summaryrefslogtreecommitdiff
path: root/hosts/vidhar/network/ruleset.nft
diff options
context:
space:
mode:
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
-rw-r--r--hosts/vidhar/network/ruleset.nft91
1 files changed, 55 insertions, 36 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 1edae167..44b6b7a9 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
5 limit lim_arp_local { 5 limit lim_arp_local {
6 rate over 50 mbytes/second burst 50 mbytes 6 rate over 50 mbytes/second burst 50 mbytes
7 } 7 }
8 limit lim_arp_gpon { 8 limit lim_arp_ppp {
9 rate over 7500 kbytes/second burst 7500 kbytes 9 rate over 7500 kbytes/second burst 7500 kbytes
10 } 10 }
11 11
12 counter arp-rx {} 12 counter arp-rx {}
13 counter arp-tx {} 13 counter arp-tx {}
14 14
15 counter arp-ratelimit-gpon-rx {} 15 counter arp-ratelimit-ppp-rx {}
16 counter arp-ratelimit-gpon-tx {} 16 counter arp-ratelimit-ppp-tx {}
17 17
18 counter arp-ratelimit-local-rx {} 18 counter arp-ratelimit-local-rx {}
19 counter arp-ratelimit-local-tx {} 19 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
22 type filter hook input priority filter 22 type filter hook input priority filter
23 policy accept 23 policy accept
24 24
25 iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop 25 iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
26 iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop 26 iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
27 27
28 counter name arp-rx 28 counter name arp-rx
29 } 29 }
@@ -32,8 +32,8 @@ table arp filter {
32 type filter hook output priority filter 32 type filter hook output priority filter
33 policy accept 33 policy accept
34 34
35 oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop 35 oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
36 oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop 36 oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
37 37
38 counter name arp-tx 38 counter name arp-tx
39 } 39 }
@@ -47,11 +47,11 @@ table inet filter {
47 limit lim_icmp_local { 47 limit lim_icmp_local {
48 rate over 50 mbytes/second burst 50 mbytes 48 rate over 50 mbytes/second burst 50 mbytes
49 } 49 }
50 limit lim_icmp_gpon { 50 limit lim_icmp_ppp {
51 rate over 7500 kbytes/second burst 7500 kbytes 51 rate over 7500 kbytes/second burst 7500 kbytes
52 } 52 }
53 53
54 counter icmp-ratelimit-gpon-fw {} 54 counter icmp-ratelimit-ppp-fw {}
55 counter icmp-ratelimit-local-fw {} 55 counter icmp-ratelimit-local-fw {}
56 56
57 counter icmp-fw {} 57 counter icmp-fw {}
@@ -59,7 +59,9 @@ table inet filter {
59 counter invalid-fw {} 59 counter invalid-fw {}
60 counter fw-lo {} 60 counter fw-lo {}
61 counter fw-lan {} 61 counter fw-lan {}
62 counter fw-gpon {} 62 counter fw-ppp {}
63 counter fw-kimai {}
64 counter fw-podman {}
63 65
64 counter fw-cups {} 66 counter fw-cups {}
65 67
@@ -74,7 +76,7 @@ table inet filter {
74 counter invalid-local4-rx {} 76 counter invalid-local4-rx {}
75 counter invalid-local6-rx {} 77 counter invalid-local6-rx {}
76 78
77 counter icmp-ratelimit-gpon-rx {} 79 counter icmp-ratelimit-ppp-rx {}
78 counter icmp-ratelimit-local-rx {} 80 counter icmp-ratelimit-local-rx {}
79 counter icmp-rx {} 81 counter icmp-rx {}
80 82
@@ -94,6 +96,9 @@ table inet filter {
94 counter immich-rx {} 96 counter immich-rx {}
95 counter paperless-rx {} 97 counter paperless-rx {}
96 counter hledger-rx {} 98 counter hledger-rx {}
99 counter audiobookshelf-rx {}
100 counter kimai-rx {}
101 counter changedetection-rx {}
97 102
98 counter established-rx {} 103 counter established-rx {}
99 104
@@ -105,7 +110,7 @@ table inet filter {
105 110
106 counter tx-lo {} 111 counter tx-lo {}
107 112
108 counter icmp-ratelimit-gpon-tx {} 113 counter icmp-ratelimit-ppp-tx {}
109 counter icmp-ratelimit-local-tx {} 114 counter icmp-ratelimit-local-tx {}
110 counter icmp-tx {} 115 counter icmp-tx {}
111 116
@@ -125,15 +130,18 @@ table inet filter {
125 counter immich-tx {} 130 counter immich-tx {}
126 counter paperless-tx {} 131 counter paperless-tx {}
127 counter hledger-tx {} 132 counter hledger-tx {}
133 counter audiobookshelf-tx {}
134 counter kimai-tx {}
135 counter changedetection-tx {}
128 136
129 counter tx {} 137 counter tx {}
130 138
131 139
132 chain forward_icmp_accept { 140 chain forward_icmp_accept {
133 oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 141 oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
134 iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop 142 iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
135 oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 143 oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
136 iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop 144 iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
137 counter name icmp-fw accept 145 counter name icmp-fw accept
138 } 146 }
139 chain forward { 147 chain forward {
@@ -146,10 +154,17 @@ table inet filter {
146 154
147 iifname lo counter name fw-lo accept 155 iifname lo counter name fw-lo accept
148 156
149 oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept 157 oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
150 iifname lan oifname { gpon, bifrost } counter name fw-lan accept 158 iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
159 iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
160 iifname podman0 ip saddr 10.88.0.5 oifname @pppInterface@ counter name fw-podman accept
151 161
152 iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept 162 iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
163 iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
164 iifname @pppInterface@ oifname podman0 ip daddr 10.88.0.5 ct state { established, related } counter name fw-podman accept
