fwl/doc/ref/ruleset.json
2026-05-01 13:50:54 -07:00


{
"nftables": [
{
"metainfo": {
"version": "1.1.6",
"release_name": "Commodore Bullmoose #7",
"json_schema_version": 1
}
},
{
"table": {
"family": "inet",
"name": "firewall",
"handle": 42
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "input",
"handle": 1,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "forward",
"handle": 2,
"type": "filter",
"hook": "forward",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "zone_wan_input",
"handle": 3
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "zone_wan_forward",
"handle": 4
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "zone_lan_input",
"handle": 5
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "zone_lan_forward",
"handle": 6
}
},
{
"chain": {
"family": "inet",
"table": "firewall",
"name": "output",
"handle": 7,
"type": "filter",
"hook": "output",
"prio": 0,
"policy": "accept"
}
},
{
"set": {
"family": "inet",
"name": "port_forward_v6",
"table": "firewall",
"type": [
"inet_proto",
"ipv6_addr",
"inet_service"
],
"handle": 8,
"elem": [
{
"concat": [
"tcp",
"2600:1700:115f:300f::11:1",
22000
]
},
{
"concat": [
"udp",
"2600:1700:115f:300f::11:1",
22000
]
}
]
}
},
{
"set": {
"family": "inet",
"name": "cloudflare_forward_v6",
"table": "firewall",
"type": "ipv6_addr",
"handle": 9,
"elem": [
"2600:1700:115f:300f::11:1"
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 10,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifname"
}
},
"right": "wan"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": "fe80::be24:11ff:fe83:d8de"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "icmpv6",
"field": "type"
}
},
"right": "nd-router-advert"
}
},
{
"log": {
"prefix": "self radvt: "
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 11,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 13,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "nexthdr"
}
},
"right": "ipv6-icmp"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "2600:1700:115f:3000::",
"len": 60
}
},
{
"prefix": {
"addr": "fe80::",
"len": 10
}
}
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 14,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "nexthdr"
}
},
"right": "ipv6-icmp"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
"right": {
"prefix": {
"addr": "fe80::",
"len": 10
}
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 15,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 18,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "fe80::",
"len": 10
}
},
{
"prefix": {
"addr": "ff02::",
"len": 16
}
}
]
}
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "th",
"field": "dport"
}
},
"right": {
"set": [
546,
547
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 19,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": 22
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 20,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 51944
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 21,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifname"
}
},
"right": "wan"
}
},
{
"jump": {
"target": "zone_wan_input"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 23,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifname"
}
},
"right": {
"set": [
"wg0",
"lan",
"lan.10",
"lan.20",
"lan.30",
"lan.40",
"lan.50"
]
}
}
},
{
"jump": {
"target": "zone_lan_input"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "input",
"handle": 25,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "2600:1700:115f:3000::",
"len": 64
}
},
{
"prefix": {
"addr": "2600:1700:115f:300d::",
"len": 64
}
}
]
}
}
},
{
"jump": {
"target": "zone_lan_input"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "forward",
"handle": 26,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "forward",
"handle": 27,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifname"
}
},
"right": "wan"
}
},
{
"jump": {
"target": "zone_wan_forward"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "forward",
"handle": 29,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifname"
}
},
"right": {
"set": [
"wg0",
"lan",
"lan.10",
"lan.20",
"lan.30",
"lan.40",
"lan.50"
]
}
}
},
{
"jump": {
"target": "zone_lan_forward"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "forward",
"handle": 31,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "2600:1700:115f:3000::",
"len": 64
}
},
{
"prefix": {
"addr": "2600:1700:115f:300d::",
"len": 64
}
}
]
}
}
},
{
"jump": {
"target": "zone_lan_forward"
}
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_wan_forward",
"handle": 32,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "status"
}
},
