Add rules for local-only forwarding

This commit is contained in:
Wojciech Kozlowski 2023-07-08 12:58:07 +02:00
parent 024b0c7fcc
commit 403b65f812
3 changed files with 19 additions and 3 deletions


@ -0,0 +1,2 @@
---
vpn_bridge_local_only_daddr: []


@ -22,6 +22,13 @@ argument_specs:
vpn_bridge_netmask: vpn_bridge_netmask:
type: "str" type: "str"
required: true required: true
vpn_bridge_subnet:
type: "str"
required: true
vpn_bridge_routing_table: vpn_bridge_routing_table:
type: "int" type: "int"
required: false required: false
vpn_bridge_local_only_daddr:
type: "list"
elements: "str"
required: true
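Review bot: `vpn_bridge_local_only_daddr` is declared `required: true` here while the new defaults file in this commit sets it to `[]`, and the template only emits the drop rule inside `{% if vpn_bridge_local_only_daddr %}`, so an empty list is a valid value; declaring it as `required: false` with `default: []` would make the spec agree with the default and the template. `vpn_bridge_subnet` is also newly required but, as far as this hunk shows, is only consumed inside that same conditional block, so a host that leaves the list empty is still forced to set it — possibly intended, but worth stating. Both entries would benefit from a `description` saying what is expected (nftables address/prefix literals that are interpolated verbatim into `ip saddr` / `ip daddr` expressions), since the spec's `type` check cannot validate their format.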


@ -8,14 +8,21 @@ table ip br0_ipv4 {
{% endfor %} {% endfor %}
} }
chain forward {
type filter hook forward priority 0;
{% if local_network is defined %} {% if local_network is defined %}
chain input {
type filter hook input priority 0;
ct state established,related accept; ct state established,related accept;
iif br0 ip daddr {{ local_network }} drop; iif br0 ip daddr {{ local_network }} drop;
}
{% endif %} {% endif %}
{% if vpn_bridge_local_only_daddr %}
# Drop all external traffic for these addresses.
ip saddr != {{ vpn_bridge_subnet }} ip daddr { {{ vpn_bridge_local_only_daddr | join(", ") }} } drop;
{% endif %}
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; type nat hook postrouting priority 100;
iif br0 oif {{ ansible_default_ipv4.interface }} masquerade; iif br0 oif {{ ansible_default_ipv4.interface }} masquerade;