vidhar: ...

1 files changed, 25 insertions, 5 deletions

diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index fb04e449..c4c2fbe6 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -80,6 +80,7 @@ table inet filter {
   counter dns-rx {}
   counter wg-rx {}
   counter yggdrasil-gre-rx {}
+  counter wifibh-gre-rx {}
   counter ipv6-pd-rx {}
   counter ntp-rx {}
   counter dhcp-rx {}
@@ -106,6 +107,7 @@ table inet filter {
   counter dns-tx {}
   counter wg-tx {}
   counter yggdrasil-gre-tx {}
+  counter wifibh-gre-tx {}
   counter ipv6-pd-tx {}
   counter ntp-tx {}
   counter dhcp-tx {}
@@ -136,8 +138,7 @@ table inet filter {
     oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
 
     iifname lan oifname dsl counter name fw-lan accept
-    iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
-
+    iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -165,18 +166,19 @@ table inet filter {
     iifname { lan, mgmt, dsl, yggdrasil } tcp dport 22 counter name ssh-rx accept
     iifname { lan, mgmt, dsl, yggdrasil } udp dport 60001-61000 counter name mosh-rx accept
 
-    iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
-    iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt } tcp dport 53 counter name dns-rx accept
+    iifname { lan, mgmt } udp dport 53 counter name dns-rx accept
 
     iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
     iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
+    iifname wifibh meta l4proto gre counter name wifibh-gre-rx accept
 
     iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
     iifname mgmt udp dport 123 counter name ntp-rx accept
 
-    iifname { lan, mgmt, dmz01 } udp dport 67 counter name dhcp-rx accept
+    iifname { lan, mgmt } udp dport 67 counter name dhcp-rx accept
 
     iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
     iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
@@ -215,6 +217,7 @@ table inet filter {
     meta protocol ip udp sport 51820 counter name wg-tx
     meta protocol ip6 udp sport 51821 counter name wg-tx
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
+    iifname wifibh meta l4proto gre counter name wifibh-gre-tx
 
     meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
 
@@ -235,6 +238,23 @@ table inet filter {
   }
 }
 
+table bridge filter {
+  counter br-invalid-fw {}
+  counter br-wifibh-fw {}
+  counter br-lan-fw {}
+
+  chain forward {
+    type filter hook forward priority filter
+    policy drop
+
+
+    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
+
+    iifname "wifibh01.lan" counter name wifibh-fw accept
+    iifname "eno2.lan" counter name lan-fw accept
+  }
+}
+
 table ip nat {
   counter dsl-nat {}