From 68f7b6dcf0d388ea14b0782fb62f6cb7b7ea941c Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Jul 2024 14:24:14 +0200 Subject: dsl -> gpon --- hosts/vidhar/network/ruleset.nft | 72 ++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 36 deletions(-) (limited to 'hosts/vidhar/network/ruleset.nft') diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 6eb97f85..9843b71a 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -4,15 +4,15 @@ table arp filter { limit lim_arp_local { rate over 50 mbytes/second burst 50 mbytes } - limit lim_arp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes + limit lim_arp_gpon { + rate over 1750 kbytes/second burst 1750 kbytes } counter arp-rx {} counter arp-tx {} - counter arp-ratelimit-dsl-rx {} - counter arp-ratelimit-dsl-tx {} + counter arp-ratelimit-gpon-rx {} + counter arp-ratelimit-gpon-tx {} counter arp-ratelimit-local-rx {} counter arp-ratelimit-local-tx {} @@ -21,8 +21,8 @@ table arp filter { type filter hook input priority filter policy accept - iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop - iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop + iifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-rx drop + iifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-rx drop counter name arp-rx } @@ -31,8 +31,8 @@ table arp filter { type filter hook output priority filter policy accept - oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop - oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop + oifname != gpon limit name lim_arp_local counter name arp-ratelimit-local-tx drop + oifname gpon limit name lim_arp_gpon counter name arp-ratelimit-gpon-tx drop counter name arp-tx } 
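Review bot: The new `lim_arp_gpon` value (`rate over 1750 kbytes/second burst 1750 kbytes`) is a bare number with nothing recording where it comes from, and the identical figure is repeated for `lim_icmp_gpon` in `table inet filter` later in this patch. It looks like a per-uplink bandwidth budget, but that is inferred, not stated. A one-line comment above the limit such as `# sized to the gpon uplink; keep in sync with lim_icmp_gpon in table inet filter` would make the next link change a two-place edit instead of a hunt, and would say whether the number is meant to track line rate or something lower.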
@@ -46,11 +46,11 @@ table inet filter { limit lim_icmp_local { rate over 50 mbytes/second burst 50 mbytes } - limit lim_icmp_dsl { - rate over 1400 kbytes/second burst 1400 kbytes + limit lim_icmp_gpon { + rate over 1750 kbytes/second burst 1750 kbytes } - counter icmp-ratelimit-dsl-fw {} + counter icmp-ratelimit-gpon-fw {} counter icmp-ratelimit-local-fw {} counter icmp-fw {} @@ -58,7 +58,7 @@ table inet filter { counter invalid-fw {} counter fw-lo {} counter fw-lan {} - counter fw-dsl {} + counter fw-gpon {} counter fw-cups {} @@ -73,7 +73,7 @@ table inet filter { counter invalid-local4-rx {} counter invalid-local6-rx {} - counter icmp-ratelimit-dsl-rx {} + counter icmp-ratelimit-gpon-rx {} counter icmp-ratelimit-local-rx {} counter icmp-rx {} @@ -101,7 +101,7 @@ table inet filter { counter tx-lo {} - counter icmp-ratelimit-dsl-tx {} + counter icmp-ratelimit-gpon-tx {} counter icmp-ratelimit-local-tx {} counter icmp-tx {} @@ -123,10 +123,10 @@ table inet filter { chain forward_icmp_accept { - oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop - iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop - oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop - iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + oifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop + iifname { gpon, bifrost } limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-fw drop + oifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + iifname != { gpon, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop counter name icmp-fw accept } chain forward { 
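Review bot: `lim_icmp_gpon` is now named after a single interface, yet every rule in `forward_icmp_accept` that references it matches the set `{ gpon, bifrost }`, so bifrost's ICMP is charged against the same bucket and the `icmp-ratelimit-gpon-fw` counter records drops for both interfaces. The rename was the natural moment to name the limiter for its role, e.g. `limit lim_icmp_wan`, or at least to record the sharing above the definition: `# shared by gpon and bifrost (forward_icmp_accept, input, output)`. As written, a bifrost ICMP burst that exhausts the limiter will be read from the counters as a gpon problem.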
@@ -139,10 +139,10 @@ table inet filter { iifname lo counter name fw-lo accept - oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept - iifname lan oifname { dsl, bifrost } counter name fw-lan accept + oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept + iifname lan oifname { gpon, bifrost } counter name fw-lan accept - iifname dsl oifname lan ct state { established, related } counter name fw-dsl accept + iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop 
@@ -163,22 +163,22 @@ table inet filter { iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop - iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop + iifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-rx drop + iifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop meta l4proto $icmp_protos counter name icmp-rx accept - iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept - iifname { lan, mgmt, dsl, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept + iifname { lan, mgmt, gpon, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept + iifname { lan, mgmt, gpon, yggdrasil, bifrost } udp dport 60000-61000 counter name mosh-rx accept iifname { lan, mgmt, wifibh, yggdrasil } meta l4proto { tcp, udp } th dport 53 counter name dns-rx accept iifname { lan, yggdrasil } tcp dport 2049 counter name nfs-rx accept - iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept - iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept + iifname { lan, mgmt, gpon } meta protocol ip udp dport 51820 counter name wg-rx accept + iifname { lan, mgmt, gpon } meta protocol ip6 udp dport 51821 counter name wg-rx accept iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept - iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept + iifname gpon meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept iifname mgmt udp dport 123 counter name ntp-rx accept 
@@ -209,8 +209,8 @@ table inet filter { oifname lo counter name tx-lo accept - oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop - oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop + oifname { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_gpon counter name icmp-ratelimit-gpon-tx drop + oifname != { bifrost, gpon } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop meta l4proto $icmp_protos counter name icmp-tx accept @@ -246,7 +246,7 @@ table inet filter { } table inet nat { - counter dsl-nat {} + counter gpon-nat {} # counter container-nat {} chain postrouting { @@ -254,20 +254,20 @@ table inet nat { policy accept - meta nfproto ipv4 oifname dsl counter name dsl-nat masquerade - # iifname ve-* oifname dsl counter name container-nat masquerade + meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade + # iifname ve-* oifname gpon counter name container-nat masquerade } } table inet mss_clamp { - counter dsl-mss-clamp {} + counter gpon-mss-clamp {} chain postrouting { type filter hook postrouting priority mangle policy accept - oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu + oifname gpon tcp flags & (syn|rst) == syn counter name gpon-mss-clamp tcp option maxseg size set rt mtu } } @@ -402,7 +402,7 @@ table inet dscpclassify { chain postrouting { type filter hook postrouting priority filter + 1; policy accept - oifname != dsl return + oifname != gpon return ip dscp cs0 goto ct_set_cs0 ip dscp lephb goto ct_set_lephb -- cgit v1.2.3
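Review bot: The MSS clamp in `table inet mss_clamp` still keys on `oifname gpon` with `set rt mtu`, and whether that still does anything depends on the new link, which the patch does not show. If `gpon` is a plain Ethernet interface with a 1500-byte MTU the clamp is effectively a no-op but harmless; if PPPoE or another encapsulation now runs on top of it, the egress interface seen here will not be `gpon` and the rule silently stops matching. A comment above the rule recording the assumption, e.g. `# gpon is the actual egress interface (no PPPoE on top); clamp kept for upstream path-MTU changes`, would make this checkable the next time the uplink changes.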