_schema_version": 1 + } + } + ] +} diff --git a/tests/shell/testcases/parsing/dumps/octal.nft b/tests/shell/testcases/parsing/dumps/octal.nft new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/tests/shell/testcases/parsing/dumps/octal.nft diff --git a/tests/shell/testcases/parsing/large_rule_pipe b/tests/shell/testcases/parsing/large_rule_pipe new file mode 100755 index 00000000..b6760c01 --- /dev/null +++ b/tests/shell/testcases/parsing/large_rule_pipe @@ -0,0 +1,571 @@ +#!/bin/bash + +set -e + +RULESET="#!/sbin/nft -f +flush ruleset; +table ip firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table ip6 firewalld { + chain nat_PREROUTING { + type nat hook prerouting priority -90; policy accept; + jump nat_PREROUTING_ZONES_SOURCE + jump nat_PREROUTING_ZONES + } + + chain nat_PREROUTING_ZONES_SOURCE { + } + + chain nat_PREROUTING_ZONES { + iifname "enp0s25" goto nat_PRE_home + goto nat_PRE_public + } + + chain nat_POSTROUTING { + type nat hook postrouting priority 110; policy accept; + jump nat_POSTROUTING_ZONES_SOURCE + jump nat_POSTROUTING_ZONES + } + + chain nat_POSTROUTING_ZONES_SOURCE { + } + + chain nat_POSTROUTING_ZONES { + oifname "enp0s25" goto nat_POST_home + goto nat_POST_public + } + + chain nat_PRE_public { + jump nat_PRE_public_log + jump nat_PRE_public_deny + jump nat_PRE_public_allow + } + + chain nat_PRE_public_log { + } + + chain nat_PRE_public_deny { + } + + chain nat_PRE_public_allow { + } + + chain nat_POST_public { + jump nat_POST_public_log + jump nat_POST_public_deny + jump nat_POST_public_allow + } + + chain nat_POST_public_log { + } + + chain nat_POST_public_deny { + } + + chain nat_POST_public_allow { + } + + chain nat_PRE_home { + jump nat_PRE_home_log + jump nat_PRE_home_deny + jump nat_PRE_home_allow + } + + chain nat_PRE_home_log { + } + + chain nat_PRE_home_deny { + } + + chain nat_PRE_home_allow { + } + + chain nat_POST_home { + jump nat_POST_home_log + jump nat_POST_home_deny + jump nat_POST_home_allow + } + + chain nat_POST_home_log { + } + + chain nat_POST_home_deny { + } + + chain nat_POST_home_allow { + } + + chain nat_PRE_work { + jump nat_PRE_work_log + jump nat_PRE_work_deny + jump nat_PRE_work_allow + } + + chain nat_PRE_work_log { + } + + chain nat_PRE_work_deny { + } + + chain nat_PRE_work_allow { + } + + chain nat_POST_work { + jump nat_POST_work_log + jump nat_POST_work_deny + jump nat_POST_work_allow + } + + chain nat_POST_work_log { + } + + chain nat_POST_work_deny { + } + + chain nat_POST_work_allow { + } +} +table inet firewalld { + chain raw_PREROUTING { + type filter hook prerouting priority -290; policy accept; + icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept + meta nfproto ipv6 fib saddr . iif oif missing drop + jump raw_PREROUTING_ZONES_SOURCE + jump raw_PREROUTING_ZONES + } + + chain raw_PREROUTING_ZONES_SOURCE { + } + + chain raw_PREROUTING_ZONES { + iifname "enp0s25" goto raw_PRE_home + goto raw_PRE_public + } + + chain mangle_PREROUTING { + type filter hook prerouting priority -140; policy accept; + jump mangle_PREROUTING_ZONES_SOURCE + jump mangle_PREROUTING_ZONES + } + + chain mangle_PREROUTING_ZONES_SOURCE { + } + + chain mangle_PREROUTING_ZONES { + iifname "enp0s25" goto mangle_PRE_home + goto mangle_PRE_public + } + + chain filter_INPUT { + type filter hook input priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_INPUT_ZONES_SOURCE + jump filter_INPUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_FORWARD { + type filter hook forward priority 10; policy accept; + ct state established,related accept + iifname "lo" accept + jump filter_FORWARD_IN_ZONES_SOURCE + jump filter_FORWARD_IN_ZONES + jump filter_FORWARD_OUT_ZONES_SOURCE + jump filter_FORWARD_OUT_ZONES + ct state invalid drop + reject with icmpx type admin-prohibited + } + + chain filter_INPUT_ZONES_SOURCE { + } + + chain filter_INPUT_ZONES { + iifname "enp0s25" goto filter_IN_home + goto filter_IN_public + } + + chain filter_FORWARD_IN_ZONES_SOURCE { + } + + chain filter_FORWARD_IN_ZONES { + iifname "enp0s25" goto filter_FWDI_home + goto filter_FWDI_public + } + + chain filter_FORWARD_OUT_ZONES_SOURCE { + } + + chain filter_FORWARD_OUT_ZONES { + oifname "enp0s25" goto filter_FWDO_home + goto filter_FWDO_public + } + + chain raw_PRE_public { + jump raw_PRE_public_log + jump raw_PRE_public_deny + jump raw_PRE_public_allow + } + + chain raw_PRE_public_log { + } + + chain raw_PRE_public_deny { + } + + chain raw_PRE_public_allow { + } + + chain filter_IN_public { + jump filter_IN_public_log + jump filter_IN_public_deny + jump filter_IN_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_public_log { + } + + chain filter_IN_public_deny { + } + + chain filter_IN_public_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_public { + jump filter_FWDI_public_log + jump filter_FWDI_public_deny + jump filter_FWDI_public_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_public_log { + } + + chain filter_FWDI_public_deny { + } + + chain filter_FWDI_public_allow { + } + + chain mangle_PRE_public { + jump mangle_PRE_public_log + jump mangle_PRE_public_deny + jump mangle_PRE_public_allow + } + + chain mangle_PRE_public_log { + } + + chain mangle_PRE_public_deny { + } + + chain mangle_PRE_public_allow { + } + + chain filter_FWDO_public { + jump filter_FWDO_public_log + jump filter_FWDO_public_deny + jump filter_FWDO_public_allow + } + + chain filter_FWDO_public_log { + } + + chain filter_FWDO_public_deny { + } + + chain filter_FWDO_public_allow { + } + + chain raw_PRE_home { + jump raw_PRE_home_log + jump raw_PRE_home_deny + jump raw_PRE_home_allow + } + + chain raw_PRE_home_log { + } + + chain raw_PRE_home_deny { + } + + chain raw_PRE_home_allow { + udp dport netbios-ns ct helper "netbios-ns" + } + + chain filter_IN_home { + jump filter_IN_home_log + jump filter_IN_home_deny + jump filter_IN_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_home_log { + } + + chain filter_IN_home_deny { + } + + chain filter_IN_home_allow { + tcp dport ssh ct state new,untracked accept + ip daddr 224.0.0.251 udp dport mdns ct state new,untracked accept + ip6 daddr ff02::fb udp dport mdns ct state new,untracked accept + udp dport 1714-1764 ct state new,untracked accept + tcp dport 1714-1764 ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + udp dport netbios-ns ct state new,untracked accept + udp dport netbios-dgm ct state new,untracked accept + tcp dport netbios-ssn ct state new,untracked accept + tcp dport microsoft-ds ct state new,untracked accept + } + + chain filter_FWDI_home { + jump filter_FWDI_home_log + jump filter_FWDI_home_deny + jump filter_FWDI_home_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_home_log { + } + + chain filter_FWDI_home_deny { + } + + chain filter_FWDI_home_allow { + } + + chain mangle_PRE_home { + jump mangle_PRE_home_log + jump mangle_PRE_home_deny + jump mangle_PRE_home_allow + } + + chain mangle_PRE_home_log { + } + + chain mangle_PRE_home_deny { + } + + chain mangle_PRE_home_allow { + } + + chain filter_FWDO_home { + jump filter_FWDO_home_log + jump filter_FWDO_home_deny + jump filter_FWDO_home_allow + } + + chain filter_FWDO_home_log { + } + + chain filter_FWDO_home_deny { + } + + chain filter_FWDO_home_allow { + } + + chain raw_PRE_work { + jump raw_PRE_work_log + jump raw_PRE_work_deny + jump raw_PRE_work_allow + } + + chain raw_PRE_work_log { + } + + chain raw_PRE_work_deny { + } + + chain raw_PRE_work_allow { + } + + chain filter_IN_work { + jump filter_IN_work_log + jump filter_IN_work_deny + jump filter_IN_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_IN_work_log { + } + + chain filter_IN_work_deny { + } + + chain filter_IN_work_allow { + tcp dport ssh ct state new,untracked accept + ip6 daddr fe80::/64 udp dport dhcpv6-client ct state new,untracked accept + } + + chain filter_FWDI_work { + jump filter_FWDI_work_log + jump filter_FWDI_work_deny + jump filter_FWDI_work_allow + meta l4proto { icmp, ipv6-icmp } accept + } + + chain filter_FWDI_work_log { + } + + chain filter_FWDI_work_deny { + } + + chain filter_FWDI_work_allow { + } + + chain mangle_PRE_work { + jump mangle_PRE_work_log + jump mangle_PRE_work_deny + jump mangle_PRE_work_allow + } + + chain mangle_PRE_work_log { + } + + chain mangle_PRE_work_deny { + } + + chain mangle_PRE_work_allow { + } + + chain filter_FWDO_work { + jump filter_FWDO_work_log + jump filter_FWDO_work_deny + jump filter_FWDO_work_allow + } + + chain filter_FWDO_work_log { + } + + chain filter_FWDO_work_deny { + } + + chain filter_FWDO_work_allow { + } +}" + +( echo "flush ruleset;"; echo "${RULESET}" ) | $NFT -f - + +exit 0 diff --git a/tests/shell/testcases/parsing/log b/tests/shell/testcases/parsing/log new file mode 100755 index 00000000..0b89d589 --- /dev/null +++ b/tests/shell/testcases/parsing/log @@ -0,0 +1,10 @@ +#!/bin/bash + +$NFT add table t || exit 1 +$NFT add chain t c || exit 1 +$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all prefix "nft_lo4 " drop' || exit 1 +$NFT add rule t c 'iif != lo ip daddr 127.0.0.1/8 counter limit rate 1/second log flags all level debug drop' || exit 1 +$NFT delete table t || exit 1 + +exit 0 + diff --git a/tests/shell/testcases/parsing/octal b/tests/shell/testcases/parsing/octal new file mode 100755 index 00000000..09ac26e7 --- /dev/null +++ b/tests/shell/testcases/parsing/octal @@ -0,0 +1,13 @@ +#!/bin/bash + +$NFT add table t || exit 1 +$NFT add chain t c || exit 1 +$NFT add rule t c 'ip saddr 01 continue comment "0.0.0.1"' || exit 1 +$NFT add rule t c 'ip saddr 08 continue comment "error"' && { + echo "'"ip saddr 08"'" not rejected 1>&2 + exit 1 +} +$NFT delete table t || exit 1 + +exit 0 + |