examples: update router.fwl to new grammar (portforward/masquerade, compact hook syntax)
@@ -9,10 +9,7 @@ zone lan_zone = { lan, wg0 };
|
|||||||
|
|
||||||
let rfc1918 : Set<IPv4> = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };
|
let rfc1918 : Set<IPv4> = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };
|
||||||
|
|
||||||
let forwards : Map<(Protocol, Port), (IP, Port)> = {
|
let open_ports : Set<Port> = { :22 };
|
||||||
(tcp, :8080) -> (10.17.1.10, :80),
|
|
||||||
(tcp, :2222) -> (10.17.1.11, :22)
|
|
||||||
};
|
|
||||||
|
|
||||||
-- WireGuard handshake detection (compiles to ct mark state machine)
|
-- WireGuard handshake detection (compiles to ct mark state machine)
|
||||||
pattern WGInitiation : (UDPHeader, Bytes) =
|
pattern WGInitiation : (UDPHeader, Bytes) =
|
||||||
@@ -40,56 +37,32 @@ rule blockOutboundWG : Frame -> <FlowMatch, Log> Action =
|
|||||||
| _ -> Continue;
|
| _ -> Continue;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
-- Port-forward map: incoming proto+port -> internal addr+port
|
||||||
|
portforward wan_forwards
|
||||||
|
on wan
|
||||||
|
via Map<(Protocol, Port), (IPv4, Port)> = {
|
||||||
|
(tcp, :8080) -> (10.17.1.10, :80),
|
||||||
|
(tcp, :2222) -> (10.17.1.11, :22)
|
||||||
|
};
|
||||||
|
|
||||||
|
-- Masquerade outbound traffic from RFC1918 sources
|
||||||
|
masquerade wan_snat
|
||||||
|
on wan
|
||||||
|
src rfc1918;
|
||||||
|
|
||||||
-- Inbound to router
|
-- Inbound to router
|
||||||
policy input : Frame
|
policy input : Frame hook Input = {
|
||||||
on { hook = Input, table = Filter, priority = Filter }
|
|
||||||
= {
|
|
||||||
| _ if ct.state in { Established, Related } -> Allow;
|
|
||||||
| Frame(lo, _) -> Allow;
|
|
||||||
| Frame(_, IPv6(ip6, ICMPv6(_, _)))
|
|
||||||
if ip6.src in fe80::/10 -> Allow;
|
|
||||||
| Frame(_, IPv4(_, TCP(tcp, _)))
|
| Frame(_, IPv4(_, TCP(tcp, _)))
|
||||||
if tcp.dport == :22 -> Allow;
|
if tcp.dport in open_ports -> Allow;
|
||||||
| Frame(_, IPv4(_, UDP(udp, _)))
|
| Frame(_, IPv4(_, UDP(udp, _)))
|
||||||
if udp.dport == :51944 -> Allow;
|
if udp.dport == :51944 -> Allow;
|
||||||
| _ -> Drop;
|
| _ -> Drop;
|
||||||
};
|
};
|
||||||
|
|
||||||
-- Forwarded traffic
|
-- Forwarded traffic
|
||||||
policy forward : Frame
|
policy forward : Frame hook Forward = {
|
||||||
on { hook = Forward, table = Filter, priority = Filter }
|
| frame if iif in lan_zone && oif == wan -> blockOutboundWG(frame);
|
||||||
= {
|
| Frame(iif in lan_zone -> wan, _) -> Allow;
|
||||||
| _ if ct.state in { Established, Related } -> Allow;
|
| Frame(iif in lan_zone -> lan_zone, _) -> Allow;
|
||||||
| frame if iif in lan_zone && oif == wan -> blockOutboundWG(frame);
|
| _ -> Drop;
|
||||||
| _ if ct.status == DNAT -> Allow;
|
};
|
||||||
| Frame(iif in lan_zone -> wan, _) -> Allow;
|
|
||||||
| Frame(iif in lan_zone -> lan_zone, _) -> Allow;
|
|
||||||
| Frame(wan -> lan_zone, IPv4(ip, TCP(th, _) | UDP(th, _)))
|
|
||||||
if (ip.protocol, th.dport) in forwards -> Allow;
|
|
||||||
| _ -> Drop;
|
|
||||||
};
|
|
||||||
|
|
||||||
-- Outbound from router
|
|
||||||
policy output : Frame
|
|
||||||
on { hook = Output, table = Filter, priority = Filter }
|
|
||||||
= {
|
|
||||||
| _ -> Allow;
|
|
||||||
};
|
|
||||||
|
|
||||||
-- NAT
|
|
||||||
policy nat_prerouting : Frame
|
|
||||||
on { hook = Prerouting, table = NAT, priority = DstNat }
|
|
||||||
= {
|
|
||||||
| Frame(_, IPv4(ip, TCP(th, _) | UDP(th, _))) ->
|
|
||||||
if perform FIB.daddrLocal(ip.dst)
|
|
||||||
then DNATMap((ip.protocol, th.dport), forwards)
|
|
||||||
else Allow;
|
|
||||||
| _ -> Allow;
|
|
||||||
};
|
|
||||||
|
|
||||||
policy nat_postrouting : Frame
|
|
||||||
on { hook = Postrouting, table = NAT, priority = SrcNat }
|
|
||||||
= {
|
|
||||||
| Frame(_ -> wan, IPv4(ip, _)) if ip.src in rfc1918 -> Masquerade;
|
|
||||||
| _ -> Allow;
|
|
||||||
};
|
|
||||||
|
|||||||
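Review bot: The rewritten forward policy in the second hunk (`policy forward : Frame hook Forward = {` through `| _ -> Drop;`) no longer carries the `ct.state in { Established, Related }`, `ct.status == DNAT` and `wan -> lan_zone … in forwards` clauses the old side had, so unless the new `portforward wan_forwards` declaration and the `hook Forward` form implicitly install the conntrack and DNAT accept rules, inbound connections to 10.17.1.10:80 and 10.17.1.11:22 and all return traffic from wan now fall through to the final `| _ -> Drop;`. The same question applies to `policy input`, where the Established/Related, `Frame(lo, _)` and ICMPv6 link-local allows were removed; if `hook Input` supplies them the example should say so, otherwise the router loses replies to its own connections and IPv6 neighbor discovery. Failing closed is the safe direction, but an example file should state which it is: either add a comment above the forward policy such as `-- portforward/masquerade install their own conntrack and DNAT accept rules; explicit ct.state / ct.status clauses are not needed here` or restore `| _ if ct.state in { Established, Related } -> Allow;` and `| _ if ct.status == DNAT -> Allow;` ahead of the zone matches. Minor: `:22` now lives in `open_ports` while the WireGuard port `:51944` stays a literal in the UDP clause; a named binding next to `open_ports` would keep the two consistent.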