initial commit

2024-09-14 09:12:10 +03:00
commit 073a3d310a
18 changed files with 2140 additions and 0 deletions
--- a/example-conf/nftables.conf
+++ b/example-conf/nftables.conf
@@ -0,0 +1,66 @@
+#!/usr/sbin/nft -f
+
+define vnet4 = 198.18.0.0/16
+define vnet6 = 2001:db8:1234:5678::/80
+
+table inet uniwall {
+
+    map vmap4 { type ipv4_addr : ipv4_addr ; flags dynamic,timeout ; timeout 1m ; }
+    map vmap6 { type ipv6_addr : ipv6_addr ; flags dynamic,timeout ; timeout 1m ; }
+
+    chain rejectx {
+        reject with icmpx type host-unreachable
+        drop
+    }
+
+    chain dnat_tele4 {
+        meta nfproto ipv4 meta l4proto tcp dnat ip to ip daddr map @vmap4
+        meta nfproto ipv4 meta l4proto udp dnat ip to ip daddr map @vmap4
+        goto rejectx
+    }
+
+    chain dnat_tele6 {
+        meta nfproto ipv6 meta l4proto tcp dnat ip6 to ip6 daddr map @vmap6
+        meta nfproto ipv6 meta l4proto udp dnat ip6 to ip6 daddr map @vmap6
+        goto rejectx
+    }
+
+    chain dnat_map4 {
+        ip daddr vmap {
+            $vnet4 : goto dnat_tele4,
+        }
+        return
+    }
+
+    chain dnat_map6 {
+        ip6 daddr vmap {
+            $vnet6 : goto dnat_tele6,
+        }
+        return
+    }
+
+    chain nat_prerouting {
+        type nat hook prerouting priority dstnat;
+
+        meta nfproto vmap {
+            ipv4 : jump dnat_map4,
+            ipv6 : jump dnat_map6,
+        }
+    }
+
+    chain nat_output {
+        type nat hook output priority dstnat;
+
+        meta nfproto vmap {
+            ipv4 : jump dnat_map4,
+            ipv6 : jump dnat_map6,
+        }
+    }
+
+    chain nat_postrouting {
+        type nat hook postrouting priority srcnat;
+
+        meta oiftype != loopback masquerade
+    }
+
+}