#!/usr/sbin/nft -f
# nfsense nftables ruleset, rendered from this Go text/template.
# The template helpers used below (addressMatcher, getBaseServices,
# serviceMatcher, destinationNatAction, sourceNatAction) are supplied by
# the Go renderer and are not defined in this file.

# NOTE: flush ruleset removes every table in every family on this host,
# not only nfsense_inet, so rules installed by other tooling disappear on
# each reload of this file.
flush ruleset

# nfsense nftables inet (ipv4 + ipv6) table
# The inet family lets one set of chains handle both IPv4 and IPv6.

table inet nfsense_inet {

    # Rule Counters for Forward Rules
    # A named counter is declared only for rules with Counter set; the
    # generated rules further down reference it as "counter name fw_<i>",
    # so the naming must stay identical in both places. Names are
    # index-based, so reordering rules reassigns counters (presumably they
    # are reset on reload anyway -- confirm).
    # $rule.Name is inserted verbatim into a quoted nft string; assumes it
    # is validated upstream (no embedded quotes or newlines) -- TODO confirm.
    {{- range $i, $rule := $.Firewall.ForwardRules }}
    {{- if $rule.Counter }}
    counter fw_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Rule Counters for Destination NAT Rules
    # Same pattern and caveats as the forward-rule counters above; the
    # generated prerouting rules reference these as "counter name dnat_<i>".
    {{- range $i, $rule := $.Firewall.DestinationNATRules }}
    {{- if $rule.Counter }}
    counter dnat_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Rule Counters for Source NAT Rules
    # Same pattern and caveats as the forward-rule counters above; the
    # generated postrouting rules reference these as "counter name snat_<i>".
    {{- range $i, $rule := $.Firewall.SourceNATRules }}
    {{- if $rule.Counter }}
    counter snat_{{ $i }} {
        comment "{{ $rule.Name }}"
    }
    {{- end}}
    {{- end}}

    # Inbound Rules
    # Traffic addressed to this host itself. policy drop: anything not
    # accepted by a rule in the chain is dropped.
    chain inbound {
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        # new and untracked packets have no vmap entry and fall through to
        # the rules below.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Allow loopback traffic
        iifname lo accept

        # temp Allow Inbound traffic
        # This rule has no match expression, so it accepts ALL remaining
        # inbound traffic and the drop policy above currently has no effect
        # on the input hook. Presumably a placeholder until per-host inbound
        # rules are generated -- confirm before treating this chain as
        # host protection.
        counter accept comment "temp inbound allow"
    }

    # Forward Rules
    # Routed traffic between interfaces. policy drop: only the generated
    # rules (or established/related state) let traffic through.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        # new and untracked packets fall through to the generated rules.
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Generated Forward Rules
        # One rule per ForwardRule: the address match jumps into an anonymous
        # chain holding one line per resolved service, each ending in the
        # rule's verdict. A rule whose services resolve to nothing yields an
        # empty anonymous chain, so its traffic presumably returns here and
        # continues to later rules and finally the drop policy -- confirm
        # against getBaseServices.
        {{- range $i, $rule := $.Firewall.ForwardRules }}
        {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name fw_{{ $i }}{{ end }} {{ $rule.Verdict.String }}
            {{- end}}
        }
        {{- end}}
    }

    # Destination NAT Rules
    # priority -100 is the conventional dstnat priority, so translation
    # happens before the filter chains see the packet. policy accept:
    # unmatched traffic passes through untranslated; this chain does not
    # filter.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Generated Destination NAT Rules
        # Same structure as the generated forward rules; the per-service
        # action comes from destinationNatAction instead of a plain verdict.
        {{- range $i, $rule := $.Firewall.DestinationNATRules }}
        {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name dnat_{{ $i }}{{ end }} {{ destinationNatAction $ $rule }}
            {{- end}}
        }
        {{- end}}
    }

    # Source NAT Rules
    # priority 100 is the conventional srcnat priority, so translation
    # happens after filtering, just before the packet leaves. policy accept:
    # unmatched traffic passes through untranslated; this chain does not
    # filter.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Generated Source NAT Rules
        # Same structure as the generated forward rules; the per-service
        # action comes from sourceNatAction instead of a plain verdict.
        {{- range $i, $rule := $.Firewall.SourceNATRules }}
        {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
            {{- range $service := $baseServices }}
            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name snat_{{ $i }}{{ end }} {{ sourceNatAction $ $rule }}
            {{- end}}
        }
        {{- end}}
    }
}