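-- Interfaces and zones ---------------------------------------------------
interface wan : WAN { dynamic; };
interface lan : LAN { cidr4 = { 10.0.0.0/24 }; };
zone lan_zone = { lan };

-- RFC 1918 private ranges. Doubles as the set of sources that may leave via
-- wan at all (see `forward`) and that `nat_postrouting` masquerades, so the
-- two stay in lock-step.
let rfc1918 : Set = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };

-- Single IPv4 port forward: tcp:8080 -> 10.0.0.10:80 (applied by
-- nat_prerouting, admitted in `forward` via ct.status == DNAT).
let forwards : Map<(Protocol, Port), (IP, Port)> = { (tcp, :8080) -> (10.0.0.10, :80) };

-- TCP ports open on the router itself.
-- NOTE(review): `input` admits these from every interface, wan included, so
-- :22 is internet-reachable as written. Restrict the rule to
-- `Frame(iif in lan_zone, ...)` unless remote administration over wan is
-- intended.
let open_ports : Set = { :22 };

-- UDP ports open on the router itself (was an unnamed literal in `input`).
-- :51944 presumably is a VPN/tunnel listener that must be reachable from wan
-- — TODO confirm which service and document it here.
let open_udp_ports : Set = { :51944 };

-- IPv6 forwarded destination: tcp . 2001:db8::1 . 22000 (routed, no NAT)
let forwards_v6 : Set<(Protocol, IP, Port)> = { (tcp, 2001:db8::1, :22000) };

-- Traffic addressed to the router ----------------------------------------
policy input : Frame on { hook = Input, table = Filter, priority = Filter } = {
  -- Conntrack-invalid packets are rejected before any port rule can admit
  -- them; otherwise a stray segment to :22 would pass on dport alone.
  | _ if ct.state == Invalid -> Drop;
  | _ if ct.state in { Established, Related } -> Allow;
  | Frame(lo, _) -> Allow;
  -- Link-local ICMPv6 only (NDP, RS/RA, MLD). ICMPv6 errors for existing
  -- flows, e.g. Packet Too Big, arrive as Related and are covered above.
  | Frame(_, IPv6(ip6, ICMPv6(_, _))) if ip6.src in fe80::/10 -> Allow;
  | Frame(_, IPv4(_, TCP(tcp, _))) if tcp.dport in open_ports -> Allow;
  | Frame(_, IPv4(_, UDP(udp, _))) if udp.dport in open_udp_ports -> Allow;
  -- NOTE(review): wan is `dynamic`; if its DHCP client is subject to this
  -- hook, inbound UDP :68 may need an explicit rule — verify on the target.
  | _ -> Drop;
};

-- Traffic routed through the router --------------------------------------
policy forward : Frame on { hook = Forward, table = Filter, priority = Filter } = {
  -- Drop Invalid first: nat_postrouting does not rewrite such packets, so
  -- letting them ride the lan -> wan rule would leak private sources.
  | _ if ct.state == Invalid -> Drop;
  | _ if ct.state in { Established, Related } -> Allow;
  -- Flows rewritten by nat_prerouting from the `forwards` map. This hook
  -- runs after DstNat and therefore sees the post-DNAT (10.0.0.10, :80)
  -- tuple; this is the rule that admits IPv4 forwards. The former
  -- `(ip.protocol, th.dport) in forwards` rule is removed: it keyed on the
  -- pre-DNAT port, which a DNATed packet no longer carries here, and it
  -- checked no destination, so it would admit any wan packet with dport
  -- 8080 to any lan host should the upstream ever route 10.0.0.0/24 to us.
  -- NOTE(review): this also admits lan-originated hairpin hits on the DNAT
  -- target, which have no matching SNAT and will not complete — confirm
  -- whether hairpin is wanted and add SNAT on lan egress if so.
  | _ if ct.status == DNAT -> Allow;
  -- Egress: only sources that nat_postrouting will masquerade may leave via
  -- wan (anti-spoofing; a lan host forging a public source is dropped
  -- instead of being forwarded unmasked).
  | Frame(iif in lan_zone -> wan, IPv4(ip, _)) if ip.src in rfc1918 -> Allow;
  -- No cidr6 is declared on lan, so IPv6 egress is not source-filtered —
  -- TODO add the delegated prefix here once known.
  | Frame(iif in lan_zone -> wan, IPv6(_, _)) -> Allow;
  -- Routed IPv6 ingress to an explicit (proto, dst, dport) tuple.
  -- NOTE(review): `iif in lan_zone` on the egress side is kept from the
  -- original; if the DSL distinguishes ingress from egress interface this
  -- likely wants the egress form, otherwise the rule can never match.
  | Frame(wan -> iif in lan_zone, IPv6(ip6, TCP(th, _) | UDP(th, _)))
      if (ip6.protocol, ip6.dst, th.dport) in forwards_v6 -> Allow;
  | _ -> Drop;
};

-- Locally generated traffic is unrestricted.
policy output : Frame on { hook = Output, table = Filter, priority = Filter } = {
  | _ -> Allow;
};

-- Destination NAT ---------------------------------------------------------
-- Rewrites IPv4 TCP/UDP addressed to any local address (FIB lookup) using
-- the `forwards` map; unmatched keys and everything else pass untouched.
-- NOTE(review): applies on every interface, not only wan (see the hairpin
-- note in `forward`).
policy nat_prerouting : Frame on { hook = Prerouting, table = NAT, priority = DstNat } = {
  | Frame(_, IPv4(ip, TCP(th, _) | UDP(th, _))) ->
      if perform FIB.daddrLocal(ip.dst)
      then DNATMap((ip.protocol, th.dport), forwards)
      else Allow;
  | _ -> Allow;
};

-- Source NAT --------------------------------------------------------------
-- Masquerades private IPv4 sources leaving via wan; `forward` only lets
-- such sources out, so nothing reaches wan with an unrewritten private
-- address. IPv6 is routed, never NATed.
policy nat_postrouting : Frame on { hook = Postrouting, table = NAT, priority = SrcNat } = {
  | Frame(_ -> wan, IPv4(ip, _)) if ip.src in rfc1918 -> Masquerade;
  | _ -> Allow;
};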