-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathnftables.conf
75 lines (63 loc) · 2.13 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
#!/usr/bin/nft -f
flush ruleset
table inet filter {
flowtable f {
hook ingress priority 0; devices = { ${wan}, ${lan} };
}
set blocklist4 {
type ipv4_addr
timeout 10s
}
set blocklist6 {
type ipv6_addr
timeout 5m
}
chain output {
type filter hook output priority 0; policy accept;
}
chain input {
type filter hook input priority 0; policy drop;
iifname "${lan}" accept
iifname "${wan}" ct state { established, related } accept
iifname "${wan}" drop
}
chain sniqueue {
type filter hook forward priority -2; policy accept;
ip daddr @blocklist4 tcp dport 443 reject
ip daddr @blocklist4 udp dport 443 reject
ip6 daddr @blocklist6 tcp dport 443 reject
ip6 daddr @blocklist6 udp dport 443 reject
ct mark 101 accept comment "Accept known good SNI not yet offloaded"
ct mark 100 reject comment "Reject known bad SNI"
tcp dport 443 ct mark set 102 comment "Mark all unjudged packets"
udp dport 443 ct mark set 102 comment "Mark all unjudged packets"
meta mark set ct mark
tcp dport 443 ct original packets <20 queue num 100 bypass
udp dport 443 ct original packets <20 queue num 100 bypass
}
chain sniqueue_block {
type filter hook forward priority -1; policy accept;
ip protocol { tcp, udp } meta mark 100 add @blocklist4 { ip daddr }
ip6 nexthdr { tcp, udp } meta mark 100 add @blocklist6 { ip6 daddr }
ct mark set meta mark
ct mark 102 accept comment "Accept packets without verdict"
ct mark 100 reject comment "Reject known bad"
ct mark 101 flow offload @f comment "Offload known good SNI"
}
chain forward {
type filter hook forward priority 0; policy drop;
ct mark != 102 flow offload @f comment "Offload packets not sent to SNIqueue"
iifname "${lan}" oifname "${wan}" accept
iifname "${wan}" oifname "${lan}" ct state established,related accept
}
}
table ip nat {
chain prerouting {
type nat hook output priority 0; policy accept;
}
# Setup NAT masquerading on the wan interface
chain postrouting {
type nat hook postrouting priority 0; policy accept;
oifname "${wan}" masquerade
}
}