{ "nftables": [ { "metainfo": { "version": "1.1.6", "release_name": "Commodore Bullmoose #7", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "fwl" } }, { "chain": { "family": "inet", "table": "fwl", "name": "input", "type": "filter", "hook": "input", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "fwl", "name": "forward", "type": "filter", "hook": "forward", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "fwl", "name": "output", "type": "filter", "hook": "output", "prio": 0, "policy": "accept" } }, { "chain": { "family": "inet", "table": "fwl", "name": "nat_prerouting", "type": "nat", "hook": "prerouting", "prio": -100, "policy": "accept" } }, { "chain": { "family": "inet", "table": "fwl", "name": "nat_postrouting", "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept" } }, { "set": { "family": "inet", "name": "rfc1918", "table": "fwl", "type": "ipv4_addr", "flags": [ "interval" ], "elem": [ { "prefix": { "addr": "10.0.0.0", "len": 8 } }, { "prefix": { "addr": "172.16.0.0", "len": 12 } }, { "prefix": { "addr": "192.168.0.0", "len": 16 } } ] } }, { "set": { "family": "inet", "name": "open_ports", "table": "fwl", "type": "inet_service", "elem": [ 22 ] } }, { "set": { "family": "inet", "name": "forwards_v6", "table": "fwl", "type": [ "inet_proto", "ipv6_addr", "inet_service" ], "elem": [ { "concat": [ "tcp", "2001:db8::1", 22000 ] } ] } }, { "map": { "family": "inet", "name": "forwards", "table": "fwl", "type": [ "inet_proto", "inet_service" ], "map": [ "ipv4_addr", "inet_service" ], "elem": [ [ { "concat": [ "tcp", 8080 ] }, { "concat": [ "10.0.0.10", 80 ] } ] ] } }, { "set": { "family": "inet", "name": "lan_zone", "table": "fwl", "type": "ifname", "elem": [ "lan" ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "input", "expr": [ { "match": { "op": "==", "left": { "ct": { "key": "state" } }, "right": { "set": [ "established", "related" ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "input", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "input", "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "prefix": { "addr": "fe80::", "len": 10 } } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "input", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "nfproto" } }, "right": "ipv4" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": "@open_ports" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "input", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "nfproto" } }, "right": "ipv4" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 51944 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "forward", "expr": [ { "match": { "op": "==", "left": { "ct": { "key": "state" } }, "right": { "set": [ "established", "related" ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "forward", "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "status" } }, "right": "dnat" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "forward", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "@lan_zone" } }, { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "wan" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "forward", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "@lan_zone" } }, { "match": { "op": "==", "left": { "meta": { "key": "nfproto" } }, "right": "ipv4" } }, { "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": { "set": [ "tcp", "udp" ] } } }, { "match": { "op": "==", "left": { "concat": [ { "meta": { "key": "l4proto" } }, { "payload": { "protocol": "th", "field": "dport" } } ] }, "right": "@forwards" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "forward", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "@lan_zone" } }, { "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": { "set": [ "tcp", "udp" ] } } }, { "match": { "op": "==", "left": { "concat": [ { "meta": { "key": "l4proto" } }, { "payload": { "protocol": "ip6", "field": "daddr" } }, { "payload": { "protocol": "th", "field": "dport" } } ] }, "right": "@forwards_v6" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "nat_prerouting", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "nfproto" } }, "right": "ipv4" } }, { "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": { "set": [ "tcp", "udp" ] } } }, { "match": { "op": "==", "left": { "fib": { "result": "type", "flags": [ "daddr" ] } }, "right": "local" } }, { "dnat": { "family": "ip", "addr": { "map": { "key": { "concat": [ { "meta": { "key": "l4proto" } }, { "payload": { "protocol": "th", "field": "dport" } } ] }, "data": "@forwards" } } } } ] } }, { "rule": { "family": "inet", "table": "fwl", "chain": "nat_postrouting", "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": "@rfc1918" } }, { "masquerade": null } ] } } ] }