ignore iso, update nft rules
This commit is contained in:
parent
aaf29adcbb
commit
b017df4879
2 changed files with 14 additions and 45 deletions
2
.gitignore
vendored
|
@ -16,3 +16,5 @@ uncloud/version.py
|
||||||
build/
|
build/
|
||||||
venv/
|
venv/
|
||||||
dist/
|
dist/
|
||||||
|
|
||||||
|
*.iso
|
||||||
|
|
|
@ -5,60 +5,27 @@ table bridge filter {
|
||||||
type filter hook prerouting priority 0;
|
type filter hook prerouting priority 0;
|
||||||
policy accept;
|
policy accept;
|
||||||
|
|
||||||
ibrname br100 jump netpublic
|
ibrname br100 jump br100
|
||||||
}
|
}
|
||||||
|
|
||||||
chain netpublic {
|
chain br100 {
|
||||||
iifname vxlan100 jump from_uncloud
|
# Allow all incoming traffic from outside
|
||||||
|
iifname vxlan100 accept
|
||||||
|
|
||||||
# Default blocks: router advertisements, dhcpv6, dhcpv4
|
# Default blocks: router advertisements, dhcpv6, dhcpv4
|
||||||
icmpv6 type nd-router-advert drop
|
icmpv6 type nd-router-advert drop
|
||||||
ip6 version 6 udp sport 547 drop
|
ip6 version 6 udp sport 547 drop
|
||||||
ip version 4 udp sport 67 drop
|
ip version 4 udp sport 67 drop
|
||||||
|
|
||||||
# Individual blocks
|
jump br100_vmlist
|
||||||
iifname tap1 jump vm1
|
drop
|
||||||
}
|
}
|
||||||
|
chain br100_vmlist {
|
||||||
|
# VM1
|
||||||
|
iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept
|
||||||
|
|
||||||
chain vm1 {
|
# VM2
|
||||||
ether saddr != 02:00:f0:a9:c4:4e drop
|
iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept
|
||||||
ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop
|
iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept
|
||||||
}
|
|
||||||
|
|
||||||
chain from_uncloud {
|
|
||||||
accept
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# table ip6 filter {
|
|
||||||
# chain forward {
|
|
||||||
# type filter hook forward priority 0;
|
|
||||||
|
|
||||||
# # policy drop;
|
|
||||||
|
|
||||||
# ct state established,related accept;
|
|
||||||
|
|
||||||
# }
|
|
||||||
|
|
||||||
# }
|
|
||||||
|
|
||||||
# table ip filter {
|
|
||||||
# chain input {
|
|
||||||
# type filter hook input priority filter; policy drop;
|
|
||||||
# iif "lo" accept
|
|
||||||
# icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept
|
|
||||||
# ct state established,related accept
|
|
||||||
# tcp dport { 22 } accept
|
|
||||||
# log prefix "firewall-ipv4: "
|
|
||||||
# udp sport 67 drop
|
|
||||||
# }
|
|
||||||
|
|
||||||
# chain forward {
|
|
||||||
# type filter hook forward priority filter; policy drop;
|
|
||||||
# log prefix "firewall-ipv4: "
|
|
||||||
# }
|
|
||||||
|
|
||||||
# chain output {
|
|
||||||
# type filter hook output priority filter; policy accept;
|
|
||||||
# }
|
|
||||||
# }
|
|
||||||
|
|
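Review bot: The allow-list in chain br100_vmlist admits only each VM's global IPv6 source, so with the trailing `drop` in chain br100 any frame a VM sends from its link-local address or the unspecified address (neighbor and router solicitation, DAD) is dropped unless the bridge prerouting hook does not see those frames — worth confirming on a running VM before relying on this ruleset. If they are affected, a MAC-bound link-local entry per VM keeps the anti-spoofing property intact, e.g. `iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr fe80::/64 accept` for VM1, with the same addition for the v343a-0 entries. The three "Default blocks" rules and the final `drop` carry no `counter`, so a VM attempting router-advertisement or DHCP-server spoofing leaves no trace; `icmpv6 type nd-router-advert counter drop` (and likewise on the other drop rules) makes such attempts visible in `nft list ruleset`. The base chain header that precedes `type filter hook prerouting priority 0;` starts outside the hunk.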