fix nftables syntax
This commit is contained in:
parent
a65bb9d585
commit
d66f5901a2
2 changed files with 37 additions and 31 deletions
@ -31,17 +31,20 @@ let
|
||||||
|
|
||||||
indent = text : indentLines 0 (splitString "\n" text);
|
indent = text : indentLines 0 (splitString "\n" text);
|
||||||
|
|
||||||
dochain = { name, type, family, rules, policy ? null, hook ? null } : ''
|
dochain = { name, type, family, rules,
|
||||||
|
policy ? null,
|
||||||
|
priority ? "filter",
|
||||||
|
hook ? null } : ''
|
||||||
chain ${name} {
|
chain ${name} {
|
||||||
${if hook != null
|
${if hook != null
|
||||||
then "type ${type} hook ${hook}; policy ${policy};"
|
then "type ${type} hook ${hook} priority ${priority}; policy ${policy};"
|
||||||
else ""
|
else ""
|
||||||
}
|
}
|
||||||
${concatStringsSep "\n" rules}
|
${concatStringsSep "\n" rules}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
dotable = family : chains : ''
|
dotable = family : chains : ''
|
||||||
table ${family} ${family} {
|
table ${family} table-${family} {
|
||||||
${concatStringsSep "\n" (map dochain chains)}
|
${concatStringsSep "\n" (map dochain chains)}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|
|
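Review bot: The new base-chain branch of `dochain` interpolates `policy` unconditionally (`... priority ${priority}; policy ${policy};`), but the parameter still defaults to `null`, so any chain that passes `hook` without `policy` fails evaluation because Nix cannot coerce null to a string; the `? null` default is effectively only usable for chains without a hook. Either make the clause conditional, `${if policy != null then "policy ${policy};" else ""}`, or give the default a concrete value so every base chain states its policy explicitly rather than relying on nftables' implicit accept. Consider a short comment above the parameter set noting that `policy` and `priority` are only emitted for base chains (those with a hook), since the `else ""` branch drops both silently. The enclosing `let` block begins outside this hunk.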
@ -2,17 +2,17 @@ let
|
||||||
drop = expr : "${expr} drop";
|
drop = expr : "${expr} drop";
|
||||||
accept = expr : "${expr} accept";
|
accept = expr : "${expr} accept";
|
||||||
mcast-scope = 8;
|
mcast-scope = 8;
|
||||||
allow-incoming = true;
|
allow-incoming = false;
|
||||||
bogons-ip6 = {
|
bogons-ip6 = {
|
||||||
type = "filter";
|
type = "filter";
|
||||||
family = "ip6";
|
family = "ip6";
|
||||||
rules = [
|
rules = [
|
||||||
(drop "saddr ff00::/8") # multicast saddr is illegal
|
(drop "ip6 saddr ff00::/8") # multicast saddr is illegal
|
||||||
|
|
||||||
(drop "saddr ::/128") # unspecified address
|
(drop "ip6 saddr ::/128") # unspecified address
|
||||||
(drop "daddr ::/128")
|
(drop "ip6 daddr ::/128")
|
||||||
(drop "saddr 2001:db8::/32") # documentation addresses
|
(drop "ip6 saddr 2001:db8::/32") # documentation addresses
|
||||||
(drop "daddr 2001:db8::/32")
|
(drop "ip6 daddr 2001:db8::/32")
|
||||||
|
|
||||||
# I think this means "check FIB for (saddr, iif) to see if we
|
# I think this means "check FIB for (saddr, iif) to see if we
|
||||||
# could route a packet to that address using that interface",
|
# could route a packet to that address using that interface",
|
||||||
|
@ -39,33 +39,36 @@ let
|
||||||
hook = "forward";
|
hook = "forward";
|
||||||
rules = [
|
rules = [
|
||||||
"jump bogons-ip6"
|
"jump bogons-ip6"
|
||||||
(drop "saddr ::1/128") # loopback address [RFC4291]
|
(drop "ip6 saddr ::1/128") # loopback address [RFC4291]
|
||||||
(drop "daddr ::1/128")
|
(drop "ip6 daddr ::1/128")
|
||||||
(drop "saddr ::FFFF:0:0/96")# IPv4-mapped addresses
|
(drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
|
||||||
(drop "daddr ::FFFF:0:0/96")
|
(drop "ip6 daddr ::FFFF:0:0/96")
|
||||||
(drop "saddr fe80::/10") # link-local unicast
|
(drop "ip6 saddr fe80::/10") # link-local unicast
|
||||||
(drop "daddr fe80::/10")
|
(drop "ip6 daddr fe80::/10")
|
||||||
(drop "saddr fc00::/7") # unique-local addresses
|
(drop "ip6 saddr fc00::/7") # unique-local addresses
|
||||||
(drop "daddr fc00::/7")
|
(drop "ip6 daddr fc00::/7")
|
||||||
(drop "saddr 2001:10::/28") # ORCHID [RFC4843].
|
(drop "ip6 saddr 2001:10::/28") # ORCHID [RFC4843].
|
||||||
(drop "daddr 2001:10::/28")
|
(drop "ip6 daddr 2001:10::/28")
|
||||||
|
|
||||||
(drop "saddr fc00::/7") # unique local source
|
(drop "ip6 saddr fc00::/7") # unique local source
|
||||||
(drop "daddr fc00::/7") # and/or dst addresses [RFC4193]
|
(drop "ip6 daddr fc00::/7") # and/or dst addresses [RFC4193]
|
||||||
|
|
||||||
# multicast with wrong scopes
|
# multicast with wrong scopes
|
||||||
(drop
|
(drop
|
||||||
# dest addr first byte 0xff, low nibble of second byte <= scope
|
# dest addr first byte 0xff, low nibble of second byte <= scope
|
||||||
# https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
|
# https://www.mankier.com/8/nft#Payload_Expressions-Raw_Payload_Expression
|
||||||
"@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope})")
|
"@nh,192,8 eq 0xff @nh,204,4 le ${toString mcast-scope}")
|
||||||
|
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related")
|
(accept "oifname \"int\" iifname \"ppp0\" meta l4proto udp ct state established,related")
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")
|
(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")
|
||||||
|
|
||||||
(accept "icmpv6")
|
(accept "meta l4proto icmpv6")
|
||||||
(accept "ah")
|
(accept "meta l4proto ah")
|
||||||
(accept "esp")
|
(accept "meta l4proto esp")
|
||||||
(accept "udp port 500") # IKE Protocol [RFC5996]. haha zyxel
|
|
||||||
|
# does this ever get used or does the preceding general udp accept
|
||||||
|
# already grab anything that might get here?
|
||||||
|
(accept "oifname \"ppp0\" udp dport 500") # IKE Protocol [RFC5996]. haha zyxel
|
||||||
(accept "ip6 nexthdr hip")
|
(accept "ip6 nexthdr hip")
|
||||||
|
|
||||||
## FIXME no support yet for recs 27-30 Mobility Header
|
## FIXME no support yet for recs 27-30 Mobility Header
|
||||||
|
@ -84,11 +87,11 @@ let
|
||||||
# accept inbound from the WAN
|
# accept inbound from the WAN
|
||||||
(if allow-incoming
|
(if allow-incoming
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
then accept "oifname \"int\" iifname \"ppp0\""
|
||||||
else { rule = "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"; }
|
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||||
)
|
)
|
||||||
# allow all outbound and any inbound that's part of a
|
# allow all outbound and any inbound that's part of a
|
||||||
# recognised (outbound-initiated) flow
|
# recognised (outbound-initiated) flow
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -99,10 +102,10 @@ let
|
||||||
hook = "input";
|
hook = "input";
|
||||||
rules = [
|
rules = [
|
||||||
"jump bogons-ip6"
|
"jump bogons-ip6"
|
||||||
(accept "icmpv6")
|
(accept "meta l4proto icmpv6")
|
||||||
(if allow-incoming
|
(if allow-incoming
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
then accept "oifname \"int\" iifname \"ppp0\""
|
||||||
else { rule = "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"; }
|
else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
|
||||||
)
|
)
|
||||||
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
(accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
|
||||||
(accept "iifname \"int\" oifname \"ppp0\" ")
|
(accept "iifname \"int\" oifname \"ppp0\" ")
|
||||||
|
@ -113,7 +116,7 @@ let
|
||||||
type = "filter";
|
type = "filter";
|
||||||
family = "ip6";
|
family = "ip6";
|
||||||
rules = [
|
rules = [
|
||||||
"oifname \"int\" tcp port 22 daddr loaclhost.lan"
|
"oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
in {
|
in {
|
||||||
|
|
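Review bot: The rewritten rule `"oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22"` in the last hunk carries no verdict; if this is the `incoming-allowed-ip6` chain that the forward and input chains now `jump` to, a verdict-less rule only matches and returns, so the intended SSH exception never accepts anything and the traffic falls through to the caller's remaining rules and policy. Wrapping it with the file's helper, `(accept "oifname \"int\" ip6 daddr 2001:8b0:de3a:40de::e9d tcp dport 22")`, makes the verdict explicit; the chain's hook setting, if any, is outside this hunk, so the jump-target assumption should be confirmed. On the third hunk, the question left in the comment can be answered from the visible lines: `(accept "iifname \"int\" oifname \"ppp0\" meta l4proto udp")` already accepts all UDP from `int` to `ppp0`, so the new `oifname \"ppp0\" udp dport 500` rule is only reached by packets arriving on some other input interface, which is worth stating in the comment instead of leaving the open question.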