From cb2236575fa1fbda53dea0f22f2245abc25780c4 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 1 Jan 2022 04:04:42 +0100 Subject: vidhar: nftables: named counters --- hosts/vidhar/network/ruleset.nft | 206 ++++++++++++++++++++++++++++----------- 1 file changed, 149 insertions(+), 57 deletions(-) (limited to 'hosts/vidhar/network') diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 9fb1d14d..bdd847db 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft @@ -8,24 +8,33 @@ table arp filter { rate over 1400 kbytes/second burst 1400 kbytes } + counter arp-rx {} + counter arp-tx {} + + counter arp-ratelimit-dsl-rx {} + counter arp-ratelimit-dsl-tx {} + + counter arp-ratelimit-local-rx {} + counter arp-ratelimit-local-tx {} + chain input { type filter hook input priority filter policy accept - iifname != dsl limit name lim_arp_local counter drop - iifname dsl limit name lim_arp_dsl counter drop + iifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-rx drop + iifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-rx drop - counter + counter name arp-rx } chain output { type filter hook output priority filter policy accept - oifname != dsl limit name lim_arp_local counter drop - oifname dsl limit name lim_arp_dsl counter drop + oifname != dsl limit name lim_arp_local counter name arp-ratelimit-local-tx drop + oifname dsl limit name lim_arp_dsl counter name arp-ratelimit-dsl-tx drop - counter + counter name arp-tx } } 
@@ -41,38 +50,98 @@ table inet filter { rate over 1400 kbytes/second burst 1400 kbytes } + counter icmp-ratelimit-dsl-fw {} + counter icmp-ratelimit-local-fw {} + + counter icmp-fw {} + + counter invalid-fw {} + counter fw-lo {} + counter fw-lan {} + counter fw-dsl {} + + counter reject-ratelimit-fw {} + counter reject-fw {} + counter reject-tcp-fw {} + counter reject-icmp-fw {} + + + counter invalid-rx {} + counter rx-lo {} + counter invalid-local4-rx {} + counter invalid-local6-rx {} + + counter icmp-ratelimit-dsl-rx {} + counter icmp-ratelimit-local-rx {} + counter icmp-rx {} + + counter ssh-rx {} + counter mosh-rx {} + counter dns-rx {} + counter wg-rx {} + counter yggdrasil-gre-rx {} + counter ipv6-pd-rx {} + counter ntp-rx {} + counter dhcp-rx {} + counter samba-rx {} + counter http-rx {} + + counter established-rx {} + + counter reject-ratelimit-rx {} + counter reject-rx {} + counter reject-tcp-rx {} + counter reject-icmp-rx {} + + + counter tx-lo {} + + counter icmp-ratelimit-dsl-tx {} + counter icmp-ratelimit-local-tx {} + counter icmp-tx {} + + counter ssh-tx {} + counter mosh-tx {} + counter dns-tx {} + counter wg-tx {} + counter yggdrasil-gre-tx {} + counter ipv6-pd-tx {} + counter ntp-tx {} + counter dhcp-tx {} + counter samba-tx {} + counter http-tx {} + + counter tx {} + chain forward_icmp_accept { - oifname dsl limit name lim_icmp_dsl counter drop - iifname dsl limit name lim_icmp_dsl counter drop - oifname != dsl limit name lim_icmp_local counter drop - iifname != dsl limit name lim_icmp_local counter drop - counter accept + oifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop + iifname dsl limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-fw drop + oifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + iifname != dsl limit name lim_icmp_local counter name icmp-ratelimit-local-fw drop + counter name icmp-fw accept } chain forward { type filter hook forward priority filter policy drop - ct 
state invalid log prefix "drop invalid forward: " counter drop + ct state invalid log prefix "drop invalid forward: " counter name invalid-fw drop - iifname lo counter accept + iifname lo counter name fw-lo accept oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept - iifname lan oifname dsl counter accept - iifname dsl oifname lan ct state {established, related} counter accept - + iifname lan oifname dsl counter name fw-lan accept + iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept - limit name lim_reject log prefix "drop forward: " counter drop - log prefix "reject forward: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - counter + limit name lim_reject log prefix "drop forward: " counter name reject-ratelimit-fw drop + log prefix "reject forward: " counter name reject-fw + meta l4proto tcp ct state new counter name reject-tcp-fw reject with tcp reset + ct state new counter name reject-icmp-fw reject } chain input { 
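Review bot: The catch-all `counter` that closed the `forward` chain is removed rather than given a name, so a packet that reaches the end of the chain without being `ct state new` (for example an established or related flow between an interface pair other than lan→dsl or dsl→lan) is now dropped by `policy drop` with no counter at all, even though the `log prefix "reject forward: "` rule above still logs it as rejected. The `input` chain in the next hunk loses its trailing `counter` in the same way. Keeping a named catch-all before the closing brace, e.g. `counter name policy-drop-fw` (name constructed; choose to match the others), preserves the visibility the old rule gave, and the log prefix could then honestly read `"drop/reject forward: "`. The `forward` chain opens and closes within this hunk.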
@@ -80,48 +149,45 @@ table inet filter { policy drop - ct state invalid log prefix "drop invalid input: " counter drop + ct state invalid log prefix "drop invalid input: " counter name invalid-rx drop - iifname lo counter accept - iif != lo ip daddr 127.0.0.1/8 counter reject - iif != lo ip6 daddr ::1/128 counter reject - - iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - meta l4proto $icmp_protos counter accept + iifname lo counter name rx-lo accept + iif != lo ip daddr 127.0.0.1/8 counter name invalid-local4-rx reject + iif != lo ip6 daddr ::1/128 counter name invalid-local6-rx reject - tcp dport 22 counter accept - udp dport 60001-61000 counter accept + iifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-rx drop + iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop + meta l4proto $icmp_protos counter name icmp-rx accept - iifname lan tcp dport 53 counter accept - iifname lan udp dport 53 counter accept + tcp dport 22 counter name ssh-rx accept + udp dport 60001-61000 counter name mosh-rx accept - meta protocol ip udp dport 51820 counter accept - meta protocol ip6 udp dport 51821 counter accept - iifname "yggdrasil-wg-*" meta l4proto gre counter accept + iifname lan tcp dport 53 counter name dns-rx accept + iifname lan udp dport 53 counter name dns-rx accept - iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept + meta protocol ip udp dport 51820 counter name wg-rx accept + meta protocol ip6 udp dport 51821 counter name wg-rx accept + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept - iifname mgmt udp dport 123 counter accept + iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept - iifname {lan, mgmt} udp dport 67 counter accept + iifname mgmt udp dport 123 counter name 
ntp-rx accept - iifname lan udp dport { 137, 138, 3702 } counter accept - iifname lan tcp dport { 445, 139, 5357 } counter accept + iifname {lan, mgmt} udp dport 67 counter name dhcp-rx accept - iifname yggdrasil tcp dport 80 counter accept + iifname lan udp dport { 137, 138, 3702 } counter name samba-rx accept + iifname lan tcp dport { 445, 139, 5357 } counter name samba-rx accept - ct state {established, related} counter accept + iifname yggdrasil tcp dport 80 counter name http-rx accept + ct state {established, related} counter name established-rx accept - limit name lim_reject log prefix "drop input: " counter drop - log prefix "reject input: " counter - meta l4proto tcp ct state new counter reject with tcp reset - ct state new counter reject - - counter + limit name lim_reject log prefix "drop input: " counter name reject-ratelimit-rx drop + log prefix "reject input: " counter name reject-rx + meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset + ct state new counter name reject-icmp-rx reject } chain output { 
@@ -129,33 +195,59 @@ table inet filter { policy accept - oifname lo counter accept + oifname lo counter name tx-lo accept + + oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter name icmp-ratelimit-dsl-tx drop + oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-tx drop + meta l4proto $icmp_protos counter name icmp-tx accept + + + tcp sport 22 counter name ssh-tx + udp sport 60001-61000 counter name mosh-tx - oifname dsl meta l4proto $icmp_protos limit name lim_icmp_dsl counter drop - oifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop - meta l4proto $icmp_protos counter accept + tcp sport 53 counter name dns-tx + udp sport 53 counter name dns-tx + meta protocol ip udp sport 51820 counter name wg-tx + meta protocol ip6 udp sport 51821 counter name wg-tx + iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx - counter + meta protocol ip6 udp sport 546 udp dport 547 counter name ipv6-pd-tx + + udp sport 123 counter name ntp-tx accept + + udp sport 67 counter name dhcp-tx accept + + udp sport { 137, 138, 3702 } counter name samba-tx accept + tcp sport { 445, 139, 5357 } counter name samba-tx accept + + tcp sport 80 counter name http-tx accept + + + counter name tx } } table ip nat { + counter dsl-nat {} + chain postrouting { type nat hook postrouting priority srcnat policy accept - oifname dsl counter masquerade + oifname dsl counter name dsl-nat masquerade } } table ip mss_clamp { + counter dsl-mss-clamp {} + chain postrouting { type filter hook postrouting priority mangle policy accept - oifname dsl tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu + oifname dsl tcp flags & (syn|rst) == syn counter name dsl-mss-clamp tcp option maxseg size set rt mtu } } \ No newline at end of file -- cgit v1.2.3
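Review bot: The new rule `iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-tx` keys on the input interface inside an output-hook chain, where a locally generated packet has no input interface; it reads as a copy of the input-chain rule and will probably never count anything unless `iifname` becomes `oifname`. Separately, the per-service tx rules are not uniform: ssh, mosh, dns, wg, gre and pd only count and fall through, whereas ntp, dhcp, samba and http count and `accept`, so the final `counter name tx` sees the first group but not the second (nor ICMP or loopback, which are accepted earlier), which makes `tx` hard to interpret. Dropping the trailing `accept` from the ntp-tx, dhcp-tx, both samba-tx and the http-tx lines would make every per-service rule count-and-continue under the chain's `policy accept`, leaving `tx` as an egress total minus lo and ICMP. The `output` chain opens before this hunk.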