fwl/examples/simple-router.fwl

interface wan : WAN { dynamic; };
interface lan : LAN { cidr4 = { 10.0.0.0/24 }; };

zone lan_zone = { lan };

let rfc1918 : Set<IPv4> = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 };

-- Single IPv4 port forward: tcp:8080 -> 10.0.0.10:80
let forwards : Map<(Protocol, Port), (IP, Port)> = {
  (tcp, :8080) -> (10.0.0.10, :80)
};

-- Open inbound ports on the router itself
let open_ports : Set<Port> = { :22 };

-- IPv6 forwarded destination: tcp . 2001:db8::1 . 22000
let forwards_v6 : Set<(Protocol, IP, Port)> = {
  (tcp, 2001:db8::1, :22000)
};

policy input : Frame
  on { hook = Input, table = Filter, priority = Filter }
  = {
    | _ if ct.state in { Established, Related }              -> Allow;
    | Frame(lo, _)                                           -> Allow;
    | Frame(_, IPv6(ip6, ICMPv6(_, _)))
        if ip6.src in fe80::/10                              -> Allow;
    | Frame(_, IPv4(_, TCP(tcp, _)))
        if tcp.dport in open_ports                           -> Allow;
    | Frame(_, IPv4(_, UDP(udp, _)))
        if udp.dport == :51944                               -> Allow;
    | _                                                      -> Drop;
  };

policy forward : Frame
  on { hook = Forward, table = Filter, priority = Filter }
  = {
    | _ if ct.state in { Established, Related }              -> Allow;
    | _ if ct.status == DNAT                                 -> Allow;
    | Frame(iif in lan_zone -> wan, _)                       -> Allow;
    | Frame(wan -> iif in lan_zone, IPv4(ip, TCP(th, _) | UDP(th, _)))
        if (ip.protocol, th.dport) in forwards               -> Allow;
    | Frame(wan -> iif in lan_zone, IPv6(ip6, TCP(th, _) | UDP(th, _)))
        if (ip6.protocol, ip6.dst, th.dport) in forwards_v6  -> Allow;
    | _                                                      -> Drop;
  };

policy output : Frame
  on { hook = Output, table = Filter, priority = Filter }
  = {
    | _ -> Allow;
  };

policy nat_prerouting : Frame
  on { hook = Prerouting, table = NAT, priority = DstNat }
  = {
    | Frame(_, IPv4(ip, TCP(th, _) | UDP(th, _))) ->
        if perform FIB.daddrLocal(ip.dst)
        then DNATMap((ip.protocol, th.dport), forwards)
        else Allow;
    | _ -> Allow;
  };

policy nat_postrouting : Frame
  on { hook = Postrouting, table = NAT, priority = SrcNat }
  = {
    | Frame(_ -> wan, IPv4(ip, _)) if ip.src in rfc1918      -> Masquerade;
    | _                                                      -> Allow;
  };