{ "nftables": [ { "metainfo": { "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "fwl" } }, { "chain": { "family": "inet", "hook": "input", "name": "input", "policy": "drop", "prio": 0, "table": "fwl", "type": "filter" } }, { "chain": { "family": "inet", "hook": "forward", "name": "forward", "policy": "drop", "prio": 0, "table": "fwl", "type": "filter" } }, { "chain": { "family": "inet", "hook": "output", "name": "output", "policy": "accept", "prio": 0, "table": "fwl", "type": "filter" } }, { "chain": { "family": "inet", "hook": "prerouting", "name": "nat_prerouting", "policy": "accept", "prio": -100, "table": "fwl", "type": "nat" } }, { "chain": { "family": "inet", "hook": "postrouting", "name": "nat_postrouting", "policy": "accept", "prio": 100, "table": "fwl", "type": "nat" } }, { "set": { "elem": [ { "prefix": { "addr": "10.0.0.0", "len": 8 } }, { "prefix": { "addr": "172.16.0.0", "len": 12 } }, { "prefix": { "addr": "192.168.0.0", "len": 16 } } ], "family": "inet", "name": "rfc1918", "table": "fwl", "type": "ipv4_addr" } }, { "map": { "elem": [ [ { "concat": [ "tcp", 8080 ] }, { "concat": [ "10.0.0.10", 80 ] } ] ], "family": "inet", "map": [ "ipv4_addr", "inet_service" ], "name": "forwards", "table": "fwl", "type": [ "inet_proto", "inet_service" ] } }, { "set": { "elem": [ 22 ], "family": "inet", "name": "open_ports", "table": "fwl", "type": "inet_service" } }, { "set": { "elem": [ { "concat": [ "tcp", "2001:db8:0:0:0:0:0:1", 22000 ] } ], "family": "inet", "name": "forwards_v6", "table": "fwl", "type": [ "inet_proto", "ipv4_addr", "inet_service" ] } }, { "rule": { "chain": "input", "expr": [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": [ "established", "related" ] } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "input", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "lo" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "input", "expr": [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "match": { "left": { "payload": { "field": "nexthdr", "protocol": "ip6" } }, "op": "==", "right": "ipv6-icmp" } }, { "match": { "left": { "payload": { "field": "saddr", "protocol": "ip6" } }, "op": "==", "right": { "prefix": { "addr": "fe80:0:0:0:0:0:0:0", "len": 10 } } } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "input", "expr": [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "tcp" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "tcp" } }, "op": "==", "right": "@open_ports" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "input", "expr": [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "udp" } }, { "match": { "left": { "payload": { "field": "dport", "protocol": "udp" } }, "op": "==", "right": "51944" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "input", "expr": [ { "drop": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "ct": { "key": "state" } }, "op": "in", "right": [ "established", "related" ] } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "ct": { "key": "status" } }, "op": "==", "right": "dnat" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "in", "right": { "set": [ "lan" ] } } }, { "match": { "left": { "meta": { "key": "oifname" } }, "op": "==", "right": "wan" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "wan" } }, { "match": { "left": { "meta": { "key": "oifname" } }, "op": "in", "right": { "set": [ "lan" ] } } }, { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "tcp" } }, { "match": { "left": { "concat": [ { "payload": { "field": "protocol", "protocol": "ip" } }, { "payload": { "field": "dport", "protocol": "th" } } ] }, "op": "==", "right": "@forwards" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "wan" } }, { "match": { "left": { "meta": { "key": "oifname" } }, "op": "in", "right": { "set": [ "lan" ] } } }, { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "udp" } }, { "match": { "left": { "concat": [ { "payload": { "field": "protocol", "protocol": "ip" } }, { "payload": { "field": "dport", "protocol": "th" } } ] }, "op": "==", "right": "@forwards" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "wan" } }, { "match": { "left": { "meta": { "key": "oifname" } }, "op": "in", "right": { "set": [ "lan" ] } } }, { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "tcp" } }, { "match": { "left": { "concat": [ { "payload": { "field": "protocol", "protocol": "ip6" } }, { "payload": { "field": "daddr", "protocol": "ip6" } }, { "payload": { "field": "dport", "protocol": "th" } } ] }, "op": "==", "right": "@forwards_v6" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "match": { "left": { "meta": { "key": "iifname" } }, "op": "==", "right": "wan" } }, { "match": { "left": { "meta": { "key": "oifname" } }, "op": "in", "right": { "set": [ "lan" ] } } }, { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv6" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "udp" } }, { "match": { "left": { "concat": [ { "payload": { "field": "protocol", "protocol": "ip6" } }, { "payload": { "field": "daddr", "protocol": "ip6" } }, { "payload": { "field": "dport", "protocol": "th" } } ] }, "op": "==", "right": "@forwards_v6" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "forward", "expr": [ { "drop": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "output", "expr": [ { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "nat_prerouting", "expr": [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "tcp" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "nat_prerouting", "expr": [ { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "meta": { "key": "l4proto" } }, "op": "==", "right": "udp" } }, { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "nat_prerouting", "expr": [ { "accept": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "nat_postrouting", "expr": [ { "match": { "left": { "meta": { "key": "oifname" } }, "op": "==", "right": "wan" } }, { "match": { "left": { "meta": { "key": "nfproto" } }, "op": "==", "right": "ipv4" } }, { "match": { "left": { "payload": { "field": "saddr", "protocol": "ip" } }, "op": "==", "right": "@rfc1918" } }, { "masquerade": null } ], "family": "inet", "table": "fwl" } }, { "rule": { "chain": "nat_postrouting", "expr": [ { "accept": null } ], "family": "inet", "table": "fwl" } } ] }