Reserve IPs by hostname in order to not leak MAC addresses and allow to use random ones

dnsmasq.conf

@@ -8,9 +8,10 @@ dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
 
 local=/h.lyte.dev/
 
-dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
+dhcp-host=dragon,10.0.0.10,12h
-dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
+dhcp-host=faceless,10.0.0.25,12h
-dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
+dhcp-host=kubeworker3,10.0.0.244,2m
+# dhcp-host=kubeworker3,d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
 
 address=/dragon.h.lyte.dev/10.0.0.10
 address=/git.lyte.dev/10.0.0.25

nftables.conf

@@ -82,29 +82,28 @@ table ip io.systemd.nat {
 	}
 }
 
-# nat ipv6 for lan
 table ip6 io.systemd.nat {
-	set masq_saddr {
+	chain input {
-		type ipv6_addr
+		type filter hook input priority filter; policy accept;
-		flags interval
+		iifname "lo" accept
+		ct state invalid drop
+		ct state { established, related } accept
+		# ip6 protocol icmpv6 accept
+		# ip6 protocol icmp accept
+		meta l4proto ipv6-icmp accept
+		tcp dport { 22, 2200, 2221, 2200, 25565 } accept
+		udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+		udp dport { 60000-60009 } accept comment "allow mosh common ports"
+		drop
 	}
 
-	map map_port_ipport {
+	chain forward {
-		type inet_proto . inet_service : ipv6_addr . inet_service
+		type filter hook forward priority filter; policy accept;
-	}
+		accept
-
-	chain prerouting {
-		type nat hook prerouting priority dstnat + 1; policy accept;
-		fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
 	}
 
 	chain output {
-		type nat hook output priority -99; policy accept;
+		type filter hook output priority filter; policy accept;
-		ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
+		accept
-	}
-
-	chain postrouting {
-		type nat hook postrouting priority srcnat + 1; policy accept;
-		ip6 saddr @masq_saddr masquerade
 	}
 }