ignore iso, update nft rules

Nico Schottelius 2020-01-12 13:20:38 +01:00
parent aaf29adcbb
commit b017df4879
2 changed files with 14 additions and 45 deletions

.gitignore vendored

@ -16,3 +16,5 @@ uncloud/version.py
build/ build/
venv/ venv/
dist/ dist/
*.iso


@ -5,60 +5,27 @@ table bridge filter {
type filter hook prerouting priority 0; type filter hook prerouting priority 0;
policy accept; policy accept;
ibrname br100 jump netpublic ibrname br100 jump br100
} }
chain netpublic { chain br100 {
iifname vxlan100 jump from_uncloud # Allow all incoming traffic from outside
iifname vxlan100 accept
# Default blocks: router advertisements, dhcpv6, dhcpv4 # Default blocks: router advertisements, dhcpv6, dhcpv4
icmpv6 type nd-router-advert drop icmpv6 type nd-router-advert drop
ip6 version 6 udp sport 547 drop ip6 version 6 udp sport 547 drop
ip version 4 udp sport 67 drop ip version 4 udp sport 67 drop
# Individual blocks jump br100_vmlist
iifname tap1 jump vm1 drop
} }
chain br100_vmlist {
# VM1
iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44e accept
chain vm1 { # VM2
ether saddr != 02:00:f0:a9:c4:4e drop iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:888:0:f0ff:fea9:c44f accept
ip6 saddr != 2a0a:e5c1:111:888:0:f0ff:fea9:c44e drop iifname v343a-0 ether saddr 02:00:f0:a9:c4:4f ip6 saddr 2a0a:e5c1:111:1234::/64 accept
}
chain from_uncloud {
accept
} }
} }
# table ip6 filter {
# chain forward {
# type filter hook forward priority 0;
# # policy drop;
# ct state established,related accept;
# }
# }
# table ip filter {
# chain input {
# type filter hook input priority filter; policy drop;
# iif "lo" accept
# icmp type { echo-reply, destination-unreachable, source-quench, redirect, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, info-request, info-reply, address-mask-request, address-mask-reply } accept
# ct state established,related accept
# tcp dport { 22 } accept
# log prefix "firewall-ipv4: "
# udp sport 67 drop
# }
# chain forward {
# type filter hook forward priority filter; policy drop;
# log prefix "firewall-ipv4: "
# }
# chain output {
# type filter hook output priority filter; policy accept;
# }
# }
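Review bot: The `br100_vmlist` allow rules pin each VM to its global IPv6 address only, so anything a VM sends from its link-local address — neighbour solicitations and advertisements, router solicitations — and duplicate-address-detection probes from `::` fall through to the trailing `drop` in `br100`; if the VMs resolve their router through neighbour discovery this is likely to break or degrade connectivity, which is worth confirming on a test VM before rollout. A MAC-pinned link-local rule per VM keeps the anti-spoofing intent while letting neighbour discovery through, e.g. for VM1 `iifname tap1 ether saddr 02:00:f0:a9:c4:4e ip6 saddr fe80::/64 accept`. The `drop` that closes `br100` is what makes the VM side default-deny, yet unlike the `accept` above it it carries no comment; `# Default deny for VM taps: anything not matched in br100_vmlist is dropped` would make that explicit, and the same comment should record that only IPv6 is admitted from VMs (there are no `ip saddr` or `arp` rules), so IPv4 from a VM is dropped by design rather than by accident. The `table bridge filter` block and the prerouting chain header begin before this hunk.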