...

2 files changed, 10 insertions, 12 deletions

diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 47a55fcc..deeadeef 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -143,13 +143,14 @@ table inet filter {
     oifname { lan, dsl, bifrost, ve-printing } meta l4proto $icmp_protos jump forward_icmp_accept
     iifname lan oifname { dsl, bifrost } counter name fw-lan accept
 
-
     iifname lan oifname ve-printing ip daddr 10.141.5.1 tcp dport 631 counter name fw-cups accept
     iifname lan oifname ve-printing ip6 daddr 2a03:4000:52:ada:5::1 tcp dport 631 counter name fw-cups accept
 
+    iifname ve-printing oifname dsl meta l4proto . th dport { tcp . 80, tcp . 443 } counter name fw-printing accept
+    iifname dsl oifname { lan, ve-printing } ct state { established, related } counter name fw-dsl accept
 
-    iifname ve-printing oifname lan ct state {established, related} counter name fw-printing accept
-    iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+    iifname ve-printing oifname lan ct state { established, related } counter name fw-printing accept
+    iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -191,8 +192,7 @@ table inet filter {
 
     iifname { lan, mgmt, wifibh } udp dport 67 counter name dhcp-rx accept
 
-    iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept
-    iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept
+    iifname lan meta l4proto . th dport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-rx accept
 
     iifname yggdrasil tcp dport { 80, 443 } counter name http-rx accept
     iifname lan tcp dport 80 counter name http-rx accept
@@ -201,7 +201,7 @@ table inet filter {
 
     iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
 
-    ct state {established, related} counter name established-rx accept
+    ct state { established, related } counter name established-rx accept
 
 
     limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
@@ -225,12 +225,12 @@ table inet filter {
     tcp sport 22 counter name ssh-tx
     udp sport 60000-61000 counter name mosh-tx
 
-    meta l4proto {tcp, udp} th sport 53 counter name dns-tx
+    meta l4proto { tcp, udp } th sport 53 counter name dns-tx
 
     tcp sport 2049 counter name nfs-tx
 
     meta protocol ip udp sport 51820 counter name wg-tx
-    meta protocol ip6 udp sport {51821,51822} counter name wg-tx
+    meta protocol ip6 udp sport { 51821, 51822 } counter name wg-tx
     iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx
 
     meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx
@@ -239,8 +239,7 @@ table inet filter {
 
     udp sport 67 counter name dhcp-tx accept
 
-    udp sport { 137, 138, 3702 } counter name samba-tx accept
-    tcp sport { 445, 139, 5357 } counter name samba-tx accept
+    meta l4proto . th sport { udp . 137, udp . 138, tcp . 139, tcp . 445, udp . 3702, tcp . 5357 } counter name samba-tx accept
 
     tcp sport { 80, 443 } counter name http-tx accept
 
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft
index f8081431..edf8597d 100644
--- a/hosts/vidhar/printing/ruleset.nft
+++ b/hosts/vidhar/printing/ruleset.nft
@@ -130,8 +130,7 @@ table inet filter {
     meta l4proto $icmp_protos counter name icmp-rx accept
 
 
-    ip6 saddr 2a03:4000:52:ada:5:: tcp dport 631 counter name cups-rx accept
-    ip saddr 10.141.5.0 tcp dport 631 counter name cups-rx accept
+    tcp dport 631 counter name cups-rx accept
 
     iifname printer udp dport 67 counter name dhcp-rx accept