authorKjetil Orbekk <kj@orbekk.com>2023-02-27 08:16:25 -0500
committerKjetil Orbekk <kj@orbekk.com>2023-02-27 08:16:25 -0500
commitd4cac17c7e9cc7ce92fcf8ba091cbfa9da43ee21 (patch)
treedafe11fabf53eebb91fd5deb8edb97171a54f973
parent03bb6960ec0ef4bc756bed6e0333ef91dc68890c (diff)
use iifname/oifname in nftables to allow loading it early
-rw-r--r--modules/router.nix27
1 files changed, 12 insertions, 15 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 8267967..81c8c86 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -159,9 +159,6 @@ let
};
networking.firewall.enable = false;
- systemd.services.nftables.before = mkForce ["network.target"];
- systemd.services.nftables.after = ["kjlan-netdev.service" "he0.service"];
- systemd.services.nftables.wantedBy = mkForce ["network.target"];
networking.nftables.enable = true;
networking.nftables.ruleset =
let
@@ -177,7 +174,7 @@ let
table inet filter {
chain input {
type filter hook input priority 0
- iif lo accept
+ iifname lo accept
ct state {established, related} counter accept
meta l4proto {tcp, udp} th dport {bootps, bootpc, domain, dhcpv6-client, dhcpv6-server} counter accept
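Review bot: The new `iifname lo accept` (and the other `iifname`/`oifname` rewrites in this commit) changes when interface names are resolved, but nothing in the ruleset records why, so a later cleanup could revert to `iif` and reintroduce the load-order failure this commit works around. `iif`/`oif` resolve the interface index at ruleset load time and fail if the interface does not exist yet, whereas `iifname`/`oifname` compare the name per packet, so the rules can load before the vport and tunnel interfaces exist and keep matching if an interface is deleted and re-created with a new index. A comment at the top of the input chain would capture that, e.g. `# iifname/oifname, not iif/oif: the ruleset must load before the vport/tunnel interfaces exist, and name matching survives interface re-creation`. The enclosing `table inet filter` and the Nix `let` block begin before this hunk.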
@@ -187,7 +184,7 @@ let
ip6 nexthdr ipv6-icmp counter accept comment "accept all ICMP types"
- iif wan-vport counter drop
+ iifname wan-vport counter drop
meta nftrace set 1
counter drop
}
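Review bot: The new `iifname wan-vport counter drop` is followed two lines later by an unconditional `counter drop`, so its only observable effects appear to be a separate counter for WAN hits and keeping WAN packets out of the `meta nftrace set 1` that sits between them; that intent is not written down and the rule looks redundant at first glance. If that reading is right, a comment would stop someone from "simplifying" it away: `# count and drop WAN noise here so it does not reach the nftrace line below`. Separately, the trace flag stays set on every non-WAN packet that reaches the final drop, which is useful while debugging but worth a note or removal once the ruleset is stable, since the trace stream is readable by anyone who can run `nft monitor trace` on the router. The input chain begins before this hunk.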
@@ -204,13 +201,13 @@ let
ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
ct state vmap { established : accept, related : accept, invalid : drop }
- oif he0 counter accept
- oif wan-vport counter accept
- oif mullvad counter accept
+ oifname he0 counter accept
+ oifname wan-vport counter accept
+ oifname mullvad counter accept
- oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
- iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
- iif servers-vport counter accept
+ oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
+ iifname lan-vport oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
+ iifname servers-vport counter accept
counter drop
}
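Review bot: The three egress-only accepts `oifname he0 counter accept`, `oifname wan-vport counter accept` and `oifname mullvad counter accept` carry no `iifname` qualifier, so a packet arriving on any interface, including `wan-vport`, is forwarded out of those uplinks whenever the routing table sends it there; the chain's earlier rules are outside this hunk and may narrow this, but nothing visible here does. If only LAN-side traffic is meant to reach the uplinks, pin the ingress side, e.g. `iifname {lan-vport, vpnlan-vport} oifname {he0, wan-vport, mullvad} counter accept` (the exact set depends on which LAN-side vports exist; `iifname servers-vport counter accept` below already grants servers-vport unrestricted egress, so it need not be listed). The forward chain begins before this hunk, so its earlier accepts are not visible here.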
@@ -221,19 +218,19 @@ let
type filter hook prerouting priority -150
# ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
- iif vpnlan-vport meta mark set ${toString mullvadMark}
+ iifname vpnlan-vport meta mark set ${toString mullvadMark}
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept
- iif wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
+ iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2
}
chain postrouting {
type nat hook postrouting priority 100; policy accept
- ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade
- ip saddr 172.16.0.0/12 oif {"mullvad"} masquerade
+ ip saddr 172.16.0.0/12 oifname {"wan-vport"} masquerade
+ ip saddr 172.16.0.0/12 oifname {"mullvad"} masquerade
}
}
'';
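Review bot: The DNAT at `iifname wan-vport tcp dport $SERVER_WAN_PORTS dnat to 172.20.20.2` only rewrites TCP, while the forward-chain accept for the same variable (`oifname servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS`) admits UDP as well; if any port in `$SERVER_WAN_PORTS` serves UDP it is accepted but never redirected, and if none does, the forward rule is wider than it needs to be. Make the two agree either by widening the DNAT to `iifname wan-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS dnat to 172.20.20.2` or by tightening the forward rule to `tcp dport`, whichever matches the services behind 172.20.20.2. As a point of style, the masquerade rules quote the name inside a one-element set (`oifname {"wan-vport"}`) while every other rule in the file uses the bare name; `ip saddr 172.16.0.0/12 oifname wan-vport masquerade` matches the rest of the ruleset. The mangle prerouting chain at the top of this hunk begins before it.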