sif: network for libvirtd

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-06-22 10:50:52 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-06-22 10:50:52 +0200
commit: 9342cee52c63d50234db346ca0909caba0f94475 (patch)
tree: 52f86459557914b1bdd4ca52285d7fd8cd6ef554 /hosts/sif/ruleset.nft
parent: 5d640c6dbb9708296b761c8de89565043962c0a7 (diff)
download: nixos-9342cee52c63d50234db346ca0909caba0f94475.tar
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.gz
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.bz2
nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.xz
nixos-9342cee52c63d50234db346ca0909caba0f94475.zip
1 files changed, 50 insertions, 0 deletions
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index 363ffbdc..2a1467b8 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
  counter tx {}
+  counter fw-libvirt {}
+  counter libvirt-dhcp {}
+  counter libvirt-dns {}
  chain forward {
    type filter hook forward priority filter
@@ -95,6 +99,9 @@ table inet filter {
    iifname lo counter name fw-lo accept
+    iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
+    oifname virbr0 ct state {established, related} counter name fw-libvirt accept
    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
    log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
    udp dport 51820-51822 counter name wg-rx accept
    iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+    iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
+    iifname virbr0 udp dport 53 counter name libvirt-dns accept
+    iifname virbr0 tcp dport 53 counter name libvirt-dns accept
    ct state {established, related} counter name established-rx accept
@@ -153,7 +165,45 @@ table inet filter {
    tcp sport 8000 counter name quickserve-tx accept
+    oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
+    oifname virbr0 udp sport 53 counter name libvirt-dns accept
+    oifname virbr0 tcp sport 53 counter name libvirt-dns accept
    counter name tx
  }
 }
+table ip nat {
+  counter libvirt-nat {}
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+table ip6 nat {
+  counter libvirt-nat {}
+  chain postrouting {
+    type nat hook postrouting priority srcnat
+    policy accept
+    iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+  }
+}
+table ip mss_clamp {
+  counter libvirt-mss-clamp {}
+  chain postrouting {
+    type filter hook postrouting priority mangle
+    policy accept
+    iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+  }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-06-22 10:50:52 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-06-22 10:50:52 +0200
commit	9342cee52c63d50234db346ca0909caba0f94475 (patch)
tree	52f86459557914b1bdd4ca52285d7fd8cd6ef554 /hosts/sif/ruleset.nft
parent	5d640c6dbb9708296b761c8de89565043962c0a7 (diff)
download	nixos-9342cee52c63d50234db346ca0909caba0f94475.tar nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.gz nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.bz2 nixos-9342cee52c63d50234db346ca0909caba0f94475.tar.xz nixos-9342cee52c63d50234db346ca0909caba0f94475.zip

diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft index 363ffbdc..2a1467b8 100644 --- a/hosts/sif/ruleset.nft +++ b/hosts/sif/ruleset.nft
@@ -84,6 +84,10 @@ table inet filter {
84		84
85	counter tx {}	85	counter tx {}
86		86
		87	counter fw-libvirt {}
		88	counter libvirt-dhcp {}
		89	counter libvirt-dns {}
		90
87		91
88	chain forward {	92	chain forward {
89	type filter hook forward priority filter	93	type filter hook forward priority filter
@@ -95,6 +99,9 @@ table inet filter {
95		99
96	iifname lo counter name fw-lo accept	100	iifname lo counter name fw-lo accept
97		101
		102	iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
		103	oifname virbr0 ct state {established, related} counter name fw-libvirt accept
		104
98		105
99	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop	106	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
100	log level debug prefix "reject forward: " counter name reject-fw	107	log level debug prefix "reject forward: " counter name reject-fw
@@ -125,6 +132,11 @@ table inet filter {
125	udp dport 51820-51822 counter name wg-rx accept	132	udp dport 51820-51822 counter name wg-rx accept
126	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept	133	iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
127		134
		135	iifname virbr0 udp dport 67 counter name libvirt-dhcp accept
		136	iifname virbr0 udp dport 547 counter name libvirt-dhcp accept
		137	iifname virbr0 udp dport 53 counter name libvirt-dns accept
		138	iifname virbr0 tcp dport 53 counter name libvirt-dns accept
		139
128	ct state {established, related} counter name established-rx accept	140	ct state {established, related} counter name established-rx accept
129		141
130		142
@@ -153,7 +165,45 @@ table inet filter {
153		165
154	tcp sport 8000 counter name quickserve-tx accept	166	tcp sport 8000 counter name quickserve-tx accept
155		167
		168	oifname virbr0 udp sport 67 counter name libvirt-dhcp accept
		169	oifname virbr0 udp sport 547 counter name libvirt-dhcp accept
		170	oifname virbr0 udp sport 53 counter name libvirt-dns accept
		171	oifname virbr0 tcp sport 53 counter name libvirt-dns accept
		172
156		173
157	counter name tx	174	counter name tx
158	}	175	}
159	}	176	}
		177
		178	table ip nat {
		179	counter libvirt-nat {}
		180
		181	chain postrouting {
		182	type nat hook postrouting priority srcnat
		183	policy accept
		184
		185	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
		186	}
		187	}
		188
		189	table ip6 nat {
		190	counter libvirt-nat {}
		191
		192	chain postrouting {
		193	type nat hook postrouting priority srcnat
		194	policy accept
		195
		196	iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
		197	}
		198	}
		199
		200	table ip mss_clamp {
		201	counter libvirt-mss-clamp {}
		202
		203	chain postrouting {
		204	type filter hook postrouting priority mangle
		205	policy accept
		206
		207	iifname virbr0 oifname != virbr0 tcp flags & (syn\|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
		208	}
		209	} \ No newline at end of file