1 files changed, 0 insertions, 191 deletions
diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft
deleted file mode 100644
index edf8597d..00000000
--- a/hosts/vidhar/printing/ruleset.nft
+++ /dev/null
@@ -1,191 +0,0 @@
-define icmp_protos = {ipv6-icmp, icmp, igmp}
-table arp filter {
-  limit lim_arp {
-    rate over 50 mbytes/second burst 50 mbytes
-  }
-  counter arp-rx {}
-  counter arp-tx {}
-  counter arp-ratelimit-rx {}
-  counter arp-ratelimit-tx {}
-  chain input {
-    type filter hook input priority filter
-    policy accept
-    limit name lim_arp counter name arp-ratelimit-rx drop
-    counter name arp-rx
-  }
-  chain output {
-    type filter hook output priority filter
-    policy accept
-    limit name lim_arp counter name arp-ratelimit-tx drop
-    counter name arp-tx
-  }
-}
-table inet filter {
-  limit lim_reject {
-    rate over 1000/second burst 1000 packets
-  }
-  limit lim_icmp {
-    rate over 50 mbytes/second burst 50 mbytes
-  }
-  counter invalid-fw {}
-  counter fw-lo {}
-  counter fw-printer {}
-  counter fw-host {}
-  counter icmp-fw {}
-  counter icmp-ratelimit-fw {}
-  counter reject-ratelimit-fw {}
-  counter reject-fw {}
-  counter reject-tcp-fw {}
-  counter reject-icmp-fw {}
-  counter drop-fw {}
-  counter invalid-rx {}
-  counter rx-lo {}
-  counter invalid-local4-rx {}
-  counter invalid-local6-rx {}
-  counter icmp-ratelimit-rx {}
-  counter icmp-rx {}
-  counter dhcp-rx {}
-  counter cups-rx {}
-  counter established-rx {}
-  counter reject-ratelimit-rx {}
-  counter reject-rx {}
-  counter reject-tcp-rx {}
-  counter reject-icmp-rx {}
-  counter drop-rx {}
-  counter tx-lo {}
-  counter icmp-ratelimit-tx {}
-  counter icmp-tx {}
-  counter cups-tx {}
-  counter dhcp-tx {}
-  counter tx {}
-  chain forward {
-    type filter hook forward priority filter
-    policy drop
-    ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
-    iifname lo counter name fw-lo accept
-    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
-    meta l4proto $icmp_protos counter name icmp-fw accept
-    iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
-    iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
-    iifname eth0 oifname printer counter name fw-host accept
-    limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
-    log level debug prefix "reject forward: " counter name reject-fw
-    meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
-    ct state new counter name reject-icmp-fw reject
-    counter name drop-fw
-  }
-  chain input {
-    type filter hook input priority filter
-    policy drop
-    ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
-    iifname lo counter name rx-lo accept
-    iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
-    iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
-    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
-    meta l4proto $icmp_protos counter name icmp-rx accept
-    tcp dport 631 counter name cups-rx accept
-    iifname printer udp dport 67 counter name dhcp-rx accept
-    ct state {established, related} counter name established-rx accept
-    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
-    log level debug prefix "reject input: " counter name reject-rx
-    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
-    ct state new counter name reject-icmp-rx reject
-    counter name drop-rx
-  }
-  chain output {
-    type filter hook output priority filter
-    policy accept
-    oifname lo counter name tx-lo accept
-    meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
-    meta l4proto $icmp_protos counter name icmp-tx accept
-    tcp sport 631 counter name cups-tx accept
-    udp sport 67 counter name dhcp-tx accept
-    counter name tx
-  }
-}
-table ip nat {
-  counter host-nat {}
-  chain postrouting {
-    type nat hook postrouting priority srcnat
-    policy accept
-    oifname eth0 counter name host-nat masquerade
-  }
-}
-table ip mss_clamp {
-  counter host-mss-clamp {}
-  chain postrouting {
-    type filter hook postrouting priority mangle
-    policy accept
-    oifname eth0 tcp flags & (syn|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
-  }
-}

diff --git a/hosts/vidhar/printing/ruleset.nft b/hosts/vidhar/printing/ruleset.nft deleted file mode 100644 index edf8597d..00000000 --- a/hosts/vidhar/printing/ruleset.nft +++ /dev/null
@@ -1,191 +0,0 @@