165
166 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
167 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
153 168
154 169
155 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 170 limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
@@ -170,22 +185,22 @@ table inet filter {
170 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject 185 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
171 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject 186 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
172 187
173 iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop 188 iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
174 iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop 189 iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
175 meta l4proto $icmp_protos counter name icmp-rx accept 190 meta l4proto $icmp_protos counter name icmp-rx accept
176 191
177 iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept 192 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
178 iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept 193 iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
179 194
180 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept 195 iifname { lan, mgmt, wifibh, yggdrasil, podman0 } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
181 196
182 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept 197 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
183 198
184 iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept 199 iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
185 iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept 200 iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
186 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept 201 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
187 202
188 iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept 203 iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
189 204
190 iifname mgmt udp dport 123 counter name ntp-rx accept 205 iifname mgmt udp dport 123 counter name ntp-rx accept
191 206
@@ -203,6 +218,8 @@ table inet filter {
203 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept 218 iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept
204 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept 219 iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept
205 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept 220 iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept
221 iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept
222 iifname bifrost tcp dport 5001 ip6 saddr $bifrost_surtr counter name changedetection-rx accept
206 223
207 ct state { established, related } counter name established-rx accept 224 ct state { established, related } counter name established-rx accept
208 225
@@ -220,8 +237,8 @@ table inet filter {
220 237
221 oifname lo counter name tx-lo accept 238 oifname lo counter name tx-lo accept
222 239
223 oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop 240 oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
224 oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop 241 oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
225 meta l4proto $icmp_protos counter name icmp-tx accept 242 meta l4proto $icmp_protos counter name icmp-tx accept
226 243
227 244
@@ -254,6 +271,8 @@ table inet filter {
254 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept 271 iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept
255 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept 272 iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept
256 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept 273 iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept
274 iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept
275 iifname bifrost tcp sport 5001 ip6 daddr $bifrost_surtr counter name changedetection-tx accept
257 276
258 277
259 counter name tx 278 counter name tx
@@ -261,28 +280,28 @@ table inet filter {
261} 280}
262 281
263table inet nat { 282table inet nat {
264 counter gpon-nat {} 283 counter ppp-nat {}
265 # counter container-nat {} 284 counter kimai-nat {}
266 285
267 chain postrouting { 286 chain postrouting {
268 type nat hook postrouting priority srcnat 287 type nat hook postrouting priority srcnat
269 policy accept 288 policy accept
270 289
271 290
272 meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade 291 meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
273 # iifname ve-* oifname gpon counter name container-nat masquerade 292 iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
274 } 293 }
275} 294}
276 295
277table inet mss_clamp { 296table inet mss_clamp {
278 counter gpon-mss-clamp {} 297 counter ppp-mss-clamp {}
279 298
280 chain postrouting { 299 chain postrouting {
281 type filter hook postrouting priority mangle 300 type filter hook postrouting priority mangle
282 policy accept 301 policy accept
283 302
284 303
285 oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu 304 oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
286 } 305 }
287} 306}
288 307
@@ -417,7 +436,7 @@ table inet dscpclassify {
417 chain postrouting { 436 chain postrouting {
418 type filter hook postrouting priority filter + 1; policy accept 437 type filter hook postrouting priority filter + 1; policy accept
419 438
420 oifname != gpon return 439 oifname != @pppInterface@ return
421 440
422 ip dscp cs0 goto ct_set_cs0 441 ip dscp cs0 goto ct_set_cs0
423 ip dscp lephb goto ct_set_lephb 442 ip dscp lephb goto ct_set_lephb
generated by cgit v1.2.3 (git 2.25.1) at 2025-12-19 18:51:41 +0000