| author | Gregor Kleen <gkleen@yggdrasil.li> | 2025-10-14 12:54:39 +0200 | 
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2025-10-14 12:54:39 +0200 | 
| commit | 41efa2ab074e43021fea33ce03c36f60b24cffa9 (patch) | |
| tree | d038c11644d59fba2263498de482b391d51fbc83 /hosts | |
| parent | b8d12e353470c927053991cad3e306c65efa52c3 (diff) | |
...
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/http/default.nix | 2 | ||||
| -rw-r--r-- | hosts/vidhar/network/default.nix | 6 | ||||
| -rw-r--r-- | hosts/vidhar/network/pap-secrets | 26 | ||||
| -rw-r--r-- | hosts/vidhar/network/pppoe.nix (renamed from hosts/vidhar/network/gpon.nix) | 16 | ||||
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 72 | 
5 files changed, 45 insertions, 77 deletions
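--- a/hosts/surtr/http/default.nix
+++ b/hosts/surtr/http/default.nix
@@ -13,8 +13,6 @@
 recommendedTlsSettings = true;
 sslDhparam = config.security.dhparams.params.nginx.path;
 commonHttpConfig = ''
-ssl_ecdh_curve X448:X25519:prime256v1:secp521r1:secp384r1;
-
 log_format main
 '$remote_addr "$remote_user" '
 '"$host" "$request" $status $bytes_sent '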
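--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -3,7 +3,7 @@
 with lib;
 
 {
-imports = [ ./gpon.nix ./bifrost ./dhcp ];
+imports = [ ./pppoe.nix ./bifrost ./dhcp ];
 
 config = {
 networking = {
@@ -61,7 +61,9 @@ with lib;
 firewall.enable = false;
 nftables = {
 enable = true;
-rulesetFile = ./ruleset.nft;
+rulesetFile = pkgs.replaceVars ./ruleset.nft {
+inherit (config.networking) pppInterface;
+};
 };
 
 resolvconf = {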
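Review bot: The `pkgs.replaceVars` substitution on new line 64 should be paired with `networking.nftables.checkRuleset` left at its default of true, because `firewall.enable = false` on line 61 makes this ruleset what appears to be the host's only packet filter, and a substitution that yields an invalid ruleset would otherwise surface only when `nft -f` fails at activation, leaving the host unfiltered. This hunk is also the first use of `pkgs` visible in this module; the function header is outside the hunk, so confirm `pkgs` is among the module arguments or evaluation fails. A short comment above line 64 would record the intent, e.g. `# @pppInterface@ in ruleset.nft is filled in at build time; keep checkRuleset on so a bad name fails the build, not the boot`.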
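--- a/hosts/vidhar/network/pap-secrets
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-"data": "ENC[AES256_GCM,data:BOyWdys7Oja54Ijv5j+kqufdokQe0onnqw/gVxpNOMf+YI/LlzJscaEtGqPh3ehVtYoSWGumCBPrjdq/zhYq4VV/PCtdeu3MnX1CH2B5bH0mFs0eXcqeGK6NErz/b5nEglv4Z19ig2CUDlbvi8h1zZAEjxTNKhT16ItCtJnBCsIoiMl2QcTTWMyh4a02v3wA1UrOQZvFuCgCHmRoBE6vpREyB23gQdrdKLk7D1LLw5C1aZnzQOhFsgs7bVjOcBnmwTao8ntXxw==,iv:X5FgYkl3DGA/lkRsoc+5XrK3Nlp/ldnFigpXpYNfSJE=,tag:qUH7m9NzuVNnOfr3rRgaOg==,type:str]",
-"sops": {
-"kms": null,
-"gcp_kms": null,
-"azure_kv": null,
-"hc_vault": null,
-"age": [
-{
-"recipient": "age1qffdqvy9arld9zd5a5cylt0n98xhcns5shxhrhwjq5g4qa844ejselaa4l",
-"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTFaTDZRbDd6cFBRSTNN\nVk1kcFJXRG9TT21IMDZsVmtoZjBTNDNjeDFzCkhxNEI2Ujd6SW1STG43eE5EdzZa\nS3phenJZN0RxajBXQ1BnbUhTa3htdFEKLS0tIGVlT3lReHJSQ2UvQ1FST0M0RzVP\nNmxWNzJmNlFPclJTeDUycDJiUzA4Yk0K4JHtkEPY49TGnKPZzEoEZ131RxeQEWkR\nK1ftH2ilr2tUhiErhpqxoTqfAm33xvruqTsePxh1uC7svzKtKBlS2g==\n-----END AGE ENCRYPTED FILE-----\n"
-}
-],
-"lastmodified": "2021-11-15T08:30:09Z",
-"mac": "ENC[AES256_GCM,data:TAgZ4ktdN9sZPMo1UtwjKdTM2QBjLorcm84HYXTGYNNEorPoqrXAWOvyWRLjx+zxzpRuDLBPQHCkjwkVO2CctxnTaWPMwITbYtQqj/5ZxACuAeX8MaSximB8s5MJK2faCuVXEnFehbnnPr5Fs8ZsgHwu2iH6DU8ScLEkgckzGV0=,iv:keUbKwWfoIIBsp5Rsm2lEba1ZHAozQY2YpA6p5qDBiU=,tag:1llGytMGvOjSVYKJXGUmXg==,type:str]",
-"pgp": [
-{
-"created_at": "2023-01-30T10:58:50Z",
-"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA+cwEt6Gv5oKvym4ceJek+J/5guNpmsLLXWIY5CCCSXUw\npXyQpqxm7LQnasIqYNNsNCVbB1mAu6WU6MKn0BG03YWjr8buLB+7PpwZcxeZzRfD\n0l4BAsl+vKwa2YSMCR+EWYSfeEzEVHqoGBJ60dYXuiFiNZInCik+g69PdhsGygNH\nRtIcRiCB8t94GkvdWySTq5ohi1wKOe224l9evbt4zXntVngCHxixuufLrr3Cj+EE\n=3lw4\n-----END PGP MESSAGE-----\n",
-"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-}
-],
-"unencrypted_suffix": "_unencrypted",
-"version": "3.7.1"
-}
-}
\ No newline at end of file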
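--- a/hosts/vidhar/network/gpon.nix
+++ b/hosts/vidhar/network/pppoe.nix
@@ -8,7 +8,7 @@ in {
 options = {
 networking.pppInterface = mkOption {
 type = types.str;
-default = "gpon";
+default = "ppp";
 };
 };
 
@@ -32,8 +32,8 @@ in {
 mtu 1492
 mru 1492
 plugin pppoe.so
-name telekom
-user 002576900250551137425220#0001@t-online.de
+user congstar
+password congstar
 nic-telekom
 debug
 +ipv6
@@ -49,14 +49,8 @@ in {
 environment.etc."ppp/ip-pre-up".source
 environment.etc."ppp/ip-up".source
 environment.etc."ppp/ip-down".source
-# sops.secrets."pap-secrets".sopsFile
 ];
 };
-sops.secrets."pap-secrets" = {
-format = "binary";
-sopsFile = ./pap-secrets;
-path = "/etc/ppp/pap-secrets";
-};
 
 environment.etc = {
 "ppp/ip-pre-up".source = let
@@ -76,8 +70,8 @@ in {
 
 tc qdisc add dev "${pppInterface}" handle ffff: ingress
 tc filter add dev "${pppInterface}" parent ffff: basic action ctinfo dscp 0x0000003f 0x00000040 action mirred egress redirect dev "ifb4${pppInterface}"
-tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth 285mbit
-tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth 143mbit
+tc qdisc replace dev "ifb4${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional diffserv4 bandwidth ${toString (builtins.floor (159 * 0.95))}mbit
+tc qdisc replace dev "${pppInterface}" root cake memlimit 128Mb overhead 35 mpu 74 regional nat diffserv4 wash bandwidth ${toString (builtins.floor (36 * 0.95))}mbit
 '';
 };
 in "${app}/bin/${app.meta.mainProgram}";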
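Review bot: `password congstar` on new line 36 puts the PPPoE credential into the pppd peer options, which this module presumably renders into the world-readable Nix store, and the same commit removes the sops-managed `pap-secrets` (old lines 52 and 55–59) that previously kept the credential out of the store. If this value is a real secret, keep the sops secret at `/etc/ppp/pap-secrets` and let pppd look it up by the `user` name instead of passing `password` inline; if it is a fixed, non-secret login published by the provider, say so next to it, e.g. `# provider uses a fixed public login; nothing here is secret`, so the next reader does not treat it as a leak. Separately, the two `bandwidth` expressions in the last hunk would read better with the line rates named once in the enclosing `let` (which starts outside the hunk), e.g. `downMbit = 159; upMbit = 36;`, with a comment explaining the 0.95 headroom factor.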
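--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
 limit lim_arp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_arp_gpon {
+limit lim_arp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
 
 counter arp-rx {}
 counter arp-tx {}
 
-counter arp-ratelimit-gpon-rx {}
-counter arp-ratelimit-gpon-tx {}
+counter arp-ratelimit-ppp-rx {}
+counter arp-ratelimit-ppp-tx {}
 
 counter arp-ratelimit-local-rx {}
 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
 type filter hook input priority filter
 policy accept
 
-iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
-iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
+iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
 
 counter name arp-rx
 }
@@ -32,8 +32,8 @@ table arp filter {
 type filter hook output priority filter
 policy accept
 
-oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
-oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
+oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
 
 counter name arp-tx
 }
@@ -47,11 +47,11 @@ table inet filter {
 limit lim_icmp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
-limit lim_icmp_gpon {
+limit lim_icmp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
 
-counter icmp-ratelimit-gpon-fw {}
+counter icmp-ratelimit-ppp-fw {}
 counter icmp-ratelimit-local-fw {}
 
 counter icmp-fw {}
@@ -59,7 +59,7 @@ table inet filter {
 counter invalid-fw {}
 counter fw-lo {}
 counter fw-lan {}
-counter fw-gpon {}
+counter fw-ppp {}
 counter fw-kimai {}
 
 counter fw-cups {}
@@ -75,7 +75,7 @@ table inet filter {
 counter invalid-local4-rx {}
 counter invalid-local6-rx {}
 
-counter icmp-ratelimit-gpon-rx {}
+counter icmp-ratelimit-ppp-rx {}
 counter icmp-ratelimit-local-rx {}
 counter icmp-rx {}
 
@@ -108,7 +108,7 @@ table inet filter {
 
 counter tx-lo {}
 
-counter icmp-ratelimit-gpon-tx {}
+counter icmp-ratelimit-ppp-tx {}
 counter icmp-ratelimit-local-tx {}
 counter icmp-tx {}
 
@@ -135,10 +135,10 @@ table inet filter {
 
 
 chain forward_icmp_accept {
-oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
-iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
-oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
-iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -151,12 +151,12 @@ table inet filter {
 
 iifname lo counter name fw-lo accept
 
-oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
-iifname lan oifname { gpon, bifrost } counter name fw-lan accept
-iifname ve-kimai oifname gpon counter name fw-kimai accept
+oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
+iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
 
-iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
-iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
+iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
 
 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +180,22 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
 
-iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
-iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
+iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 
-iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
-iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 
 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
 
-iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
-iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
+iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
 
-iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 
 iifname mgmt udp dport 123 counter name ntp-rx accept
 
@@ -231,8 +231,8 @@ table inet filter {
 
 oifname lo counter name tx-lo accept
 
-oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
-oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
+oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
 
 
@@ -273,7 +273,7 @@ table inet filter {
 }
 
 table inet nat {
-counter gpon-nat {}
+counter ppp-nat {}
 counter kimai-nat {}
 
 chain postrouting {
@@ -281,20 +281,20 @@ table inet nat {
 policy accept
 
 
-meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-iifname ve-kimai oifname gpon counter name kimai-nat masquerade
+meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
+iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
 }
 }
 
 table inet mss_clamp {
-counter gpon-mss-clamp {}
+counter ppp-mss-clamp {}
 
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 
 
-oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
+oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
 }
 }
 
@@ -429,7 +429,7 @@ table inet dscpclassify {
 chain postrouting {
 type filter hook postrouting priority filter + 1; policy accept
 
-oifname != gpon return
+oifname != @pppInterface@ return
 
 ip dscp cs0 goto ct_set_cs0
 ip dscp lephb goto ct_set_lephb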
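Review bot: The substituted interface name is written unquoted in every `iifname`/`oifname` match and set, starting at new line 25 of the `hook input` hunk, so a `pppInterface` value that collides with an nft keyword or contains a character outside nft's bare-identifier syntax would fail to parse and take the whole ruleset down rather than one rule. Quoting the placeholder, `iifname "@pppInterface@"` and `{ "@pppInterface@", bifrost }`, makes the match a plain string literal and removes that failure class without changing what is matched; the same applies to every other hunk in this file. The option feeding it is declared as `types.str` in pppoe.nix, so nothing upstream narrows the value, and `firewall.enable` is off in default.nix, which makes an unloadable ruleset costly.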
