bundles/nftables: store rules in dedicated files instead of nftables.conf

2021-12-14 14:03:13 +01:00 · 2021-12-14 14:03:13 +01:00 · 0101e0c92d
commit 0101e0c92d
parent 1742f51778
11 changed files with 77 additions and 102 deletions
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -102,21 +102,17 @@ nodes['home.router'] = {
        },
        'nftables': {
            'rules': {
-                'forward': {
-                    'router': [
-                        # This is a router. Allow forwarding traffic for internal networks.
-                        'ct state { related, established } accept',
-                        'iif enp1s0.23 oif ppp0 accept',
-                        'iif enp1s0.42 accept',
+                '50-router': [
+                    # This is a router. Allow forwarding traffic for internal networks.
+                    'inet filter forward ct state { related, established } accept',
+                    'inet filter forward iif enp1s0.23 oif ppp0 accept',
+                    'inet filter forward iif enp1s0.42 accept',

-                        # yaaaaay, IPv6! No NAT!
-                        'ip6 nexthdr ipv6-icmp accept',
-                        'tcp dport 22 accept',
-                    ],
-                },
-                'nat_prerouting': {
-                    'tcp dport 2022 dnat 172.19.138.20:22',
-                },
+                    # yaaaaay, IPv6! No NAT!
+                    'inet filter forward ip6 nexthdr ipv6-icmp accept',
+                    'inet filter forward tcp dport 22 accept',
+                    'nat prerouting tcp dport 2022 dnat 172.19.138.20:22',
+                ],
            },
        },
        'nginx': {