From c2a1e00b26b7e65305a36aa817a311ecbd2d831c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 11 Jun 2024 10:05:16 +0200
Subject: email nologin by as-set
---
 hosts/surtr/ruleset.nft | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
(limited to 'hosts/surtr/ruleset.nft')
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index 14fc9b79..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
 counter established-rx {}
+ counter reject-mail-nologin {}
 counter reject-ratelimit-rx {}
 counter reject-rx {}
 counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
 counter tx {}
+ set mail_nologin4 {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ }
+ set mail_nologin6 {
+ type ipv6_addr
+ flags interval
+ auto-merge
+ }
+
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -145,6 +157,14 @@ table inet filter {
 counter name drop-fw
 }
+ chain reject_input {
+ limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+ log level debug prefix "reject input: " counter name reject-rx
+ meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+ ct state new counter name reject-icmp-rx reject
+
+ counter name drop-rx
+ }
 chain input {
 type filter hook input priority filter
 policy drop
@@ -177,6 +197,9 @@ table inet filter {
 udp dport {3478, 5349} counter name stun-rx accept
 udp dport 49000-50000 counter name turn-rx accept
+ tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+ tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+
 tcp dport 25 counter name smtp-rx accept
 tcp dport {465, 466} counter name submissions-rx accept
 tcp dport 993 counter name imaps-rx accept
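Review bot: `set mail_nologin4` and `set mail_nologin6` are declared without `elements`, so as loaded from this file the two `@mail_nologin*` reject rules further down match nothing; the subject line suggests the members are fed in out of band from an AS-set, but nothing in the ruleset says so. A one-line comment above each set naming the source and the updater would spare the next reader a search, e.g. `# members maintained out of band from the <AS-SET-NAME> AS-set by <UPDATER> (placeholder, fill in)`. If that updater is not re-run after a full ruleset reload, the sets presumably come back empty and the block silently stops applying; worth confirming.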
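Review bot: `chain reject_input` ends with `counter name drop-rx` and no verdict, so a packet that is neither new TCP nor new non-TCP (an in-flight segment of an existing session, say) is counted and then returns to the caller. From the `jump reject_input` rules added at the mail-nologin hunk that return point is followed by `tcp dport {465, 466} counter name submissions-rx accept` and the imaps rule, neither of which checks ct state, so such a packet is logged as rejected, counted under drop-rx and then accepted, unless the `limit name lim_reject` rule at the top of the chain drops it first (its exact semantics depend on how lim_reject is declared, which is outside this diff). The old inline block sat at the end of `chain input`, where falling through reached `policy drop`, so the behaviour only changes for the new mail-nologin path; making the last rule `counter name drop-rx drop` restores the terminal semantics for every caller (using `goto reject_input` in the mail-nologin rules would also do it). The `chain input` body is not fully visible in these hunks.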
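Review bot: the two `@mail_nologin*` rules log every match with `log prefix "mail nologin: "` with no `level` and no rate limit, and the `jump reject_input` that follows logs the same packet a second time (`"drop input: "` or `"reject input: "`), so one source in the set yields two kernel log lines per packet, the first of them unthrottled. Every other log statement in this ruleset is `level debug` and the drop path is gated by `limit name lim_reject`; dropping the `log prefix "mail nologin: "` statement from both rules and relying on the `reject-mail-nologin` counter plus `reject_input`'s own logging keeps the volume bounded. If the distinct prefix is wanted, it belongs on a separate preceding rule gated by the limit, not on the jump rule, since a non-matching `limit` would otherwise skip the jump as well. The same applies to the `ip6 saddr @mail_nologin6` line.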
@@ -186,13 +209,7 @@ table inet filter {
 ct state {established, related} counter name established-rx accept
- limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
- log level debug prefix "reject input: " counter name reject-rx
- meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
- ct state new counter name reject-icmp-rx reject
-
-
- counter name drop-rx
+ jump reject_input
 }
 chain output {
-- cgit v1.2.3