authorGregor Kleen <gkleen@yggdrasil.li>2024-08-08 14:36:50 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2024-08-08 14:36:50 +0200
commitbe06f04babc12fb60366c24a22561c1d46895c80 (patch)
tree8df057a3605a7272cb048043be7593b5c944a67c /hosts/vidhar/network/ruleset.nft
parenta6754d729f2d16cfdcb3570891c038a14718de1f (diff)
parentbc90ef66903e78713db1fd3a700785572b794cde (diff)
Merge commit 'bc90ef66' into flakes
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft72
1 files changed, 36 insertions, 36 deletions
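--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -4,15 +4,15 @@ table arp filter {
 limit lim_arp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_arp_dsl {
-rate over 1400 kbytes/second burst 1400 kbytes
+limit lim_arp_gpon {
+rate over 7500 kbytes/second burst 7500 kbytes
 }
 
 counter arp-rx {}
 counter arp-tx {}
 
-counter arp-ratelimit-dsl-rx {}
-counter arp-ratelimit-dsl-tx {}
+counter arp-ratelimit-gpon-rx {}
+counter arp-ratelimit-gpon-tx {}
 
 counter arp-ratelimit-local-rx {}
 counter arp-ratelimit-local-tx {}
@@ -21,8 +21,8 @@ table arp filter {
 type filter hook input priority filter
 policy accept
 
-iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop
-iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop
+iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
 
 counter name arp-rx
 }
@@ -31,8 +31,8 @@ table arp filter {
 type filter hook output priority filter
 policy accept
 
-oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop
-oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop
+oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
 
 counter name arp-tx
 }
@@ -46,11 +46,11 @@ table inet filter {
 limit lim_icmp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_icmp_dsl {
-rate over 1400 kbytes/second burst 1400 kbytes
+limit lim_icmp_gpon {
+rate over 7500 kbytes/second burst 7500 kbytes
 }
 
-counter icmp-ratelimit-dsl-fw {}
+counter icmp-ratelimit-gpon-fw {}
 counter icmp-ratelimit-local-fw {}
 
 counter icmp-fw {}
@@ -58,7 +58,7 @@ table inet filter {
 counter invalid-fw {}
 counter fw-lo {}
 counter fw-lan {}
-counter fw-dsl {}
+counter fw-gpon {}
 
 counter fw-cups {}
 
@@ -73,7 +73,7 @@ table inet filter {
 counter invalid-local4-rx {}
 counter invalid-local6-rx {}
 
-counter icmp-ratelimit-dsl-rx {}
+counter icmp-ratelimit-gpon-rx {}
 counter icmp-ratelimit-local-rx {}
 counter icmp-rx {}
 
@@ -101,7 +101,7 @@ table inet filter {
 
 counter tx-lo {}
 
-counter icmp-ratelimit-dsl-tx {}
+counter icmp-ratelimit-gpon-tx {}
 counter icmp-ratelimit-local-tx {}
 counter icmp-tx {}
 
@@ -123,10 +123,10 @@ table inet filter {
 
 
 chain forward_icmp_accept {
-oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
+oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -139,10 +139,10 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-iifname lan oifname { dsl, bifrost } counter name fw-lan accept
+oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+iifname lan oifname { gpon, bifrost } counter name fw-lan accept
 
-iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
+iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
 
 
 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -163,22 +163,22 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
-iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
+iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
-iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
-iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
-iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
-iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
+iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
 iifname mgmt udp dport 123 counter name ntp-rx accept
 
@@ -209,8 +209,8 @@ table inet filter {
 
 oifname lo counter name tx-lo accept
 
-oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
-oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
+oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
 
 
@@ -246,7 +246,7 @@ table inet filter {
 }
 
 table inet nat {
-counter dsl-nat {}
+counter gpon-nat {}
 # counter container-nat {}
 
 chain postrouting {
@@ -254,20 +254,20 @@ table inet nat {
 policy accept
 
 
-meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade
-# iifname ve-* oifname dsl counter name container-nat masquerade
+meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
+# iifname ve-* oifname gpon counter name container-nat masquerade
 }
 }
 
 table inet mss_clamp {
-counter dsl-mss-clamp {}
+counter gpon-mss-clamp {}
 
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 
-oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu
+oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
 }
 }
 
@@ -402,7 +402,7 @@ table inet dscpclassify {
 chain postrouting {
 type filter hook postrouting priority filter + 1; policy accept
 
-oifname != dsl return
+oifname != gpon return
 
 ip dscp cs0 goto ct_set_cs0
 ip dscp lephb goto ct_set_lephb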
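Review bot: The new `lim_arp_gpon` limit in the first hunk, `rate over 7500 kbytes/second burst 7500 kbytes`, is a byte-rate threshold, and ARP frames are only a few dozen bytes each, so it now tolerates a very high ARP packet rate on the uplink before `arp-ratelimit-gpon-rx`/`-tx` start dropping; for ARP a packet-rate form such as `rate over <pps>/second burst <pps> packets` (value to be chosen for the link) bounds the quantity that actually matters. The 1400 → 7500 kbytes/second bump shared with `lim_icmp_gpon` is not mentioned in the commit message and deserves a comment next to each limit, e.g. `# sized for the GPON uplink, was 1400 kbytes/s on DSL`, so the next reader does not take it for a typo. Separately, every rule keyed on the `gpon` name — the `iifname != gpon`/`oifname != gpon` classifiers in the arp input/output chains, the `gpon-nat` masquerade, the MSS clamp and the dscpclassify `oifname != gpon return` — only takes effect once the uplink interface really carries that name; if it does not, uplink traffic falls into the `!= gpon` branches and receives the much larger `lim_arp_local`/`lim_icmp_local` allowances while NAT and clamping silently stop applying, so the link-rename side of this merge (presumably elsewhere in the same change) is worth confirming before deploying.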