| author | Kjetil Orbekk <kj@orbekk.com> | 2025-12-15 19:17:03 -0500 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2025-12-15 19:17:03 -0500 |
| commit | fdc08bbeca685b3dd2d2b60a1da53af8f6d8c9e9 (patch) | |
| tree | d92659c21f9f8269331eeb7cf81f465439751ec7 /modules | |
| parent | 67fe5946de2fc5441dc9fa2dc052eb42ebb9f287 (diff) | |
fix
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/router.nix | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/modules/router.nix b/modules/router.nix index 3864d06..63b39fb 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -291,11 +291,13 @@ let chain forward { type filter hook forward priority 0; policy drop - ip protocol icmp limit rate 4/second counter accept comment "icmp v4" +ip protocol icmp limit rate 4/second counter accept comment "icmp v4" ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types" ct state vmap { established : accept, related : accept, invalid : drop } + jump miniupnpd + # Don't allow accidental vpn forwarding to wan. iifname vpnlan-vport oifname wan-vport counter reject oifname he0 counter accept @@ -346,7 +348,16 @@ let meta nfproto ipv6 oifname {"mullvad"} counter masquerade } } - ''; + table inet miniupnpd { + chain miniupnpd {} + chain prerouting_miniupnpd { + type nat hook prerouting priority dstnat; policy accept; + } + chain postrouting_miniupnpd { + type nat hook postrouting priority srcnat; policy accept; + } + } + ''; }; in { options = { |
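Review bot: The `jump miniupnpd` added to `chain forward` sits above `iifname vpnlan-vport oifname wan-vport counter reject`, so any accept verdict that miniupnpd installs in that chain ends evaluation before the explicit VPN-to-WAN reject and the rules after it are reached; placing the jump below the reject keeps that guard authoritative whatever mappings clients request. nftables also resolves jump targets only within the same table, and the only `miniupnpd` chain this commit defines is in the new `table inet miniupnpd` of the second hunk. The table that holds `forward` opens outside this hunk, so confirm it either is that table or defines its own `chain miniupnpd`; otherwise the ruleset will fail to load, or the daemon's rules will land in a chain nothing jumps to. Separately, the re-added `ip protocol icmp` line appears to have lost its leading indentation, which inside a Nix `''` string can prevent the common indent from being stripped.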
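Review bot: The new `table inet miniupnpd` carries no comment saying that its three chains are empty placeholders filled at runtime by the miniupnpd daemon, or that their names must agree with the daemon's configuration. I would add above the table `# Filled at runtime by miniupnpd; names must match upnp_table_name, upnp_nat_table_name, upnp_forward_chain, upnp_nat_chain and upnp_nat_postrouting_chain.` Because any client that can reach the daemon can request inbound mappings through these chains, the comment should also point to where the listening interfaces and permission rules are set; that configuration is not visible in this diff. If the ruleset is reloaded atomically, mappings held in these chains would presumably be dropped until clients renew them, which is worth confirming.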
