This commit is contained in:
Daniel Flanagan 2021-07-10 14:46:26 -05:00
parent 7e787a9f9f
commit be853cc9f6
3 changed files with 25 additions and 8 deletions


@ -224,6 +224,8 @@ dhcp-range=10.0.0.5,10.0.0.250,255.255.255.0,10m
# need to be on the same network. The order of the parameters in these # need to be on the same network. The order of the parameters in these
# do not matter, it's permissible to give name, address and MAC in any # do not matter, it's permissible to give name, address and MAC in any
# order. # order.
dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.5,12h
# dhcp-host=????,faceless,10.0.0.10,12h
# Always allocate the host with Ethernet address 11:22:33:44:55:66 # Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60 # The IP address 192.168.0.60
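Review bot: The reserved address `10.0.0.5` on the new `dhcp-host` line for dragon is also the first address of the `dhcp-range=10.0.0.5,10.0.0.250,...` pool shown in the hunk header. dnsmasq does withhold dhcp-host addresses from the dynamic pool, so this should not collide, but a reader comparing the two lines will assume it does; a comment such as `# 10.0.0.5 sits inside dhcp-range; dnsmasq keeps dhcp-host addresses out of dynamic allocation` would settle it. The commented-out `faceless` entry has `????` where the MAC belongs, so marking it `# TODO: fill in MAC for faceless` makes clear it is a placeholder rather than a deliberately disabled host.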


@ -2,9 +2,19 @@
# TODO: diff with existing before just overwriting what's here in git? # TODO: diff with existing before just overwriting what's here in git?
f="$(dirname "$(realpath "$0")")/nftables" my_config="$(dirname "$(realpath "$0")")/nftables.conf"
sudo rm "$f"
printf "flush ruleset\n\n" > "$f" # we don't care about existing rules - just use ours, thanks
sudo nft -s list ruleset >> "$f" # sudo nft -s list ruleset >> "$f"
sudo nvim "$f" && sudo nft -f "$f"
# TODO: should this be sync'd to /etc/nftables.conf sudo nvim "$my_config"
cat "$my_config"
echo "Do you want to load this config? [y/N]"
read -r l
[[ $l == "y" ]] && {
printf "flush ruleset\n\n" > "/tmp/nftables.txt"
cat "$my_config" >> "/tmp/nftables.conf"
sudo nft -f "/tmp/nftables.conf"
sudo cp "$my_config" "/etc/nftables.conf"
echo "Done loading!"
}
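Review bot: The `printf "flush ruleset\n\n"` header is written to `/tmp/nftables.txt` while the next two lines append to and load `/tmp/nftables.conf`, so the flush never reaches the file nft loads, and because this commit also drops `flush ruleset` from the config itself, each load appends rules onto the live ruleset and onto whatever a previous run left in `/tmp/nftables.conf` via `>>`. A fixed path in a world-writable directory that is then read by `sudo nft -f` is also a known hazard; writing to a `mktemp` file that is removed afterwards avoids both problems. The prompt advertises `[y/N]` but only a lowercase `y` is accepted, so `[[ $l == [yY] ]]` would match what the prompt says. The `sudo cp "$my_config" "/etc/nftables.conf"` copy inherits the missing flush, so anyone loading that file directly rather than through this script would see the same duplication; a comment there noting that the file is meant to be loaded through this script (or restoring the flush line in the copy) would make that explicit.
```shell
[[ $l == [yY] ]] && {
  tmp="$(mktemp)"
  printf "flush ruleset\n\n" > "$tmp"
  cat "$my_config" >> "$tmp"
  sudo nft -f "$tmp"
  rm -f "$tmp"
  # … unchanged: copy to /etc/nftables.conf and "Done loading!" …
```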


@ -1,5 +1,3 @@
flush ruleset
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority filter; policy accept; type filter hook input priority filter; policy accept;
@ -23,6 +21,11 @@ table inet filter {
type filter hook output priority filter; policy accept; type filter hook output priority filter; policy accept;
} }
} }
# the following two blocks were generated by restarting systemd-networkd and
# dumping nftables
# nat ipv4 for lan
table ip io.systemd.nat { table ip io.systemd.nat {
set masq_saddr { set masq_saddr {
type ipv4_addr type ipv4_addr
@ -49,6 +52,8 @@ table ip io.systemd.nat {
ip saddr @masq_saddr masquerade ip saddr @masq_saddr masquerade
} }
} }
# nat ipv6 for lan (probably unnecessary?)
table ip6 io.systemd.nat { table ip6 io.systemd.nat {
set masq_saddr { set masq_saddr {
type ipv6_addr type ipv6_addr