From 6bc9ae25153a292b5e34ec0b891d83c98b1d5e8a Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 8 Aug 2023 21:48:11 +0200
Subject: ...
---
 hosts/sif/default.nix | 4 ++--
 hosts/sif/ruleset.nft | 10 ++++++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
(limited to 'hosts')
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index c55cc7a8..bde5cdf8 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -288,8 +288,8 @@ in {
 bogus-priv = true;
 no-hosts = true;
 listen-address = [ "192.168.122.1" "fd45:febc:b028::" ];
- interface = "virbr0";
- except-interface = "lo";
+ # interface = "virbr0";
+ # except-interface = "lo";
 bind-interfaces = true;
 domain = "libvirt,192.168.122.0/24";
 dhcp-range = [ "192.168.122.128,192.168.122.254,1h" "fd45:febc:b028::1,fd45:febc:b028:0:ffff:ffff:ffff:ffff,ra-names,1h" ];
diff --git a/hosts/sif/ruleset.nft b/hosts/sif/ruleset.nft
index e2ac45c6..33c17253 100644
--- a/hosts/sif/ruleset.nft
+++ b/hosts/sif/ruleset.nft
@@ -90,6 +90,7 @@ table inet filter {
 counter libvirt-dns {}
+ chain forward_tmp {}
 chain forward {
 type filter hook forward priority filter
 policy drop
@@ -100,6 +101,8 @@ table inet filter {
 iifname lo counter name fw-lo accept
+ jump forward_tmp
+
 iifname virbr0 oifname != {lo, wgrz, yggdrasil-wg-4, yggdrasil-wg-6, yggdrasil, ip6tnl, ip6gre, yggre-surtr-6, yggre-surtr-4, yggre-vidhar-4} counter name fw-libvirt accept
 oifname virbr0 ct state {established, related} counter name fw-libvirt accept
@@ -110,6 +113,7 @@ table inet filter {
 ct state new counter name reject-icmp-fw reject
 }
+ chain input_tmp {}
 chain input {
 type filter hook input priority filter
 policy drop
@@ -125,6 +129,8 @@ table inet filter {
 meta l4proto $icmp_protos limit name lim_icmp counter name icmp-ratelimit-rx drop
 meta l4proto $icmp_protos counter name icmp-rx accept
+ jump input_tmp
+
 tcp dport 22 counter name ssh-rx accept
 udp dport 60000-61000 counter name mosh-rx accept
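Review bot: The `interface` and `except-interface` options are commented out rather than removed, and nothing in the hunk records why, so a later reader cannot tell whether this is a temporary workaround or the intended configuration. Because `listen-address` and `bind-interfaces = true` stay in place, dnsmasq still binds only to the two libvirt addresses listed, so the reachable listener scope is unchanged as far as these lines show; the `except-interface = "lo"` line was already redundant under an explicit `listen-address`. If the removal is intended, delete the two lines and leave a note such as `# listen-address + bind-interfaces already restrict dnsmasq to the libvirt addresses`; if it works around something (presumably virbr0 not existing when dnsmasq starts — confirm), say what. The enclosing dnsmasq attribute set starts and ends outside the hunk.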
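Review bot: `chain forward_tmp {}` is declared with no comment saying what the chain is for or who populates it, and the same is true of `input_tmp` in the `@@ -110` hunk and the two `postrouting_tmp` chains in the `@@ -180` and `@@ -202` hunks. An empty regular chain without a base hook returns to the caller, so the ruleset behaves exactly as before; the evident intent is a place for rules added at runtime without editing the hooked chains, but that is inferred, not stated. One comment above the first declaration would settle it, e.g. `# *_tmp: kept empty in this file; holds rules added at runtime so the base chains need not be edited`. If the file is applied behind a `flush ruleset` (not visible here), runtime additions to these chains are discarded on every reload, which the same comment should say.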
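Review bot: `jump forward_tmp` is inserted after the `iifname lo` accept and before the libvirt forward accepts, so any rule placed into `forward_tmp` later is evaluated ahead of the static libvirt rules while the chain's `policy drop` still applies to whatever falls through; the hunk does not record whether that ordering is deliberate. The `jump input_tmp` in the `@@ -125` hunk sits in the same kind of position, after the ICMP rate-limit and before the ssh/mosh accepts. A one-line comment at each jump, e.g. `# runtime rules are evaluated here, before the static accepts below`, would keep a later edit from silently moving it. The enclosing `chain forward` and `chain input` blocks continue outside these hunks.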
@@ -180,11 +186,13 @@ table inet filter {
 table ip nat {
 counter libvirt-nat {}
+ chain postrouting_tmp {}
 chain postrouting {
 type nat hook postrouting priority srcnat
 policy accept
 iifname virbr0 oifname != virbr0 counter name libvirt-nat masquerade
+ jump postrouting_tmp
 }
 }
@@ -202,10 +210,12 @@ table ip6 nat {
 table ip mss_clamp {
 counter libvirt-mss-clamp {}
+ chain postrouting_tmp {}
 chain postrouting {
 type filter hook postrouting priority mangle
 policy accept
 iifname virbr0 oifname != virbr0 tcp flags & (syn|rst) == syn counter name libvirt-mss-clamp tcp option maxseg size set rt mtu
+ jump postrouting_tmp
 }
 }
--
cgit v1.2.3
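Review bot: The same chain name `postrouting_tmp` is declared in both `table ip nat` (this hunk) and `table ip mss_clamp` (the `@@ -202` hunk); chain names are scoped per table so this is valid, but an operator adding a runtime rule must also name the right table, and a rule meant for the mangle-priority clamp chain that lands in the nat table would be evaluated in the NAT path instead. Distinct names such as `nat_postrouting_tmp` and `mss_postrouting_tmp` make the target of a later `nft add rule` unambiguous. Note also that both jumps are placed after the existing `iifname virbr0` rule, so rules in these chains appear to run only for traffic that rule did not already handle — worth stating in a comment if that is the intent.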