authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
commit971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch)
tree26feb2498c72b796e07b86349d17f544046de279 /tests/shell/testcases/nft-f/dumps
parentInitial commit. (diff)
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/shell/testcases/nft-f/dumps')
-rw-r--r--tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft16
-rw-r--r--tests/shell/testcases/nft-f/dumps/0006action_object_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0009variable_0.nft7
-rw-r--r--tests/shell/testcases/nft-f/dumps/0010variable_0.nft6
-rw-r--r--tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft21
-rw-r--r--tests/shell/testcases/nft-f/dumps/0013defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0014defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0015defines_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0016redefines_1.nft6
-rw-r--r--tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft11
-rw-r--r--tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft13
-rw-r--r--tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft8
-rw-r--r--tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0022variables_0.nft14
-rw-r--r--tests/shell/testcases/nft-f/dumps/0023check_1.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0024priority_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft18
-rw-r--r--tests/shell/testcases/nft-f/dumps/0026listing_0.nft5
-rw-r--r--tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft9
-rw-r--r--tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft8
-rw-r--r--tests/shell/testcases/nft-f/dumps/0029split_file_0.nft10
-rw-r--r--tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft11
-rw-r--r--tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft0
-rw-r--r--tests/shell/testcases/nft-f/dumps/0032pknock_0.nft25
-rw-r--r--tests/shell/testcases/nft-f/dumps/sample-ruleset.nft239
34 files changed, 505 insertions, 0 deletions
diff --git a/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0001define_slash_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0002rollback_rule_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0003rollback_jump_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0004rollback_set_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
new file mode 100644
index 0000000..3fad909
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0005rollback_map_0.nft
@@ -0,0 +1,16 @@
+table ip t {
+ set t {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+
+ chain c {
+ ct state new
+ tcp dport { 22222, 33333 }
+ ip saddr @t drop
+ jump other
+ }
+
+ chain other {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0006action_object_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0007action_object_set_segfault_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
new file mode 100644
index 0000000..d7e7808
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0008split_tables_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+ chain ssh {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 accept
+ }
+
+ chain input {
+ type filter hook input priority filter + 1; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0009variable_0.nft b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
new file mode 100644
index 0000000..7f59a27
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0009variable_0.nft
@@ -0,0 +1,7 @@
+table inet forward {
+ set concat-set-variable {
+ type ipv4_addr . inet_service
+ elements = { 10.10.10.10 . 25,
+ 10.10.10.10 . 143 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0010variable_0.nft b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
new file mode 100644
index 0000000..1f3d05e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0010variable_0.nft
@@ -0,0 +1,6 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0011manydefines_0.nodump
diff --git a/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
new file mode 100644
index 0000000..4734b2f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0012different_defines_0.nft
@@ -0,0 +1,21 @@
+table inet t {
+ chain c {
+ iifname "whatever" oifname "whatever" iif "lo" oif "lo"
+ iifname { "whatever" } iif { "lo" } meta mark 0x0000007b
+ ct state established,related,new
+ ct state != established | related | new
+ ip saddr 10.0.0.0 ip daddr 10.0.0.2 ip saddr 10.0.0.0
+ ip6 daddr fe0::1 ip6 saddr fe0::2
+ ip saddr vmap { 10.0.0.0 : drop, 10.0.0.2 : accept }
+ ip6 daddr vmap { fe0::1 : drop, fe0::2 : accept }
+ ip6 saddr . ip6 nexthdr { fe0::2 . tcp, fe0::1 . udp }
+ ip daddr . iif vmap { 10.0.0.0 . "lo" : accept }
+ tcp dport 100-222
+ udp dport vmap { 100-222 : accept }
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to 0
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass,fanout to 1-42
+ tcp sport 1 tcp dport 1 oifname "foobar" queue to symhash mod 2
