From abd86d7bd35ae30e9eeffc33a798faca9e2b0486 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 6 Feb 2022 18:20:18 +0100
Subject: bifrost: ...
---
hosts/vidhar/network/ruleset.nft | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'hosts/vidhar/network/ruleset.nft')
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 7b2160d1..f2b1eda0 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -117,10 +117,10 @@ table inet filter {
 chain forward_icmp_accept {
- oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
- iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
- oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
- iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ oifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+ iifname { dsl, bifrost } limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop
+ oifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
+ iifname != { dsl, bifrost } limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop
 counter name icmp-fw accept
 }
 chain forward {
@@ -133,7 +133,7 @@ table inet filter {
 iifname lo counter name fw-lo accept
- oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
+ oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept
 iifname lan oifname { dsl, bifrost } counter name fw-lan accept
 iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
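Review bot: The four rewritten rules in forward_icmp_accept make bifrost share the named limit `lim_icmp_dsl` and the counter `icmp-ratelimit-dsl-fw` with dsl; an nftables named limit is a single stateful object, so ICMP on the two uplinks now draws from one token bucket and a burst on one link can cause rate-limit drops on the other. If a shared budget is intended, say so on the first rule, e.g. `# lim_icmp_dsl is one shared bucket for both uplinks (dsl, bifrost)`; otherwise define a separate limit object (for example `lim_icmp_bifrost`) and reference it from dedicated bifrost rules. The same sharing recurs in the input hunk at -158 and the output hunk at -201. The limit objects themselves are defined outside the hunk, so their rates could not be checked here.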
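Review bot: The widened `oifname { lan, dsl, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept` accepts forwarded ICMP into lan from any ingress interface, bifrost and dsl included, because forward_icmp_accept (first hunk) ends in an unconditional `counter name icmp-fw accept` with no `ct state` or `iifname` qualifier and only the rate limits before it. If bifrost is an untrusted uplink like dsl, consider splitting the jump so the inbound direction is gated, e.g. `iifname { dsl, bifrost } oifname lan meta l4proto $icmp_protos ct state { established, related } jump forward_icmp_accept` for inbound and the unqualified form for the remaining directions; whether unsolicited inbound ICMP to lan is wanted is a design question this hunk does not settle. dmz01 appears as a forward destination two lines below but is absent from the ICMP jump set, which may be intentional. The forward chain and the definition of `$icmp_protos` continue outside the hunk.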
@@ -158,8 +158,8 @@ table inet filter {
 iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject
 iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject
- iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
- iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
+ iifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop
+ iifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
 iifname { lan, mgmt, dsl, yggdrasil, bifrost } tcp dport 22 counter name ssh-rx accept
@@ -201,8 +201,8 @@ table inet filter {
 oifname lo counter name tx-lo accept
- oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
- oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
+ oifname { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop
+ oifname != { bifrost, dsl } meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop
 meta l4proto $icmp_protos counter name icmp-tx accept
-- 
cgit v1.2.3
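Review bot: The interface sets are written in inconsistent order: `{ dsl, bifrost }` in the forward hunk at -117 but `{ bifrost, dsl }` here and in the output hunk at -201; set matching is unaffected, but one spelling makes grep and later diffs easier, e.g. `iifname { dsl, bifrost } meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop`. The counters `icmp-ratelimit-dsl-rx` and `icmp-ratelimit-dsl-tx` now also count bifrost packets, which anything that reads them should be told; if renaming would disturb existing monitoring, a comment such as `# counts dsl and bifrost` on each rule is enough. The input and output chains continue outside their hunks on both sides.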