build/layer/router-alix/nftables.rules

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    ip protocol icmp accept

    ct state established, related accept
    ct state invalid drop

    iifname lo accept
    iifname port0 accept
    iifname port1 accept

    reject
  }

  chain forward {
    type filter hook forward priority 0;

    iifname port0 jump forward_port0
    iifname port1 jump forward_port1
    iifname port2 jump forward_port2
  }
  chain forward_port0 {
    oifname port2 accept
    reject
  }
  chain forward_port1 {
    oifname port2 accept
    reject
  }
  chain forward_port2 {
    ct state related, established accept
    drop
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }

  chain postrouting {
    type nat hook postrouting priority 0;

    oifname port2 masquerade
  }
}
Add routing configuration Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at> 2018-07-23 22:08:42 +02:00			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`ip protocol icmp accept`

Update nftables ruleset syntax Apparently the tooling is now more strict in what syntax it accepts. Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at> 2019-01-11 14:06:54 +01:00			`ct state established, related accept`
Add routing configuration Signed-off-by: David Oberhollenzer <david.oberhollenzer@tele2.at> 2018-07-23 22:08:42 +02:00			`ct state invalid drop`

			`iifname lo accept`
			`iifname port0 accept`
			`iifname port1 accept`

			`reject`
			`}`

			`chain forward {`
			`type filter hook forward priority 0;`

			`iifname port0 jump forward_port0`
			`iifname port1 jump forward_port1`
			`iifname port2 jump forward_port2`
			`}`
			`chain forward_port0 {`
			`oifname port2 accept`
			`reject`
			`}`
			`chain forward_port1 {`
			`oifname port2 accept`
			`reject`
			`}`
			`chain forward_port2 {`
			`ct state related, established accept`
			`drop`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`

			`table ip nat {`
			`chain prerouting {`
			`type nat hook prerouting priority 0;`
			`}`

			`chain postrouting {`
			`type nat hook postrouting priority 0;`

			`oifname port2 masquerade`
			`}`
			`}`