1 files changed, 22 insertions, 2 deletions

diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 10fd4c51..7897fb3d 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -60,6 +60,7 @@ table inet filter {
   counter fw-lo {}
   counter fw-lan {}
   counter fw-gpon {}
+  counter fw-kimai {}
 
   counter fw-cups {}
 
@@ -92,6 +93,10 @@ table inet filter {
   counter tftp-rx {}
   counter pgbackrest-rx {}
   counter immich-rx {}
+  counter paperless-rx {}
+  counter hledger-rx {}
+  counter audiobookshelf-rx {}
+  counter kimai-rx {}
 
   counter established-rx {}
 
@@ -121,6 +126,10 @@ table inet filter {
   counter tftp-tx {}
   counter pgbackrest-tx {}
   counter immich-tx {}
+  counter paperless-tx {}
+  counter hledger-tx {}
+  counter audiobookshelf-tx {}
+  counter kimai-tx {}
 
   counter tx {}
 
@@ -144,8 +153,13 @@ table inet filter {
 
     oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
     iifname lan oifname { gpon, bifrost } counter name fw-lan accept
+    iifname ve-kimai oifname gpon counter name fw-kimai accept
 
     iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
+    iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+
+    iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
+    iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
 
 
     limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -197,6 +211,9 @@ table inet filter {
     tcp dport 8432 counter name pgbackrest-rx accept
 
     iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
+    iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
+    iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
+    iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
 
     ct state { established, related } counter name established-rx accept
 
@@ -246,6 +263,9 @@ table inet filter {
     tcp sport 8432 counter name pgbackrest-tx accept
 
     iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
+    iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
+    iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
+    iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
 
 
     counter name tx
@@ -254,7 +274,7 @@ table inet filter {
 
 table inet nat {
   counter gpon-nat {}
-  # counter container-nat {}
+  counter kimai-nat {}
 
   chain postrouting {
     type nat hook postrouting priority srcnat
@@ -262,7 +282,7 @@ table inet nat {
 
 
     meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
-    # iifname ve-* oifname gpon counter name container-nat masquerade
+    iifname ve-kimai oifname gpon counter name kimai-nat masquerade
   }
 }