authorGregor Kleen <gkleen@yggdrasil.li>2022-01-01 04:04:42 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2022-01-01 04:04:42 +0100
commitcb2236575fa1fbda53dea0f22f2245abc25780c4 (patch)
treec64864eb34b6b4790f17a1849a7f0a71db6565f3
parent9ef71013736632040d20f738dd7e4e213d0588d1 (diff)
vidhar: nftables: named counters
-rw-r--r--hosts/vidhar/network/ruleset.nft206
1 files changed, 149 insertions, 57 deletions
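--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -8,24 +8,33 @@ table arp filter {
  rate over 1400 kbytes/second burst 1400 kbytes
  }
 
+ counter arp-rx {}
+ counter arp-tx {}
+
+ counter arp-ratelimit-dsl-rx {}
+ counter arp-ratelimit-dsl-tx {}
+
+ counter arp-ratelimit-local-rx {}
+ counter arp-ratelimit-local-tx {}
+
  chain input {
  type filter hook input priority filter
  policy accept
 
- iifname != dsl limit name lim_arp_local counter drop
- iifname dsl limit name lim_arp_dsl counter drop
+ iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+ iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop
 
- counter
+ counter name arp-rx
  }
 
  chain output {
  type filter hook output priority filter
  policy accept
 
- oifname != dsl limit name lim_arp_local counter drop
- oifname dsl limit name lim_arp_dsl counter drop
+ oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+ oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop
 
- counter
+ counter name arp-tx
  }
 }
 
@@ -41,38 +50,98 @@ table inet filter {
  rate over 1400 kbytes/second burst 1400 kbytes
  }
 
+ counter icmp-ratelimit-dsl-fw {}
+ counter icmp-ratelimit-local-fw {}
+
+ counter icmp-fw {}
+
+ counter invalid-fw {}
+ counter fw-lo {}
+ counter fw-lan {}
+ counter fw-dsl {}
+
+ counter reject-ratelimit-fw {}
+ counter reject-fw {}
+ counter reject-tcp-fw {}
+ counter reject-icmp-fw {}
+
+
+ counter invalid-rx {}
+ counter rx-lo {}
+ counter invalid-local4-rx {}
+ counter invalid-local6-rx {}
+
+ counter icmp-ratelimit-dsl-rx {}
+ counter icmp-ratelimit-local-rx {}
+ counter icmp-rx {}
+
+ counter ssh-rx {}
+ counter mosh-rx {}
+ counter dns-rx {}
+ counter wg-rx {}
+ counter yggdrasil-gre-rx {}
+ counter ipv6-pd-rx {}
+ counter ntp-rx {}
+ counter dhcp-rx {}
+ counter samba-rx {}
+ counter http-rx {}
+
+ counter established-rx {}
+
+ counter reject-ratelimit-rx {}
+ counter reject-rx {}
+ counter reject-tcp-rx {}
+ counter reject-icmp-rx {}
+
+
+ counter tx-lo {}
+
+ counter icmp-ratelimit-dsl-tx {}
+ counter icmp-ratelimit-local-tx {}
+ counter icmp-tx {}
+
+ counter ssh-tx {}
+ counter mosh-tx {}
+ counter dns-tx {}
+ counter wg-tx {}
+ counter yggdrasil-gre-tx {}
+ counter ipv6-pd-tx {}
+ counter ntp-tx {}
+ counter dhcp-tx {}
+ counter samba-tx {}
+ counter http-tx {}
+
+ counter tx {}
+
 
  chain forward_icmp_accept {
- oifname dsl limit name lim_icmp_dsl counter drop
- iifname dsl limit name lim_icmp_dsl counter drop
- oifname != dsl limit name lim_icmp_local counter drop
- iifname != dsl limit name lim_icmp_local counter drop
- counter accept
+ oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+ iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+ oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ counter name icmp-fw accept
  }
  chain forward {
  type filter hook forward priority filter
  policy drop
 
 
- ct state invalid log prefix "drop invalid forward: " counter drop
+ ct state invalid log prefix "drop invalid forward: " counter name invalid-fw drop
 
 
- iifname lo counter accept
+ iifname lo counter name fw-lo accept
 
  oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
- iifname lan oifname dsl counter accept
- iifname dsl oifname lan ct state {established, related} counter accept
-
+ iifname lan oifname dsl counter name fw-lan accept
+ iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
 
 
- limit name lim_reject log prefix "drop forward: " counter drop
- log prefix "reject forward: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
 
-
- counter
+ limit name lim_reject log prefix "drop forward: " counter name reject-ratelimit-fw drop
+ log prefix "reject forward: " counter name reject-fw
+ meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
+ ct state new counter name reject-icmp-fw reject
  }
 
  chain input {
@@ -80,48 +149,45 @@ table inet filter {
  policy drop
 
 
- ct state invalid log prefix "drop invalid input: " counter drop
+ ct state invalid log prefix "drop invalid input: " counter name invalid-rx drop
 
 
- iifname lo counter accept
- iif != lo ip daddr 127.0.0.1/8 counter reject
- iif != lo ip6 daddr ::1/128 counter reject
-
- iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
- iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
- meta l4proto $icmp_protos counter accept
+ iifname lo counter name rx-lo accept
+ iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
+ iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
- tcp dport 22 counter accept
- udp dport 60001-61000 counter accept
+ iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
+ iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+ meta l4proto $icmp_protos counter name icmp-rx accept
 
- iifname lan tcp dport 53 counter accept
- iifname lan udp dport 53 counter accept
+ tcp dport 22 counter name ssh-rx accept
+ udp dport 60001-61000 counter name mosh-rx accept
 
- meta protocol ip udp dport 51820 counter accept
- meta protocol ip6 udp dport 51821 counter accept
- iifname "yggdrasil-wg-*" meta l4proto gre counter accept
+ iifname lan tcp dport 53 counter name dns-rx accept
+ iifname lan udp dport 53 counter name dns-rx accept
 
- iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
+ meta protocol ip udp dport 51820 counter name wg-rx accept
+ meta protocol ip6 udp dport 51821 counter name wg-rx accept
+ iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
- iifname mgmt udp dport 123 counter accept
+ iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
- iifname {lan, mgmt} udp dport 67 counter accept
+ iifname mgmt udp dport 123 counter name ntp-rx accept
 
- iifname lan udp dport { 137, 138, 3702 } counter accept
- iifname lan tcp dport { 445, 139, 5357 } counter accept
+ iifname {lan, mgmt} udp dport 67 counter name dhcp-rx accept
 
- iifname yggdrasil tcp dport 80 counter accept
+ iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
+ iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
 
- ct state {established, related} counter accept
+ iifname yggdrasil tcp dport 80 counter name http-rx accept
 
+ ct state {established, related} counter name established-rx accept
 
- limit name lim_reject log prefix "drop input: " counter drop
- log prefix "reject input: " counter
- meta l4proto tcp ct state new counter reject with tcp reset
- ct state new counter reject
 
-
- counter
+ limit name lim_reject log prefix "drop input: " counter name reject-ratelimit-rx drop
+ log prefix "reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
  }
 
  chain output {
@@ -129,33 +195,59 @@ table inet filter {
  policy accept
 
 
- oifname lo counter accept
+ oifname lo counter name tx-lo accept
+
+ oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
+ oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+ meta l4proto $icmp_protos counter name icmp-tx accept
+
+
+ tcp sport 22 counter name ssh-tx
+ udp sport 60001-61000 counter name mosh-tx
 
- oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop
- oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
- meta l4proto $icmp_protos counter accept
+ tcp sport 53 counter name dns-tx
+ udp sport 53 counter name dns-tx
 
+ meta protocol ip udp sport 51820 counter name wg-tx
+ meta protocol ip6 udp sport 51821 counter name wg-tx
+ iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
- counter
+ meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
+
+ udp sport 123 counter name ntp-tx accept
+
+ udp sport 67 counter name dhcp-tx accept
+
+ udp sport { 137, 138, 3702 } counter name samba-tx accept
+ tcp sport { 445, 139, 5357 } counter name samba-tx accept
+
+ tcp sport 80 counter name http-tx accept
+
+
+ counter name tx
  }
 }
 
 table ip nat {
+ counter dsl-nat {}
+
  chain postrouting {
  type nat hook postrouting priority srcnat
  policy accept
 
 
- oifname dsl counter masquerade
+ oifname dsl counter name dsl-nat masquerade
  }
 }
 
 table ip mss_clamp {
+ counter dsl-mss-clamp {}
+
  chain postrouting {
  type filter hook postrouting priority mangle
  policy accept
 
 
- oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
+ oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
  }
 }
\ No newline at end of file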
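Review bot: The new rule `iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx` at line 213 of the inet filter output chain is keyed on the input interface, but packets traversing the output hook are locally generated and, as far as I can tell, carry no input interface, so this counter will most likely never increment; the rx counterpart in the input chain uses iifname correctly, while the tx side should read `oifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx`. In the same chain the ssh/mosh/dns/wg/gre/ipv6-pd rules only count and fall through to the final `counter name tx`, whereas the ntp/dhcp/samba/http rules end in `accept` and are excluded from it, so `tx` is neither a total nor a remainder; using the same verdict form for all per-service tx rules would make the named counters comparable. The ipv6-pd-tx rule also lacks the `oifname dsl` qualifier that its rx twin carries as `iifname dsl`, which may be intentional but is worth a comment. The output chain's header (`chain output {` / `type filter hook output`) lies outside this hunk.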