add more ruleset examples

2026-05-04 01:44:19 -07:00
parent 25f95996fb
commit 9390647f7a
6 changed files with 1979 additions and 0 deletions
--- a/examples/simple-router.nft
+++ b/examples/simple-router.nft
@@ -0,0 +1,98 @@
+table inet fwl {
+
+    # ── let rfc1918 ──────────────────────────────────────────────────────────
+    set rfc1918 {
+        type ipv4_addr
+        flags interval
+        elements = {
+            10.0.0.0/8,
+            172.16.0.0/12,
+            192.168.0.0/16
+        }
+    }
+
+    # ── let open_ports : Set<Port> ───────────────────────────────────────────
+    set open_ports {
+        type inet_service
+        elements = { 22 }
+    }
+
+    # ── let forwards_v6 : Set<(Protocol, IP, Port)> ──────────────────────────
+    set forwards_v6 {
+        type inet_proto . ipv6_addr . inet_service
+        elements = {
+            tcp . 2001:db8::1 . 22000
+        }
+    }
+
+    # ── let forwards : Map<(Protocol, Port), (IP, Port)> ────────────────────
+    map forwards {
+        type inet_proto . inet_service : ipv4_addr . inet_service
+        elements = {
+            tcp . 8080 : 10.0.0.10 . 80
+        }
+    }
+
+    # ── zone lan_zone = { lan } ──────────────────────────────────────────────
+    # Zones compile to anonymous sets wherever referenced in iifname/oifname.
+    # With a single member the set degenerates to a plain string match,
+    # but we keep the set form so the compiler output is uniform regardless
+    # of zone size.
+    set lan_zone {
+        type ifname
+        elements = { "lan" }
+    }
+
+    # ── policy input ─────────────────────────────────────────────────────────
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        ct state { established, related } accept
+        iifname "lo" accept
+        meta nfproto ipv6 ip6 nexthdr ipv6-icmp ip6 saddr fe80::/10 accept
+        meta nfproto ipv4 meta l4proto tcp tcp dport @open_ports accept
+        meta nfproto ipv4 meta l4proto udp udp dport 51944 accept
+    }
+
+    # ── policy forward ───────────────────────────────────────────────────────
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+
+        ct state { established, related } accept
+        ct status dnat accept
+
+        # | Frame(iif in lan_zone -> wan, _) -> Allow
+        meta iifname @lan_zone meta oifname "wan" accept
+
+        # | Frame(wan -> iif in lan_zone, IPv4 TCP|UDP) if (proto,dport) in forwards
+        meta iifname "wan" meta oifname @lan_zone \
+            meta nfproto ipv4 meta l4proto { tcp, udp } \
+            meta l4proto . th dport @forwards accept
+
+        # | Frame(wan -> iif in lan_zone, IPv6 TCP|UDP) if (proto,dst,dport) in forwards_v6
+        meta iifname "wan" meta oifname @lan_zone \
+            meta nfproto ipv6 meta l4proto { tcp, udp } \
+            meta l4proto . ip6 daddr . th dport @forwards_v6 accept
+    }
+
+    # ── policy output ────────────────────────────────────────────────────────
+    chain output {
+        type filter hook output priority filter; policy accept;
+    }
+
+    # ── policy nat_prerouting ────────────────────────────────────────────────
+    chain nat_prerouting {
+        type nat hook prerouting priority dstnat; policy accept;
+
+        meta nfproto ipv4 meta l4proto { tcp, udp } \
+            fib daddr type local \
+            dnat ip to meta l4proto . th dport map @forwards
+    }
+
+    # ── policy nat_postrouting ───────────────────────────────────────────────
+    chain nat_postrouting {
+        type nat hook postrouting priority srcnat; policy accept;
+
+        meta oifname "wan" meta nfproto ipv4 ip saddr @rfc1918 masquerade
+    }
+}