1 files changed, 9 insertions, 5 deletions

diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 132360b9..9d6fd373 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -1,4 +1,4 @@
-define icmp_protos = { ipv6-icmp, icmp, igmp }
+define icmp_protos = {ipv6-icmp, icmp, igmp}
 
 table arp filter {
   limit lim_arp {
@@ -44,12 +44,16 @@ table inet filter {
 
     iifname lo counter accept
 
-    meta l4proto $icmp_protos iifname yggdrasil oifname ens3 limit name lim_icmp counter drop
-    meta l4proto $icmp_protos iifname yggdrasil oifname ens3 counter accept
+    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 limit name lim_icmp counter drop
+    meta l4proto $icmp_protos iifname {yggdrasil, bifrost} oifname ens3 counter accept
     meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
     meta l4proto $icmp_protos ct state {established, related} counter accept
 
 
+    oifname bifrost counter accept
+    iifname bifrost oifname ens3 counter accept
+
+
     limit name lim_reject log prefix "drop forward: " counter drop
     log prefix "reject forward: " counter
     meta l4proto tcp ct state new counter reject with tcp reset
@@ -78,13 +82,13 @@ table inet filter {
     udp dport 60001-61000 counter accept
 
     meta protocol ip udp dport 51820 counter accept
-    meta protocol ip6 udp dport 51821 counter accept
+    meta protocol ip6 udp dport {51821, 51822} counter accept
     iifname "yggdrasil-wg-*" meta l4proto gre counter accept
 
     tcp dport 53 counter accept
     udp dport 53 counter accept
 
-    tcp dport { 80, 443 } counter accept
+    tcp dport {80, 443} counter accept
 
     ct state {established, related} counter accept