powerdns-remote-http-example/example-conf/nftables.conf

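#!/usr/sbin/nft -f
#
# "uniwall": destination-NAT of two placeholder address ranges onto real
# addresses looked up in dynamic maps.
#
# Flow: a packet (forwarded or locally generated) whose destination lies in
# $vnet4 / $vnet6 is DNATed to the address stored for that destination in
# @vmap4 / @vmap6.  If no map entry exists, the packet is rejected with an
# ICMP(v6) host-unreachable.  Destinations outside the two ranges pass
# through untouched.  Everything leaving a non-loopback interface is
# masqueraded.
#
# The maps are declared dynamic with a 1-minute entry timeout; they are
# expected to be populated at runtime by something outside this file
# (presumably the PowerDNS remote backend this example accompanies —
# confirm against the backend code).

# Placeholder ("fake") address ranges handed out to clients.
# 198.18.0.0/16 is the RFC 2544 benchmarking block and 2001:db8::/32 the
# IPv6 documentation prefix, so neither should collide with real hosts.
define vnet4 = 198.18.0.0/16
define vnet6 = 2001:db8:1234:5678::/80

table inet uniwall {
	# fake destination -> real destination.  "dynamic" lets the entries be
	# added from userspace / other rules; each entry expires after 1 minute,
	# so a mapping that is not refreshed stops working on its own.
	map vmap4 { type ipv4_addr : ipv4_addr ; flags dynamic,timeout ; timeout 1m ; }
	map vmap6 { type ipv6_addr : ipv6_addr ; flags dynamic,timeout ; timeout 1m ; }

	# Terminal chain for packets aimed at a fake address we cannot translate.
	# "reject" is a terminal verdict, so nothing may follow it in this chain
	# (the original trailing "drop" rule was unreachable and has been removed).
	# NOTE(review): this chain is reached from the prerouting nat hook; kernel
	# versions differ in whether reject is accepted in chains reachable from
	# prerouting — confirm the ruleset loads on the target kernel.
	chain rejectx {
		reject with icmpx type host-unreachable
	}

	# IPv4: rewrite the destination to the mapped real address for TCP/UDP.
	# A map lookup miss means the rule does not match, so the packet falls
	# through to rejectx.  Non-TCP/UDP traffic to a fake address is rejected.
	chain dnat_tele4 {
		meta nfproto ipv4 meta l4proto { tcp, udp } dnat ip to ip daddr map @vmap4
		goto rejectx
	}

	# IPv6 counterpart of dnat_tele4.
	chain dnat_tele6 {
		meta nfproto ipv6 meta l4proto { tcp, udp } dnat ip6 to ip6 daddr map @vmap6
		goto rejectx
	}

	# Only destinations inside the fake range are handed to the DNAT chain;
	# everything else returns to the caller and is left alone.
	chain dnat_map4 {
		ip daddr vmap {
			$vnet4 : goto dnat_tele4,
		}
		return
	}

	chain dnat_map6 {
		ip6 daddr vmap {
			$vnet6 : goto dnat_tele6,
		}
		return
	}

	# Forwarded / incoming traffic: dispatch by address family.
	chain nat_prerouting {
		type nat hook prerouting priority dstnat;
		meta nfproto vmap {
			ipv4 : jump dnat_map4,
			ipv6 : jump dnat_map6,
		}
	}

	# Locally generated traffic gets the same translation so processes on
	# this host can also use the fake addresses.
	chain nat_output {
		type nat hook output priority dstnat;
		meta nfproto vmap {
			ipv4 : jump dnat_map4,
			ipv6 : jump dnat_map6,
		}
	}

	# Source-NAT everything leaving a non-loopback interface.
	# NOTE(review): this masquerades all forwarded traffic, not only the
	# flows DNATed above; if that is not intended, restrict it to
	# "ct status dnat masquerade" so only translated connections are SNATed.
	chain nat_postrouting {
		type nat hook postrouting priority srcnat;
		meta oiftype != loopback masquerade
	}
}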