bifrost: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 18:20:18 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-02-06 18:20:18 +0100
commit: abd86d7bd35ae30e9eeffc33a798faca9e2b0486 (patch)
tree: c861a2fec32b927c8edb749b28c21f5eb74e6c9c /hosts/vidhar/network
parent: 33988e75d8c35dd26de46645971ac1d6fb6eb3e6 (diff)
download: nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.gz
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.bz2
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.xz
nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.zip
1 files changed, 9 insertions, 9 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7b2160d1..f2b1eda0 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -117,10 +117,10 @@ table inet filter {
  chain forward_icmp_accept {
-    oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+    oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-    iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+    iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
-    oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-    iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+    iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
    counter name icmp-fw accept
  }
  chain forward {
@@ -133,7 +133,7 @@ table inet filter {
    iifname lo counter name fw-lo accept
-    oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
+    oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
    iifname lan oifname { dsl, bifrost } counter name fw-lan accept
    iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
@@ -158,8 +158,8 @@ table inet filter {
    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
-    iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
+    iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
-    iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+    iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
    meta l4proto $icmp_protos counter name icmp-rx accept
    iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
@@ -201,8 +201,8 @@ table inet filter {
    oifname lo counter name tx-lo accept
-    oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
+    oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
-    oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+    oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
    meta l4proto $icmp_protos counter name icmp-tx accept
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 18:20:18 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-02-06 18:20:18 +0100
commit	abd86d7bd35ae30e9eeffc33a798faca9e2b0486 (patch)
tree	c861a2fec32b927c8edb749b28c21f5eb74e6c9c /hosts/vidhar/network
parent	33988e75d8c35dd26de46645971ac1d6fb6eb3e6 (diff)
download	nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.gz nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.bz2 nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.tar.xz nixos-abd86d7bd35ae30e9eeffc33a798faca9e2b0486.zip

diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 7b2160d1..f2b1eda0 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft
@@ -117,10 +117,10 @@ table inet filter {
117		117
118		118
119	chain forward_icmp_accept {	119	chain forward_icmp_accept {
120	oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop	120	oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
121	iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop	121	iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
122	oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop	122	oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
123	iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop	123	iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
124	counter name icmp-fw accept	124	counter name icmp-fw accept
125	}	125	}
126	chain forward {	126	chain forward {
@@ -133,7 +133,7 @@ table inet filter {
133		133
134	iifname lo counter name fw-lo accept	134	iifname lo counter name fw-lo accept
135		135
136	oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept	136	oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
137		137
138	iifname lan oifname { dsl, bifrost } counter name fw-lan accept	138	iifname lan oifname { dsl, bifrost } counter name fw-lan accept
139	iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept	139	iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
@@ -158,8 +158,8 @@ table inet filter {
158	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject	158	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
159	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject	159	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
160		160
161	iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop	161	iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
162	iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop	162	iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
163	meta l4proto $icmp_protos counter name icmp-rx accept	163	meta l4proto $icmp_protos counter name icmp-rx accept
164		164
165	iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept	165	iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
@@ -201,8 +201,8 @@ table inet filter {
201		201
202	oifname lo counter name tx-lo accept	202	oifname lo counter name tx-lo accept
203		203
204	oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop	204	oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
205	oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop	205	oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
206	meta l4proto $icmp_protos counter name icmp-tx accept	206	meta l4proto $icmp_protos counter name icmp-tx accept
207		207
208		208