+ tcp sport 1 tcp dport 1 oifname "foobar" queue flags bypass to jhash tcp dport . tcp sport mod 4
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0013defines_1.nft b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0013defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0014defines_1.nft b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0014defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0015defines_1.nft b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0015defines_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
new file mode 100644
index 0000000..65b7f49
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0016redefines_1.nft
@@ -0,0 +1,6 @@
+table ip x {
+ chain y {
+ ip saddr { 1.1.1.1, 2.2.2.2 }
+ ip saddr { 3.3.3.3, 4.4.4.4 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
new file mode 100644
index 0000000..c5d9649
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0017ct_timeout_obj_0.nft
@@ -0,0 +1,11 @@
+table ip filter {
+ ct timeout cttime {
+ protocol tcp
+ l3proto ip
+ policy = { established : 2m3s, close : 12s }
+ }
+
+ chain c {
+ ct timeout set "cttime"
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
new file mode 100644
index 0000000..396185e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018ct_expectation_obj_0.nft
@@ -0,0 +1,13 @@
+table ip filter {
+ ct expectation ctexpect {
+ protocol tcp
+ dport 9876
+ timeout 1m
+ size 12
+ l3proto ip
+ }
+
+ chain c {
+ ct expectation set "ctexpect"
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
new file mode 100644
index 0000000..0ddaf07
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0018jump_variable_0.nft
@@ -0,0 +1,8 @@
+table ip foo {
+ chain bar {
+ jump ber
+ }
+
+ chain ber {
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0019jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0020jump_variable_1.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
new file mode 100644
index 0000000..b2cd401
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0021list_ruleset_0.nft
@@ -0,0 +1,5 @@
+table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority -50; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0022variables_0.nft b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
new file mode 100644
index 0000000..d30f4d5
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0022variables_0.nft
@@ -0,0 +1,14 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain z {
+ type filter hook input priority filter; policy accept;
+ add @y { ip saddr }
+ update @y { ip saddr timeout 30s }
+ ip saddr @y
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0023check_1.nft b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
new file mode 100644
index 0000000..04b9e70
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0023check_1.nft
@@ -0,0 +1,5 @@
+table ip foo {
+ chain bar {
+ type filter hook prerouting priority filter; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0024priority_0.nft b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
new file mode 100644
index 0000000..cd7fc50
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0024priority_0.nft
@@ -0,0 +1,10 @@
+table inet statelessnat {
+ chain prerouting {
+ type filter hook prerouting priority dstnat; policy accept;
+ ip daddr set numgen inc mod 16 map { 0-7 : 10.0.1.1, 8-15 : 10.0.1.2 }
+ }
+
+ chain postrouting {
+ type filter hook postrouting priority srcnat; policy accept;
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
new file mode 100644
index 0000000..33b9e4f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0025empty_dynset_0.nft
@@ -0,0 +1,18 @@
+table ip foo {
+ set inflows {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 counter packets 0 bytes 0 }
+ }
+
+ set inflows6 {
+ type ipv6_addr . inet_service . ifname . ipv6_addr . inet_service
+ flags dynamic
+ }
+
+ set inflows_ratelimit {
+ type ipv4_addr . inet_service . ifname . ipv4_addr . inet_service
+ flags dynamic
+ elements = { 10.1.0.3 . 39466 . "veth1" . 10.3.0.99 . 5201 limit rate 1/second burst 5 packets counter packets 0 bytes 0 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0026listing_0.nft b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
new file mode 100644
index 0000000..fd0bb68
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0026listing_0.nft
@@ -0,0 +1,5 @@
+table ip A {
+ chain B {
+ tcp dport { 1, 2 } accept
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
new file mode 100644
index 0000000..39198be
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0027split_chains_0.nft
@@ -0,0 +1,9 @@
+table inet filter {
+ chain x {
+ }
+
+ chain input {
+ type filter hook input priority filter; policy accept;
+ jump x
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
new file mode 100644
index 0000000..aa08112
