diff --git a/doc/ref/ruleset.json b/doc/ref/ruleset.json
new file mode 100644
index 0000000..bf8941e
--- /dev/null
+++ b/doc/ref/ruleset.json
@@ -0,0 +1,1359 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "1.1.6", + "release_name": "Commodore Bullmoose #7", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "inet", + "name": "firewall", + "handle": 42 + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "input", + "handle": 1, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "drop" + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "forward", + "handle": 2, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "drop" + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "zone_wan_input", + "handle": 3 + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "zone_wan_forward", + "handle": 4 + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "zone_lan_input", + "handle": 5 + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "zone_lan_forward", + "handle": 6 + } + }, + { + "chain": { + "family": "inet", + "table": "firewall", + "name": "output", + "handle": 7, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "set": { + "family": "inet", + "name": "port_forward_v6", + "table": "firewall", + "type": [ + "inet_proto", + "ipv6_addr", + "inet_service" + ], + "handle": 8, + "elem": [ + { + "concat": [ + "tcp", + "2600:1700:115f:300f::11:1", + 22000 + ] + }, + { + "concat": [ + "udp", + "2600:1700:115f:300f::11:1", + 22000 + ] + } + ] + } + }, + { + "set": { + "family": "inet", + "name": "cloudflare_forward_v6", + "table": "firewall", + "type": "ipv6_addr", + "handle": 9, + "elem": [ + "2600:1700:115f:300f::11:1" + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 10, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "wan" + } + }, + { + "match": { + "op": "==", + 
"left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": "fe80::be24:11ff:fe83:d8de" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "icmpv6", + "field": "type" + } + }, + "right": "nd-router-advert" + } + }, + { + "log": { + "prefix": "self radvt: " + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 11, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 13, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "ipv6-icmp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "2600:1700:115f:3000::", + "len": 60 + } + }, + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + } + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 14, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "ipv6-icmp" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "prefix": { + "addr": "fe80::", + "len": 10 + } + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 15, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iif" + } + }, + "right": "lo" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", 
+ "handle": 18, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "fe80::", + "len": 10 + } + }, + { + "prefix": { + "addr": "ff02::", + "len": 16 + } + } + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": { + "set": [ + 546, + 547 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 19, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 20, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": 51944 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 21, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "wan" + } + }, + { + "jump": { + "target": "zone_wan_input" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 23, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "wg0", + "lan", + "lan.10", + "lan.20", + "lan.30", + "lan.40", + "lan.50" + ] + } + } + }, + { + "jump": { + "target": "zone_lan_input" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "input", + "handle": 25, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "2600:1700:115f:3000::", + "len": 
64 + } + }, + { + "prefix": { + "addr": "2600:1700:115f:300d::", + "len": 64 + } + } + ] + } + } + }, + { + "jump": { + "target": "zone_lan_input" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "forward", + "handle": 26, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": [ + "established", + "related" + ] + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "forward", + "handle": 27, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": "wan" + } + }, + { + "jump": { + "target": "zone_wan_forward" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "forward", + "handle": 29, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "iifname" + } + }, + "right": { + "set": [ + "wg0", + "lan", + "lan.10", + "lan.20", + "lan.30", + "lan.40", + "lan.50" + ] + } + } + }, + { + "jump": { + "target": "zone_lan_forward" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "forward", + "handle": 31, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "2600:1700:115f:3000::", + "len": 64 + } + }, + { + "prefix": { + "addr": "2600:1700:115f:300d::", + "len": 64 + } + } + ] + } + } + }, + { + "jump": { + "target": "zone_lan_forward" + } + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_wan_forward", + "handle": 32, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "status" + } + }, + "right": "dnat" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_wan_forward", + "handle": 33, + "expr": [ + { + "match": { + "op": "==", + 
"left": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "right": "@port_forward_v6" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_wan_forward", + "handle": 35, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": { + "set": [ + { + "prefix": { + "addr": "2400:cb00::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2405:8100::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2405:b500::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2606:4700::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2803:f800::", + "len": 32 + } + }, + { + "prefix": { + "addr": "2a06:98c0::", + "len": 29 + } + }, + { + "prefix": { + "addr": "2c0f:f248::", + "len": 32 + } + } + ] + } + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "daddr" + } + }, + "right": "@cloudflare_forward_v6" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "th", + "field": "dport" + } + }, + "right": 443 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_input", + "handle": 36, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "nexthdr" + } + }, + "right": "ipv6-icmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_input", + "handle": 37, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip", + "field": "protocol" + } + }, + "right": "icmp" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_input", + 
"handle": 39, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": { + "set": [ + 22, + 443 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_input", + "handle": 41, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "udp", + "field": "dport" + } + }, + "right": { + "set": [ + 53, + 67, + 443, + 547 + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_forward", + "handle": 42, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "wan" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "ip6", + "field": "saddr" + } + }, + "right": { + "prefix": { + "addr": "fd00::", + "len": 8 + } + } + } + }, + { + "drop": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_forward", + "handle": 43, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": "wan" + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "inet", + "table": "firewall", + "chain": "zone_lan_forward", + "handle": 45, + "expr": [ + { + "match": { + "op": "==", + "left": { + "meta": { + "key": "oifname" + } + }, + "right": { + "set": [ + "wg0", + "lan", + "lan.10", + "lan.20", + "lan.30", + "lan.40", + "lan.50" + ] + } + } + }, + { + "accept": null + } + ] + } + }, + { + "table": { + "family": "ip", + "name": "nat4", + "handle": 43 + } + }, + { + "chain": { + "family": "ip", + "table": "nat4", + "name": "prerouting", + "handle": 1, + "type": "nat", + "hook": "prerouting", + "prio": -100, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "nat4", + "name": "postrouting", + "handle": 2, + "type": "nat", + "hook": 
"postrouting", + "prio": 100, + "policy": "accept" + } + }, + { + "map": { + "family": "ip", + "name": "port_forward", + "table": "nat4", + "type": [ + "inet_proto", + "inet_service" + ], + "handle": 3, + "map": [ + "ipv4_addr", + "inet_service" + ], + "elem": [ + [ + { + "concat": [ + "udp", + 35848 + ] + }, + { + "concat": [ + "10.17.1.250", + 35848 + ] + } + ], + [ + { + "concat": [ + "udp", + 37138 + ] + }, + { + "concat": [ + "10.17.10.31", + 37138 + ] + } + ], + [ + { + "concat": [ + "udp", + 40993 + ] + }, + { + "concat": [ + "10.17.1.250", + 40993 + ] + } + ], + [ + { + "concat": [ + "udp", + 45608 + ] + }, + { + "concat": [ + "10.17.1.250", + 45608 + ] + } + ], + [ + { + "concat": [ + "udp", + 48425 + ] + }, + { + "concat": [ + "10.17.1.250", + 48425 + ] + } + ], + [ + { + "concat": [ + "tcp", + 8006 + ] + }, + { + "concat": [ + "10.17.50.10", + 8006 + ] + } + ], + [ + { + "concat": [ + "tcp", + 38247 + ] + }, + { + "concat": [ + "10.17.10.31", + 22 + ] + } + ], + [ + { + "concat": [ + "udp", + 48512 + ] + }, + { + "concat": [ + "10.17.1.250", + 48512 + ] + } + ], + [ + { + "concat": [ + "udp", + 24454 + ] + }, + { + "concat": [ + "10.17.1.11", + 24454 + ] + } + ], + [ + { + "concat": [ + "udp", + 18596 + ] + }, + { + "concat": [ + "10.17.1.250", + 18596 + ] + } + ], + [ + { + "concat": [ + "tcp", + 25565 + ] + }, + { + "concat": [ + "10.17.1.11", + 25565 + ] + } + ], + [ + { + "concat": [ + "udp", + 25565 + ] + }, + { + "concat": [ + "10.17.1.11", + 25565 + ] + } + ] + ] + } + }, + { + "rule": { + "family": "ip", + "table": "nat4", + "chain": "prerouting", + "handle": 4, + "expr": [ + { + "match": { + "op": "==", + "left": { + "fib": { + "result": "type", + "flags": [ + "daddr" + ] + } + }, + "right": "local" + } + }, + { + "dnat": { + "family": "ip", + "addr": { + "map": { + "key": { + "concat": [ + { + "meta": { + "key": "l4proto" + } + }, + { + "payload": { + "protocol": "th", + "field": "dport" + } + } + ] + }, + "data": "@port_forward" + } + } + } + 
}
+ ]
+ }
+ },
+ {
+ "rule": {
+ "family": "ip",
+ "table": "nat4",
+ "chain": "postrouting",
+ "handle": 6,
+ "expr": [
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "meta": {
+ "key": "oifname"
+ }
+ },
+ "right": "wan"
+ }
+ },
+ {
+ "match": {
+ "op": "==",
+ "left": {
+ "payload": {
+ "protocol": "ip",
+ "field": "saddr"
+ }
+ },
+ "right": {
+ "set": [
+ {
+ "prefix": {
+ "addr": "10.0.0.0",
+ "len": 8
+ }
+ },
+ {
+ "prefix": {
+ "addr": "172.0.0.0",
+ "len": 12
+ }
+ },
+ {
+ "prefix": {
+ "addr": "192.168.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "masquerade": null
+ }
+ ]
+ }
+ }
+ ]
+}
diff --git a/doc/ref/ruleset.nft b/doc/ref/ruleset.nft
new file mode 100644
index 0000000..db66e9c
--- /dev/null
+++ b/doc/ref/ruleset.nft
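Review bot: The masquerade source set at the end of this hunk (rule handle 6, chain postrouting, table nat4) lists `"addr": "172.0.0.0"` with `"len": 12`, which is not the RFC 1918 block: 172.0.0.0/12 covers 172.0.0.0–172.15.255.255, while the private range is 172.16.0.0/12. Given the neighbouring 10.0.0.0/8 and 192.168.0.0/16 entries, the intent looks like "masquerade all RFC 1918 sources leaving wan", in which case the entry should read `"addr": "172.16.0.0",` (len unchanged); as written, 172.16/12 hosts would be forwarded out `wan` without source NAT while packets from the public 172.0/12 space would be masqueraded. The textual mirror in doc/ref/ruleset.nft carries the same `172.0.0.0/12` in its postrouting chain and should be corrected together with this file so the two reference rulesets stay in sync.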
@@ -0,0 +1,88 @@
+table inet firewall {
+ set port_forward_v6 {
+ type inet_proto . ipv6_addr . inet_service
+ elements = { tcp . 2600:1700:115f:300f::11:1 . 22000,
+ udp . 2600:1700:115f:300f::11:1 . 22000 }
+ }
+
+ set cloudflare_forward_v6 {
+ type ipv6_addr
+ elements = { 2600:1700:115f:300f::11:1 }
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop;
+ iifname "wan" ip6 saddr fe80::be24:11ff:fe83:d8de icmpv6 type nd-router-advert log prefix "self radvt: " drop
+ ct state established,related accept
+ ip6 nexthdr ipv6-icmp ip6 saddr { 2600:1700:115f:3000::/60, fe80::/10 } accept
+ ip6 nexthdr ipv6-icmp ip6 daddr fe80::/10 accept
+ iif "lo" accept
+ ip6 daddr { fe80::/10, ff02::/16 } th dport { 546, 547 } accept
+ tcp dport 22 accept
+ udp dport 51944 accept
+ iifname "wan" jump zone_wan_input
+ iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_input
+ ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_input
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ ct state established,related accept
+ iifname "wan" jump zone_wan_forward
+ iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_forward
+ ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_forward
+ }
+
+ chain zone_wan_input {
+ }
+
+ chain zone_wan_forward {
+ ct status dnat accept
+ meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
+ ip6 saddr { 2400:cb00::/32, 2405:8100::/32, 2405:b500::/32, 2606:4700::/32, 2803:f800::/32, 2a06:98c0::/29, 2c0f:f248::/32 } ip6 daddr @cloudflare_forward_v6 th dport 443 accept
+ }
+
+ chain zone_lan_input {
+ ip6 nexthdr ipv6-icmp accept
+ ip protocol icmp accept
+ tcp dport { 22, 443 } accept
+ udp dport { 53, 67, 443, 547 } accept
+ }
+
+ chain zone_lan_forward {
+ oifname "wan" ip6 saddr fd00::/8 drop
+ oifname "wan" accept
+ oifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } accept
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+}
+table ip nat4 {
+ map port_forward {
+ type inet_proto . inet_service : ipv4_addr . inet_service
+ elements = { udp . 35848 : 10.17.1.250 . 35848,
+ udp . 37138 : 10.17.10.31 . 37138,
+ udp . 40993 : 10.17.1.250 . 40993,
+ udp . 45608 : 10.17.1.250 . 45608,
+ udp . 48425 : 10.17.1.250 . 48425,
+ tcp . 8006 : 10.17.50.10 . 8006,
+ tcp . 38247 : 10.17.10.31 . 22,
+ udp . 48512 : 10.17.1.250 . 48512,
+ udp . 24454 : 10.17.1.11 . 24454,
+ udp . 18596 : 10.17.1.250 . 18596,
+ tcp . 25565 : 10.17.1.11 . 25565,
+ udp . 25565 : 10.17.1.11 . 25565 }
+ }
+
+ chain prerouting {
+ type nat hook prerouting priority dstnat; policy accept;
+ fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ oifname "wan" ip saddr { 10.0.0.0/8, 172.0.0.0/12, 192.168.0.0/16 } masquerade
+ }
+}
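Review bot: This reference ruleset embeds what appear to be live, globally routable addressing and internal hosts — the 2600:1700:115f:3000::/60 prefix and 2600:1700:115f:300f::11:1 in the two sets and the input/forward chains, an EUI-64 link-local address in the first rule of chain input, the 10.17.x.x targets in map port_forward (including `tcp . 38247 : 10.17.10.31 . 22`), and the `udp dport 51944` listener — which documents a real network's layout in a committed file. Unless these values are fictional, the IPv6 literals should use the RFC 3849 documentation prefix (`2001:db8::/32`) and the IPv4 ones the RFC 5737 blocks (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), keeping the same structure so the example still exercises prefixes, concatenated keys and map lookups. The same literals appear in doc/ref/ruleset.json and should be replaced consistently there. Separately, a reader copying chain input should be aware that `tcp dport 22 accept` and `udp dport 51944 accept` come before the `iifname` zone jumps, so they apply on every interface including wan; if that is intended, a comment saying so would prevent the zone split from being read as covering them.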