"right": "dnat"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_wan_forward",
"handle": 33,
"expr": [
{
"match": {
"op": "==",
"left": {
"concat": [
{
"meta": {
"key": "l4proto"
}
},
{
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
{
"payload": {
"protocol": "th",
"field": "dport"
}
}
]
},
"right": "@port_forward_v6"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_wan_forward",
"handle": 35,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "2400:cb00::",
"len": 32
}
},
{
"prefix": {
"addr": "2405:8100::",
"len": 32
}
},
{
"prefix": {
"addr": "2405:b500::",
"len": 32
}
},
{
"prefix": {
"addr": "2606:4700::",
"len": 32
}
},
{
"prefix": {
"addr": "2803:f800::",
"len": 32
}
},
{
"prefix": {
"addr": "2a06:98c0::",
"len": 29
}
},
{
"prefix": {
"addr": "2c0f:f248::",
"len": 32
}
}
]
}
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
"right": "@cloudflare_forward_v6"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "th",
"field": "dport"
}
},
"right": 443
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_input",
"handle": 36,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "nexthdr"
}
},
"right": "ipv6-icmp"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_input",
"handle": 37,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "protocol"
}
},
"right": "icmp"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_input",
"handle": 39,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "tcp",
"field": "dport"
}
},
"right": {
"set": [
22,
443
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_input",
"handle": 41,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": {
"set": [
53,
67,
443,
547
]
}
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_forward",
"handle": 42,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifname"
}
},
"right": "wan"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"prefix": {
"addr": "fd00::",
"len": 8
}
}
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_forward",
"handle": 43,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifname"
}
},
"right": "wan"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "inet",
"table": "firewall",
"chain": "zone_lan_forward",
"handle": 45,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifname"
}
},
"right": {
"set": [
"wg0",
"lan",
"lan.10",
"lan.20",
"lan.30",
"lan.40",
"lan.50"
]
}
}
},
{
"accept": null
}
]
}
},
{
"table": {
"family": "ip",
"name": "nat4",
"handle": 43
}
},
{
"chain": {
"family": "ip",
"table": "nat4",
"name": "prerouting",
"handle": 1,
"type": "nat",
"hook": "prerouting",
"prio": -100,
"policy": "accept"
}
},
{
"chain": {
"family": "ip",
"table": "nat4",
"name": "postrouting",
"handle": 2,
"type": "nat",
"hook": "postrouting",
"prio": 100,
"policy": "accept"
}
},
{
"map": {
"family": "ip",
"name": "port_forward",
"table": "nat4",
"type": [
"inet_proto",
"inet_service"
],
"handle": 3,
"map": [
"ipv4_addr",
"inet_service"
],
"elem": [
[
{
"concat": [
"udp",
35848
]
},
{
"concat": [
"10.17.1.250",
35848
]
}
],
[
{
"concat": [
"udp",
37138
]
},
{
"concat": [
"10.17.10.31",
37138
]
}
],
[
{
"concat": [
"udp",
40993
]
},
{
"concat": [
"10.17.1.250",
40993
]
}
],
[
{
"concat": [
"udp",
45608
]
},
{
"concat": [
"10.17.1.250",
45608
]
}
],
[
{
"concat": [
"udp",
48425
]
},
{
"concat": [
"10.17.1.250",
48425
]
}
],
[
{
"concat": [
"tcp",
8006
]
},
{
"concat": [
"10.17.50.10",
8006
]
}
],
[
{
"concat": [
"tcp",
38247
]
},
{
"concat": [
"10.17.10.31",
22
]
}
],
[
{
"concat": [
"udp",
48512
]
},
{
"concat": [
"10.17.1.250",
48512
]
}
],
[
{
"concat": [
"udp",
24454
]
},
{
"concat": [
"10.17.1.11",
24454
]
}
],
[
{
"concat": [
"udp",
18596
]
},
{
"concat": [
"10.17.1.250",
18596
]
}
],
[
{
"concat": [
"tcp",
25565
]
},
{
"concat": [
"10.17.1.11",
25565
]
}
],
[
{
"concat": [
"udp",
25565
]
},
{
"concat": [
"10.17.1.11",
25565
]
}
]
]
}
},
{
"rule": {
"family": "ip",
"table": "nat4",
"chain": "prerouting",
"handle": 4,
"expr": [
{
"match": {
"op": "==",
"left": {
"fib": {
"result": "type",
"flags": [
"daddr"
]
}
},
"right": "local"
}
},
{
"dnat": {
"family": "ip",
"addr": {
"map": {
"key": {
"concat": [
{
"meta": {
"key": "l4proto"
}
},
{
"payload": {
"protocol": "th",
"field": "dport"
}
}
]
},
"data": "@port_forward"
}
}
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "nat4",
"chain": "postrouting",
"handle": 6,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifname"
}
},
"right": "wan"
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
"right": {
"set": [
{
"prefix": {
"addr": "10.0.0.0",
"len": 8
}
},
{
"prefix": {
"addr": "172.0.0.0",
"len": 12
}
},
{
"prefix": {
"addr": "192.168.0.0",
"len": 16
}
}
]
}
}
},
{
"masquerade": null
}
]
}
}
]
}