"!::15/128",
"!::16/128"
]
+ },
+ {
+ ".description": "Ensure that CIDRs with negative bitcount are properly translated",
+ "proto": "all",
+ "name": "Mask rule #3",
+ "src_ip": "::1/-64",
+ "dest_ip": "!::2/-64"
}
],
"redirect": [
flush table inet fw4
table inet fw4 {
- #
- # Set definitions
- #
-
-
#
# Defines
#
- define wan_devices = { "eth1" }
+ define wan_devices = { "pppoe-wan" }
define wan_subnets = { 2001:db8:54:321::/64 }
+
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
define guest_devices = { "br-guest" }
define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
#
# User includes
#
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
}
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
}
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ ip6 saddr & ::ffff:ffff:ffff:ffff == ::1 ip6 daddr & ::ffff:ffff:ffff:ffff != ::2 counter comment "!fw4: Mask rule #3"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
}
chain drop_from_wan {
- iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
- oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain input_lan {
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
- iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname "br-guest" jump dstnat_guest comment "!fw4: Handle guest IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
- oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname "br-guest" jump srcnat_guest comment "!fw4: Handle guest IPv4/IPv6 srcnat traffic"
}
}
chain srcnat_lan {
- ip6 saddr 2001:db8:1000::/60 ip6 daddr ::99 snat 2001:db8:1000:1::1 comment "!fw4: Mask rule #3 (reflection)"
- ip6 saddr fd63:e2f:f706::/60 ip6 daddr ::99 snat fd63:e2f:f706:1::1 comment "!fw4: Mask rule #3 (reflection)"
+ ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr ::99 snat 2001:db8:1000:1::1 comment "!fw4: Mask rule #3 (reflection)"
}
chain dstnat_guest {
}
chain srcnat_guest {
- ip6 saddr 2001:db8:1000::/60 ip6 daddr ::99 snat 2001:db8:1000:2::1 comment "!fw4: Mask rule #3 (reflection)"
- ip6 saddr fd63:e2f:f706::/60 ip6 daddr ::99 snat fd63:e2f:f706:2::1 comment "!fw4: Mask rule #3 (reflection)"
+ ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr ::99 snat 2001:db8:1000:2::1 comment "!fw4: Mask rule #3 (reflection)"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
}
chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
}
chain mangle_forward {
projects / project / firewall4.git / blobdiff