From b017df4879a4daf8e1f4542fd9f7fcf0aab7fc40 Mon Sep 17 00:00:00 2001
From: Nico Schottelius
Date: Sun, 12 Jan 2020 13:20:38 +0100
Subject: [PATCH] ignore iso, update nft rules

---
 .gitignore | 2 ++
 uncloud/hack/hackcloud/nftrules | 57 +++++++--------------------------
 2 files changed, 14 insertions(+), 45 deletions(-)

diff --git a/.gitignore b/.gitignore
index 5c55899..6f0d9df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@ uncloud/version.py
 build/
 venv/
 dist/
+
+*.iso
diff --git a/uncloud/hack/hackcloud/nftrules b/uncloud/hack/hackcloud/nftrules
index 035b3a8..636c63d 100644
--- a/uncloud/hack/hackcloud/nftrules
+++ b/uncloud/hack/hackcloud/nftrules
@@ -5,60 +5,27 @@ table bridge filter { type filter hook prerouting priority 0; policy accept; - ibrname br100 jump netpublic + ibrname br100 jump br100 } - chain netpublic { - iifname vxlan100 jump from_uncloud + chain br100 { + # Allow all incoming traffic from outside + iifname vxlan100 accept # Default blocks: router advertisements, dhcpv6, dhcpv4 icmpv6 type nd-router-advert drop ip6 version 6 udp sport 547 drop ip version 4 udp sport 67 drop - # Individual blocks - iifname tap1 jump vm1 + jump br100_vmlist + drop } + chain br100_vmlist { + # VM1 + iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept - chain vm1 { - ether saddr != 02:00:f0:a9:c4:4e drop - ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop - } - - chain from_uncloud { - accept + # VM2 + iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept + iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept } } - -# table ip6 filter { -# chain forward { -# type filter hook forward priority 0; - -# # policy drop; - -# ct state established,related accept; - -# } - -# } - -# table ip filter { -# chain input { -# type filter hook input priority filter; policy drop; -# iif "lo" accept -# icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept -# ct state established,related accept -# tcp dport { 22 } accept -# log prefix "firewall-ipv4: " -# udp sport 67 drop -# } - -# chain forward { -# type filter hook forward priority filter; policy drop; -# log prefix "firewall-ipv4: " -# } - -# chain output { -# type filter hook output priority filter; policy accept; -# } -# }
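Review bot: The per-VM whitelist in `br100_vmlist` only accepts IPv6 frames whose `ip6 saddr` is the VM's pinned global address, so combined with the new terminal `drop` at the end of `br100` every frame a VM sends from a link-local or unspecified source — router solicitations, DAD neighbor solicitations, neighbor discovery sourced from fe80::/64 — and all IPv4/ARP is silently discarded. If that is the intent (statically addressed, IPv6-only guests), state it next to the `drop`, e.g. `# default-deny: anything not matched per-VM above (other MAC/IP pairs, link-local, IPv4, ARP) is dropped`; otherwise the VM's own neighbor discovery presumably needs an explicit allowance such as `iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr fe80::/64 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept`. Separately, `iifname vxlan100 accept` is evaluated before the RA/DHCPv6/DHCPv4 drops, so those drops never apply to traffic arriving from the vxlan side; that ordering predates this commit, but the new comment "Allow all incoming traffic from outside" would be clearer if it said so explicitly, e.g. `# uplink is fully trusted: RA/DHCP filtering below applies to VM ports only`. The new spoofing-protection model (default deny, whitelist per interface/MAC/address) is otherwise a clear improvement over the old `!=`-based per-VM chains.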