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0028variable_cmdline_0.nft
@@ -0,0 +1,8 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2,
+ 3.3.3.3, 4.4.4.4,
+ 5.5.5.5 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
new file mode 100644
index 0000000..32d5c0e
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0029split_file_0.nft
@@ -0,0 +1,10 @@
+table inet filter {
+ set whitelist_v4 {
+ type ipv4_addr
+ }
+
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ ip daddr @whitelist_v4
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
new file mode 100644
index 0000000..635901f
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0030variable_reuse_0.nft
@@ -0,0 +1,11 @@
+table ip x {
+ set y {
+ type ipv4_addr
+ elements = { 1.1.1.1, 2.2.2.2 }
+ }
+
+ set z {
+ type ipv4_addr
+ elements = { 1.1.1.1, 3.3.3.3 }
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0031vmap_string_0.nft
diff --git a/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
new file mode 100644
index 0000000..f29dfb2
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/0032pknock_0.nft
@@ -0,0 +1,25 @@
+table inet portknock {
+ set clients_ipv4 {
+ type ipv4_addr
+ size 65535
+ flags dynamic,timeout
+ }
+
+ set candidates_ipv4 {
+ type ipv4_addr . inet_service
+ size 65535
+ flags dynamic,timeout
+ }
+
+ chain input {
+ type filter hook input priority filter - 10; policy accept;
+ tcp dport 10001 add @candidates_ipv4 { ip saddr . 10002 timeout 1s }
+ tcp dport 10002 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10003 timeout 1s }
+ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10004 timeout 1s }
+ tcp dport 10004 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10005 timeout 1s }
+ tcp dport 10005 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10m } log prefix "Successful portknock: "
+ tcp dport 22 ip saddr @clients_ipv4 counter packets 0 bytes 0 accept
+ tcp dport 22 ct state established,related counter packets 0 bytes 0 accept
+ tcp dport 22 reject with tcp reset
+ }
+}
diff --git a/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
new file mode 100644
index 0000000..480b694
--- /dev/null
+++ b/tests/shell/testcases/nft-f/dumps/sample-ruleset.nft
@@ -0,0 +1,239 @@
+table inet filter {
+ map if_input {
+ type ifname : verdict
+ elements = { "eth0" : jump public_input,
+ "eth1" : jump home_input,
+ "eth2.10" : jump home_input,
+ "eth2.20" : jump home_input }
+ }
+
+ map if_forward {
+ type ifname : verdict
+ elements = { "eth0" : jump public_forward,
+ "eth1" : jump trusted_forward,
+ "eth2.10" : jump voip_forward,
+ "eth2.20" : jump guest_forward }
+ }
+
+ map if_output {
+ type ifname : verdict
+ elements = { "eth0" : jump public_output,
+ "eth1" : jump home_output,
+ "eth2.10" : jump home_output,
+ "eth2.20" : jump home_output }
+ }
+
+ set ipv4_blacklist {
+ type ipv4_addr
+ flags interval
+ auto-merge
+ }
+
+ set ipv6_blacklist {
+ type ipv6_addr
+ flags interval
+ auto-merge
+ }
+
+ set limit_src_ip {
+ type ipv4_addr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ set limit_src_ip6 {
+ type ipv6_addr
+ size 1024
+ flags dynamic,timeout
+ }
+
+ chain PREROUTING_RAW {
+ type filter hook prerouting priority raw; policy accept;
+ meta l4proto != { icmp, tcp, udp, ipv6-icmp } counter packets 0 bytes 0 drop
+ tcp flags syn jump {
+ tcp option maxseg size 1-500 counter packets 0 bytes 0 drop
+ tcp sport 0 counter packets 0 bytes 0 drop
+ }
+ rt type 0 counter packets 0 bytes 0 drop
+ }
+
+ chain PREROUTING_MANGLE {
+ type filter hook prerouting priority mangle; policy accept;
+ ct state vmap { invalid : jump ct_invalid_pre, related : jump rpfilter, new : jump ct_new_pre, untracked : jump ct_untracked_pre }
+ }
+
+ chain ct_invalid_pre {
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_untracked_pre {
+ icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_new_pre {
+ jump rpfilter
+ tcp flags != syn / fin,syn,rst,ack counter packets 0 bytes 0 drop
+ iifname "eth0" meta nfproto vmap { ipv4 : jump blacklist_input_ipv4, ipv6 : jump blacklist_input_ipv6 }
+ }
+
+ chain rpfilter {
+ ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 return
+ ip6 saddr :: ip6 daddr . icmpv6 type { ff02::1:ff00:0/104 . nd-neighbor-solicit, ff02::16 . mld2-listener-report } return
+ fib saddr . iif oif 0 counter packets 0 bytes 0 drop
+ }
+
+ chain blacklist_input_ipv4 {
+ ip saddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } counter packets 0 bytes 0 drop
+ ip saddr @ipv4_blacklist counter packets 0 bytes 0 drop
+ }
+
+ chain blacklist_input_ipv6 {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 return
+ udp sport 547 ip6 saddr fe80::/64 return
+ ip6 saddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } counter packets 0 bytes 0 drop
+ ip6 saddr @ipv6_blacklist counter packets 0 bytes 0 drop
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy drop;
+ iif "lo" accept
