{
"rule": [
{
- ".description": "Proto 'icmp' maps to IPv4 and IPv6 rules",
+ ".description": "Proto 'icmp' maps to a single IPv4 and IPv6 rule",
"proto": "icmp",
"name": "ICMP rule #1"
},
flush table inet fw4
table inet fw4 {
- #
- # Set definitions
- #
-
-
#
# Defines
#
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
- meta l4proto icmp counter comment "!fw4: ICMP rule #1"
+ meta l4proto { "icmp", "ipv6-icmp" } counter comment "!fw4: ICMP rule #1"
meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #2"
meta nfproto ipv6 meta l4proto ipv6-icmp counter comment "!fw4: ICMP rule #3"
meta nfproto ipv4 icmp type . icmp code { 12 . 0 } counter comment "!fw4: ICMP rule #4"
meta nfproto ipv6 icmpv6 type . icmpv6 code { 136 . 0 } counter comment "!fw4: ICMP rule #5"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
+ chain mangle_postrouting {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain mangle_input {
+ type filter hook input priority mangle; policy accept;
+ }
+
chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
}
chain mangle_forward {
projects / project / firewall4.git / blobdiff