From 41efa2ab074e43021fea33ce03c36f60b24cffa9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 14 Oct 2025 12:54:39 +0200
Subject: ...
---
 hosts/vidhar/network/ruleset.nft | 72 ++++++++++++++++++++--------------------
 1 file changed, 36 insertions(+), 36 deletions(-)
(limited to 'hosts/vidhar/network/ruleset.nft')
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7897fb3d..dd750394 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -5,15 +5,15 @@ table arp filter {
 limit lim_arp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
- limit lim_arp_gpon {
+ limit lim_arp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
 counter arp-rx {}
 counter arp-tx {}
- counter arp-ratelimit-gpon-rx {}
- counter arp-ratelimit-gpon-tx {}
+ counter arp-ratelimit-ppp-rx {}
+ counter arp-ratelimit-ppp-tx {}
 counter arp-ratelimit-local-rx {}
 counter arp-ratelimit-local-tx {}
@@ -22,8 +22,8 @@ table arp filter {
 type filter hook input priority filter
 policy accept
- iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop
- iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop
+ iifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-rx drop
+ iifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop
 counter name arp-rx
 }
@@ -32,8 +32,8 @@ table arp filter {
 type filter hook output priority filter
 policy accept
- oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop
- oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop
+ oifname != @pppInterface@ limit name lim_arp_local counter name arp-ratelimit-local-tx drop
+ oifname @pppInterface@ limit name lim_arp_ppp counter name arp-ratelimit-ppp-tx drop
 counter name arp-tx
 }
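Review bot: `lim_arp_ppp` and the `arp-ratelimit-ppp-*` counters are now attached to an interface that, if `@pppInterface@` resolves to a PPP link as the new names suggest, never carries ARP frames, so the tighter 7500 kbytes/second budget matches nothing and the rules keyed on it in hunks -22 and -32 are effectively dead. The Ethernet carrier the PPP session rides on (presumably the former `gpon`) now falls into the `iifname != @pppInterface@` branch and gets `lim_arp_local`'s 50 mbytes/second budget instead, which loosens ARP policing on the physical WAN port. If that is intended, a comment above the limit such as `# ARP is not seen on the PPP link; the strict budget only matters for the Ethernet carrier` would record the reasoning; otherwise the carrier interface should stay in the strict branch, e.g. `iifname { @pppInterface@, gpon } limit name lim_arp_ppp counter name arp-ratelimit-ppp-rx drop`. Whether the carrier still exists under that name is not visible in this patch.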
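Review bot: `@pppInterface@` is spliced in unquoted, so an empty or missed substitution leaves a literal `@...@` that nft parses as a set reference and rejects at load time, which is the safer failure here because the `iifname != @pppInterface@` rule in this hunk (and the negated forms in -32, -135, -180 and -231) would otherwise silently treat the WAN link as local. That property is worth stating so nobody "fixes" it by quoting the token: `# keep @pppInterface@ unquoted: a missed substitution must fail the load, not silently match nothing`. The substitution step itself is outside this patch, so a build-time check that the value is non-empty and a plain interface name (the file quotes `"yggdrasil-wg-*"` when a wildcard is meant) should be confirmed to exist. The same token is used in -151, -281 and -429 as well.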
@@ -47,11 +47,11 @@ table inet filter {
 limit lim_icmp_local {
 rate over 50 mbytes/second burst 50 mbytes
 }
- limit lim_icmp_gpon {
+ limit lim_icmp_ppp {
 rate over 7500 kbytes/second burst 7500 kbytes
 }
- counter icmp-ratelimit-gpon-fw {}
+ counter icmp-ratelimit-ppp-fw {}
 counter icmp-ratelimit-local-fw {}
 counter icmp-fw {}
@@ -59,7 +59,7 @@ table inet filter {
 counter invalid-fw {}
 counter fw-lo {}
 counter fw-lan {}
- counter fw-gpon {}
+ counter fw-ppp {}
 counter fw-kimai {}
 counter fw-cups {}
@@ -75,7 +75,7 @@ table inet filter {
 counter invalid-local4-rx {}
 counter invalid-local6-rx {}
- counter icmp-ratelimit-gpon-rx {}
+ counter icmp-ratelimit-ppp-rx {}
 counter icmp-ratelimit-local-rx {}
 counter icmp-rx {}
@@ -108,7 +108,7 @@ table inet filter {
 counter tx-lo {}
- counter icmp-ratelimit-gpon-tx {}
+ counter icmp-ratelimit-ppp-tx {}
 counter icmp-ratelimit-local-tx {}
 counter icmp-tx {}
@@ -135,10 +135,10 @@ table inet filter {
 chain forward_icmp_accept {
- oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
- iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop
- oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
- iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ oifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+ iifname { @pppInterface@, bifrost } limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-fw drop
+ oifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ iifname != { @pppInterface@, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -151,12 +151,12 @@ table inet filter {
 iifname lo counter name fw-lo accept
- oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
- iifname lan oifname { gpon, bifrost } counter name fw-lan accept
- iifname ve-kimai oifname gpon counter name fw-kimai accept
+ oifname { lan, @pppInterface@, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
+ iifname lan oifname { @pppInterface@, bifrost } counter name fw-lan accept
+ iifname ve-kimai oifname @pppInterface@ counter name fw-kimai accept
- iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept
- iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept
+ iifname @pppInterface@ oifname lan ct state { established, related } counter name fw-ppp accept
+ iifname @pppInterface@ oifname ve-kimai ct state { established, related } counter name fw-kimai accept
 iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept
 iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept
@@ -180,22 +180,22 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
- iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop
- iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+ iifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-rx drop
+ iifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
- iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
- iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, @pppInterface@, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept
 iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept
 iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept
- iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept
- iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept
+ iifname { lan, mgmt, @pppInterface@ } meta protocol ip udp dport 51820 counter name wg-rx accept
+ iifname { lan, mgmt, @pppInterface@ } meta protocol ip6 udp dport 51821 counter name wg-rx accept
 iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
- iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
+ iifname @pppInterface@ meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
 iifname mgmt udp dport 123 counter name ntp-rx accept
@@ -231,8 +231,8 @@ table inet filter {
 oifname lo counter name tx-lo accept
- oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop
- oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+ oifname { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_ppp counter name icmp-ratelimit-ppp-tx drop
+ oifname != { bifrost, @pppInterface@ } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
@@ -273,7 +273,7 @@ table inet filter {
 }
 table inet nat {
- counter gpon-nat {}
+ counter ppp-nat {}
 counter kimai-nat {}
 chain postrouting {
@@ -281,20 +281,20 @@ table inet nat {
 policy accept
- meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade
- iifname ve-kimai oifname gpon counter name kimai-nat masquerade
+ meta nfproto ipv4 oifname @pppInterface@ counter name ppp-nat masquerade
+ iifname ve-kimai oifname @pppInterface@ counter name kimai-nat masquerade
 }
 }
 table inet mss_clamp {
- counter gpon-mss-clamp {}
+ counter ppp-mss-clamp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
- oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu
+ oifname @pppInterface@ tcp flags & (syn|rst) == syn counter name ppp-mss-clamp tcp option maxseg size set rt mtu
 }
 }
@@ -429,7 +429,7 @@ table inet dscpclassify {
 chain postrouting {
 type filter hook postrouting priority filter + 1; policy accept
- oifname != gpon return
+ oifname != @pppInterface@ return
 ip dscp cs0 goto ct_set_cs0
 ip dscp lephb goto ct_set_lephb
-- cgit v1.2.3
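Review bot: Every WAN-facing decision in this hunk now depends on the link carrying exactly the name substituted for `@pppInterface@`, and the negated forms (`iifname != { bifrost, @pppInterface@ }` here, `oifname != ...` in -231) hand any other interface the 50 mbytes/second ICMP budget meant for local links. pppd allocates `pppN` units sequentially, so if a stale unit is still present at redial the new session can come up under a different name and silently land in the local branches, while also losing the `masquerade` and MSS clamp keyed on the same name in -281. Unless the unit name is already pinned on the pppd side (pppd's `ifname` option does this), pinning it and recording the expectation above the first rule, `# @pppInterface@ must be the fixed unit name pppd is configured with; a renumbered link falls into the local branches`, would close that gap. The pppd configuration is outside this patch, so this may already be handled.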