1	define icmp_protos = {ipv6-icmp, icmp, igmp}
2
3	table arp filter {
4	limit lim_arp {
5	rate over 50 mbytes/second burst 50 mbytes
6	}
7
8	counter arp-rx {}
9	counter arp-tx {}
10
11	counter arp-ratelimit-rx {}
12	counter arp-ratelimit-tx {}
13
14	chain input {
15	type filter hook input priority filter
16	policy accept
17
18	limit name lim_arp counter name arp-ratelimit-rx drop
19
20	counter name arp-rx
21	}
22
23	chain output {
24	type filter hook output priority filter
25	policy accept
26
27	limit name lim_arp counter name arp-ratelimit-tx drop
28
29	counter name arp-tx
30	}
31	}
32
33	table inet filter {
34	limit lim_reject {
35	rate over 1000/second burst 1000 packets
36	}
37
38	limit lim_icmp {
39	rate over 50 mbytes/second burst 50 mbytes
40	}
41
42	counter invalid-fw {}
43	counter fw-lo {}
44	counter fw-printer {}
45	counter fw-host {}
46
47	counter icmp-fw {}
48	counter icmp-ratelimit-fw {}
49
50	counter reject-ratelimit-fw {}
51	counter reject-fw {}
52	counter reject-tcp-fw {}
53	counter reject-icmp-fw {}
54
55	counter drop-fw {}
56
57	counter invalid-rx {}
58
59	counter rx-lo {}
60	counter invalid-local4-rx {}
61	counter invalid-local6-rx {}
62
63	counter icmp-ratelimit-rx {}
64	counter icmp-rx {}
65
66	counter dhcp-rx {}
67	counter cups-rx {}
68
69	counter established-rx {}
70
71	counter reject-ratelimit-rx {}
72	counter reject-rx {}
73	counter reject-tcp-rx {}
74	counter reject-icmp-rx {}
75
76	counter drop-rx {}
77
78	counter tx-lo {}
79
80	counter icmp-ratelimit-tx {}
81	counter icmp-tx {}
82
83	counter cups-tx {}
84	counter dhcp-tx {}
85
86	counter tx {}
87
88	chain forward {
89	type filter hook forward priority filter
90	policy drop
91
92
93	ct state invalid log level debug prefix "drop invalid forward: " counter name invalid-fw drop
94
95
96	iifname lo counter name fw-lo accept
97
98
99	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-fw drop
100	meta l4proto $icmp_protos counter name icmp-fw accept
101
102
103	iifname printer oifname eth0 ip daddr 10.141.5.0 meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
104	iifname printer oifname eth0 ip6 daddr 2a03:4000:52:ada:5:: meta l4proto . th dport { tcp . 53, udp . 53, udp . 123 } counter name fw-printer accept
105	iifname eth0 oifname printer counter name fw-host accept
106
107
108	limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop
109	log level debug prefix "reject forward: " counter name reject-fw
110	meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset
111	ct state new counter name reject-icmp-fw reject
112
113
114	counter name drop-fw
115	}
116
117	chain input {
118	type filter hook input priority filter
119	policy drop
120
121
122	ct state invalid log level debug prefix "drop invalid input: " counter name invalid-rx drop
123
124
125	iifname lo counter name rx-lo accept
126	iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
127	iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
128
129	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
130	meta l4proto $icmp_protos counter name icmp-rx accept
131
132
133	tcp dport 631 counter name cups-rx accept
134
135	iifname printer udp dport 67 counter name dhcp-rx accept
136
137	ct state {established, related} counter name established-rx accept
138
139
140	limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
141	log level debug prefix "reject input: " counter name reject-rx
142	meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
143	ct state new counter name reject-icmp-rx reject
144
145
146	counter name drop-rx
147	}
148
149	chain output {
150	type filter hook output priority filter
151	policy accept
152
153
154	oifname lo counter name tx-lo accept
155
156	meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-tx drop
157	meta l4proto $icmp_protos counter name icmp-tx accept
158
159
160	tcp sport 631 counter name cups-tx accept
161
162	udp sport 67 counter name dhcp-tx accept
163
164
165	counter name tx
166	}
167	}
168
169	table ip nat {
170	counter host-nat {}
171
172	chain postrouting {
173	type nat hook postrouting priority srcnat
174	policy accept
175
176
177	oifname eth0 counter name host-nat masquerade
178	}
179	}
180
181	table ip mss_clamp {
182	counter host-mss-clamp {}
183
184	chain postrouting {
185	type filter hook postrouting priority mangle
186	policy accept
187
188
189	oifname eth0 tcp flags & (syn\|rst) == syn counter name host-mss-clamp tcp option maxseg size set rt mtu
190	}
191	}