summaryrefslogtreecommitdiff
path: root/hosts/vidhar/network/ruleset.nft
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft81
1 files changed, 44 insertions, 37 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7897fb3d..44b6b7a9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
5 limit lim_arp_local { 5 limit lim_arp_local {
6 rate over 50 mbytes/second burst 50 mbytes 6 rate over 50 mbytes/second burst 50 mbytes
7 } 7 }
8 limit lim_arp_gpon { 8 limit lim_arp_ppp {
9 rate over 7500 kbytes/second burst 7500 kbytes 9 rate over 7500 kbytes/second burst 7500 kbytes
10 } 10 }
11 11
12 counter arp-rx {} 12 counter arp-rx {}
13 counter arp-tx {} 13 counter arp-tx {}
14 14
15 counter arp-ratelimit-gpon-rx {} 15 counter arp-ratelimit-ppp-rx {}
16 counter arp-ratelimit-gpon-tx {} 16 counter arp-ratelimit-ppp-tx {}
17 17
18 counter arp-ratelimit-local-rx {} 18 counter arp-ratelimit-local-rx {}
19 counter arp-ratelimit-local-tx {} 19 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
22 type filter hook input priority filter 22 type filter hook input priority filter
23 policy accept 23 policy accept
24 24
25 iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop 25 iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
26 iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop 26 iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
27 27
28 counter name arp-rx 28 counter name arp-rx
29 } 29 }
@@ -32,8 +32,8 @@ table arp filter {
32 type filter hook output priority filter 32 type filter hook output priority filter
33 policy accept 33 policy accept
34 34
35 oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop 35 oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
36 oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop 36 oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
37 37
38 counter name arp-tx 38 counter name arp-tx
39 } 39 }
@@ -47,11 +47,11 @@ table inet filter {
47 limit lim_icmp_local { 47 limit lim_icmp_local {
48 rate over 50 mbytes/second burst 50 mbytes 48 rate over 50 mbytes/second burst 50 mbytes
49 } 49 }
50 limit lim_icmp_gpon { 50 limit lim_icmp_ppp {
51 rate over 7500 kbytes/second burst 7500 kbytes 51 rate over 7500 kbytes/second burst 7500 kbytes
52 } 52 }
53 53
54 counter icmp-ratelimit-gpon-fw {} 54 counter icmp-ratelimit-ppp-fw {}
55 counter icmp-ratelimit-local-fw {} 55 counter icmp-ratelimit-local-fw {}
56 56
57 counter icmp-fw {} 57 counter icmp-fw {}
@@ -59,8 +59,9 @@ table inet filter {
59 counter invalid-fw {} 59 counter invalid-fw {}
60 counter fw-lo {} 60 counter fw-lo {}
61 counter fw-lan {} 61 counter fw-lan {}
62 counter fw-gpon {} 62 counter fw-ppp {}
63 counter fw-kimai {} 63 counter fw-kimai {}
64 counter fw-podman {}
64 65
65 counter fw-cups {} 66 counter fw-cups {}
66 67
@@ -75,7 +76,7 @@ table inet filter {
75 counter invalid-local4-rx {} 76 counter invalid-local4-rx {}
76 counter invalid-local6-rx {} 77 counter invalid-local6-rx {}
77 78
78 counter icmp-ratelimit-gpon-rx {} 79 counter icmp-ratelimit-ppp-rx {}
79 counter icmp-ratelimit-local-rx {} 80 counter icmp-ratelimit-local-rx {}
80 counter icmp-rx {} 81 counter icmp-rx {}
81 82
@@ -97,6 +98,7 @@ table inet filter {
97 counter hledger-rx {} 98 counter hledger-rx {}
98 counter audiobookshelf-rx {} 99 counter audiobookshelf-rx {}
99 counter kimai-rx {} 100 counter kimai-rx {}
101 counter changedetection-rx {}
100 102
101 counter established-rx {} 103 counter established-rx {}
102 104
@@ -108,7 +110,7 @@ table inet filter {
108 110
109 counter tx-lo {} 111 counter tx-lo {}
110 112
111 counter icmp-ratelimit-gpon-tx {} 113 counter icmp-ratelimit-ppp-tx {}
112 counter icmp-ratelimit-local-tx {} 114 counter icmp-ratelimit-local-tx {}
113 counter icmp-tx {} 115 counter icmp-tx {}
114 116
@@ -130,15 +132,16 @@ table inet filter {
130 counter hledger-tx {} 132 counter hledger-tx {}
131 counter audiobookshelf-tx {} 133 counter audiobookshelf-tx {}
132 counter kimai-tx {} 134 counter kimai-tx {}
135 counter changedetection-tx {}
133 136
134 counter tx {} 137 counter tx {}
135 138
136 139
137 chain forward_icmp_accept { 140 chain forward_icmp_accept {
138 oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 141 oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
139 iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 142 iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
140 oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 143 oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
141 iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 144 iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
142 counter name icmp-fw accept 145 counter name icmp-fw accept
143 } 146 }
144 chain forward { 147 chain forward {
@@ -151,12 +154,14 @@ table inet filter {
151 154
152 iifname lo counter name fw-lo accept 155 iifname lo counter name fw-lo accept
153 156
154 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 157 oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
155 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 158 iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
156 iifname ve-kimai oifname gpon counter name fw-kimai accept 159 iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
160 iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
157 161
158 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 162 iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