+ ct state established,related accept
+ iifname vmap @if_input
+ log prefix "NFT REJECT IN " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain public_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 saddr fe80::/64 ip6 hoplimit 255 accept
+ udp sport 547 udp dport 546 ip6 saddr fe80::/64 accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ counter packets 0 bytes 0 drop
+ }
+
+ chain home_input {
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp sport 68 udp dport 67 accept
+ udp sport 546 udp dport 547 iifname { "eth1", "eth2.10", "eth2.20" } accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ tcp dport 22 iifname "eth1" accept
+ meta l4proto { tcp, udp } th dport 53 jump {
+ ip6 saddr != { fd00::/8, fe80::/64 } counter packets 0 bytes 0 reject with icmpv6 port-unreachable
+ accept
+ }
+ udp dport 123 accept
+ tcp dport 8443 accept
+ }
+
+ chain FORWARD_MANGLE {
+ type filter hook forward priority mangle; policy accept;
+ oifname "eth0" jump {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ tcp flags syn / syn,rst tcp option maxseg size set rt mtu
+ }
+ }
+
+ chain blacklist_output_ipv4 {
+ ip daddr { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 } goto log_blacklist
+ ip daddr @ipv4_blacklist goto log_blacklist
+ }
+
+ chain blacklist_output_ipv6 {
+ icmpv6 type . ip6 daddr { nd-router-solicit . ff02::2, nd-neighbor-solicit . ff02::1:ff00:0/104, nd-neighbor-advert . fe80::/64, nd-neighbor-advert . ff02::1, nd-neighbor-advert . ff02::1:ff00:0/104, mld2-listener-report . ff02::16 } return
+ udp dport 547 ip6 daddr ff02::1:2 return
+ ip6 daddr { ::/3, 2001::/32, 2001:2::/48, 2001:3::/32, 2001:10::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff, 2001:db8::/32, 2002::/16, 3000::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } goto log_blacklist
+ ip6 daddr @ipv6_blacklist goto log_blacklist
+ }
+
+ chain log_blacklist {
+ log prefix "NFT BLACKLIST " flags ip options flags ether limit rate 5/minute burst 10 packets drop
+ counter packets 0 bytes 0 drop
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy drop;
+ ct state established,related accept
+ fib daddr type { broadcast, anycast, multicast } counter packets 0 bytes 0 drop
+ iifname vmap @if_forward
+ log prefix "NFT REJECT FWD " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain public_forward {
+ udp dport { 5060, 7078-7097 } oifname "eth2.10" jump {
+ ip6 saddr { 2001:db8::1-2001:db8::2 } accept
+ meta nfproto ipv6 log prefix "NFT DROP SIP " flags ip options flags ether limit rate 5/second burst 10 packets drop
+ }
+ counter packets 0 bytes 0 drop
+ }
+
+ chain trusted_forward {
+ oifname "eth0" accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ ip daddr { 192.168.3.30, 192.168.4.40 } tcp dport vmap { 22 : accept, 80 : drop, 443 : accept }
+ ip daddr 192.168.2.20 jump {
+ tcp dport { 80, 443, 515, 631, 9100 } accept
+ udp dport 161 accept
+ }
+ }
+
+ chain voip_forward {
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } oifname "eth0" accept
+ ip6 daddr { 2001:db8::1-2001:db8::2 } jump {
+ udp dport { 3478, 5060 } accept
+ udp sport 7078-7097 accept
+ tcp dport 5061 accept
+ }
+ tcp dport 587 ip daddr 10.0.0.1 accept
+ tcp dport 80 oifname "eth0" counter packets 0 bytes 0 reject
+ }
+
+ chain guest_forward {
+ oifname "eth0" accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy drop;
+ oif "lo" accept
+ ct state vmap { invalid : jump ct_invalid_out, established : accept, related : accept, untracked : jump ct_untracked_out }
+ oifname vmap @if_output
+ log prefix "NFT REJECT OUT " flags ip options flags ether limit rate 5/second burst 10 packets reject
+ }
+
+ chain ct_invalid_out {
+ counter packets 0 bytes 0 drop
+ }
+
+ chain ct_untracked_out {
+ icmpv6 type { mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } return
+ counter packets 0 bytes 0 drop
+ }
+
+ chain public_output {
+ ct state new meta nfproto vmap { ipv4 : jump blacklist_output_ipv4, ipv6 : jump blacklist_output_ipv6 }
+ icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp dport 547 ip6 saddr fe80::/64 ip6 daddr ff02::1:2 accept
+ udp dport { 53, 123 } accept
+ tcp dport { 443, 587, 853 } accept
+ }
+
+ chain home_output {
+ icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } accept
+ icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
+ icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept
+ icmpv6 type { mld-listener-query, mld2-listener-report } ip6 hoplimit 1 accept
+ udp sport 547 udp dport 546 ip6 saddr fe80::/64 oifname { "eth1", "eth2.10", "eth2.20" } accept
+ udp sport 67 udp dport 68 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept
+ tcp dport 22 ip daddr 192.168.1.10 accept
+ }
+
+ chain POSTROUTING_SRCNAT {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip saddr { 192.168.1.0-192.168.4.255 } oifname "eth0" masquerade
+ }
+}