@@ -57,22 +57,12 @@ table ip filter {
chain forward {
type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
+ jump urpf
{#- custom rules #}
{%- for rule in forward['rules'].get ('4', []) %}
{{ rule }}
{%- endfor %}
-{#- uRPF #}
-{%- for iface_cfg in urpf %}
- {%- if loop.first %}
- # uRPF
- {%- endif %}
- {%- for pfx in iface_cfg[4] %}
- iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} accept
- {%- endfor %}
- iif {{ iface_cfg['iface'] }} counter drop
-{%- endfor %}
-
{%- if forward['policy'] == 'drop' %}
limit rate 1/second burst 3 packets counter log prefix "nf forward: "
limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
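Review bot: The `jump urpf` added at the top of the forward chain carries no comment, while the `{#- uRPF #}` marker that documented this block on the old side is deleted, so the rendered template no longer says what the jump enforces or why it sits before the custom rules. Restoring the note as `{#- uRPF: spoofed sources are dropped in chain urpf; passing packets return here and continue into the custom rules and the chain policy #}` on the line above the jump would keep the template self-describing. It is also worth recording in the commit message that this is a behavioural change, not only a refactor: the old inline rules ended in `accept`, so a uRPF-passing packet skipped every later forward rule and the chain policy, whereas the new chain uses `return` and the packet now continues to be filtered. The same missing comment applies to the ip6 hunk at `@@ -175,22 +174,12 @@`.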
@@ -123,6 +113,15 @@ table ip filter {
{%- endfor %}
}
+ chain urpf {
+{%- for iface_cfg in urpf %}
+ {%- for pfx in iface_cfg[4] %}
+ iif {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
+ {%- endfor %}
+ iif {{ iface_cfg['iface'] }} counter drop
+{%- endfor %}
+ }
+
chain vxlan {
{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
iif {{ iface }} accept
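Review bot: The per-interface `iif {{ iface_cfg['iface'] }} counter drop` in the new urpf chain discards packets with an unexpected source address without logging, so a counter increment is the only trace that a host behind that interface is emitting traffic from outside its configured prefixes. The forward chain in this same file already rate-limits and logs its drops, and mirroring that here as `iif {{ iface_cfg['iface'] }} limit rate 1/second burst 3 packets counter log prefix "nf urpf: "` on the line before the drop would give operators a detection signal without changing what is dropped. Note also that an interface whose `iface_cfg[4]` list is empty renders only the drop line, so all IPv4 traffic entering on it is dropped; that matches the previous inline behaviour and is presumably intended, but a one-line template comment above the inner loop stating it would avoid surprises. The ip6 urpf chain at `@@ -243,6 +232,15 @@` has the same silent drop and the same empty-list behaviour for `iface_cfg[6]`.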
@@ -175,22 +174,12 @@ table ip6 filter {
chain forward {
type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
+ jump urpf
{#- custom rules #}
{%- for rule in forward['rules'].get ('6', []) %}
{{ rule }}
{%- endfor %}
-{#- uRPF #}
-{%- for iface_cfg in urpf %}
- {%- if loop.first %}
- # uRPF
- {%- endif %}
- {%- for pfx in iface_cfg[6] %}
- iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} accept
- {%- endfor %}
- iif {{ iface_cfg['iface'] }} counter drop
-{%- endfor %}
-
{%- if forward['policy'] == 'drop' %}
limit rate 1/second burst 3 packets counter log prefix "nf forward: "
limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
@@ -243,6 +232,15 @@ table ip6 filter {
{%- endif %}
}
+ chain urpf {
+{%- for iface_cfg in urpf %}
+ {%- for pfx in iface_cfg[6] %}
+ iif {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
+ {%- endfor %}
+ iif {{ iface_cfg['iface'] }} counter drop
+{%- endfor %}
+ }
+
chain vxlan {
{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
iif {{ iface }} accept