159 iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept 163 iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
164 iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
160 165
161 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept 166 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
162 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept 167 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +185,22 @@ table inet filter {
180 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 185 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
181 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 186 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
182 187
183 iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop 188 iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
184 iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 189 iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
185 meta l4proto $icmp_protos counter name icmp-rx accept 190 meta l4proto $icmp_protos counter name icmp-rx accept
186 191
187 iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 192 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
188 iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 193 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
189 194
190 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 195 iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
191 196
192 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 197 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
193 198
194 iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept 199 iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
195 iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept 200 iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
196 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 201 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
197 202
198 iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 203 iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
199 204
200 iifname mgmt udp dport 123 counter name ntp-rx accept 205 iifname mgmt udp dport 123 counter name ntp-rx accept
201 206
@@ -214,6 +219,7 @@ table inet filter {
214 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept 219 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
215 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept 220 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
216 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept 221 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
222 iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
217 223
218 ct state { established, related } counter name established-rx accept 224 ct state { established, related } counter name established-rx accept
219 225
@@ -231,8 +237,8 @@ table inet filter {
231 237
232 oifname lo counter name tx-lo accept 238 oifname lo counter name tx-lo accept
233 239
234 oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop 240 oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
235 oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 241 oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
236 meta l4proto $icmp_protos counter name icmp-tx accept 242 meta l4proto $icmp_protos counter name icmp-tx accept
237 243
238 244
@@ -266,6 +272,7 @@ table inet filter {
266 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept 272 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
267 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept 273 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
268 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept 274 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
275 iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
269 276
270 277
271 counter name tx 278 counter name tx
@@ -273,7 +280,7 @@ table inet filter {
273} 280}
274 281
275table inet nat { 282table inet nat {
276 counter gpon-nat {} 283 counter ppp-nat {}
277 counter kimai-nat {} 284 counter kimai-nat {}
278 285
279 chain postrouting { 286 chain postrouting {
@@ -281,20 +288,20 @@ table inet nat {
281 policy accept 288 policy accept
282 289
283 290
284 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 291 meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
285 iifname ve-kimai oifname gpon counter name kimai-nat masquerade 292 iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
286 } 293 }
287} 294}
288 295
289table inet mss_clamp { 296table inet mss_clamp {
290 counter gpon-mss-clamp {} 297 counter ppp-mss-clamp {}
291 298
292 chain postrouting { 299 chain postrouting {
293 type filter hook postrouting priority mangle 300 type filter hook postrouting priority mangle
294 policy accept 301 policy accept
295 302
296 303
297 oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu 304 oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
298 } 305 }
299} 306}
300 307
@@ -429,7 +436,7 @@ table inet dscpclassify {
429 chain postrouting { 436 chain postrouting {
430 type filter hook postrouting priority filter + 1; policy accept 437 type filter hook postrouting priority filter + 1; policy accept
431 438
432 oifname != gpon return 439 oifname != @pppInterface@ return
433 440
434 ip dscp cs0 goto ct_set_cs0 441 ip dscp cs0 goto ct_set_cs0
435 ip dscp lephb goto ct_set_lephb 442 ip dscp lephb goto ct_set_lephb
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-16 07:08:13 +0000