58 lines
2.1 KiB
Plaintext
58 lines
2.1 KiB
Plaintext
#!/usr/bin/env -S nft -f
|
|
|
|
table inet ${IFACE}_inet {
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100;
|
|
iif ${IFACE} oif { {{ [
|
|
ansible_default_ipv4.interface | default(ansible_default_ipv6.interface),
|
|
ansible_default_ipv6.interface | default(ansible_default_ipv4.interface)
|
|
] | unique | join(", ") }} } masquerade;
|
|
}
|
|
}
|
|
|
|
table ip ${IFACE}_ipv4 {
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100;
|
|
{% for forward in vpn_bridge_dnat %}
|
|
iif {{ ansible_default_ipv4.interface | default(ansible_default_ipv6.interface) }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet_address }};
|
|
{% endfor %}
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
{% if local_inet_network is defined %}
|
|
|
|
ct state established,related accept;
|
|
iif ${IFACE} ip daddr {{ local_inet_network }} drop;
|
|
{% endif %}
|
|
{% if vpn_bridge_local_only_inet_daddr %}
|
|
|
|
# Drop all external traffic for these addresses.
|
|
ip saddr != {{ vpn_bridge_inet_subnet }} ip daddr { {{ vpn_bridge_local_only_inet_daddr | join(", ") }} } drop;
|
|
{% endif %}
|
|
}
|
|
}
|
|
|
|
table ip6 ${IFACE}_ipv6 {
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100;
|
|
{% for forward in vpn_bridge_dnat %}
|
|
iif {{ ansible_default_ipv6.interface | default(ansible_default_ipv4.interface) }} tcp dport { {{ forward.ports | join(", ") }} } dnat to {{ forward.inet6_address }};
|
|
{% endfor %}
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
{% if local_inet6_network is defined %}
|
|
|
|
ct state established,related accept;
|
|
iif ${IFACE} ip6 daddr {{ local_inet6_network }} drop;
|
|
{% endif %}
|
|
{% if vpn_bridge_local_only_inet6_daddr %}
|
|
|
|
# Drop all external traffic for these addresses.
|
|
ip6 saddr != {{ vpn_bridge_inet6_subnet }} ip6 daddr { {{ vpn_bridge_local_only_inet6_daddr | join(", ") }} } drop;
|
|
{% endif %}
|
|
}
|
|
}
|