blob: e4f68ed77cf060e2bfc0b315f3d5ad5fdb7d5962 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
destroy table inet filter
table inet filter {
chain input {
type filter hook input priority filter
policy drop
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iif lo accept comment "allow from loopback"
meta l4proto { icmp, icmpv6 } accept comment "allow icmp"
# libvirt's NAT bridge: let guests reach the host's dnsmasq for DHCP+DNS.
# libvirt manages its own forward/NAT chains but does NOT touch the input
# chain, so without this rule guests get no IP (DHCP packets are dropped
# before dnsmasq sees them).
iifname "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
iifname "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
# Waydroid's NAT bridge: same pattern as libvirt. The Android container's
# DhcpClient broadcasts DHCPDISCOVER on waydroid0; without this rule it's
# dropped before dnsmasq sees it and the container never gets an IP.
iifname "waydroid0" udp dport { 53, 67 } accept comment "waydroid: DHCP+DNS from container"
iifname "waydroid0" tcp dport 53 accept comment "waydroid: DNS over TCP from container"
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
policy drop
# libvirt's NAT bridge: permit guest traffic to be forwarded. libvirt's
# own table accepts these explicitly at the same hook+priority, but with
# nftables a packet must be accepted by ALL chains at that priority, so
# our policy=drop would otherwise block all guest egress and return
# traffic. Mirror libvirt's accepts here for the default NAT bridge.
# Use iifname/oifname (string match) instead of iif/oif so the rules
# load before libvirtd has created virbr0 at boot.
iifname "virbr0" accept comment "libvirt: guest egress"
oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
# Waydroid's NAT bridge: same pattern as libvirt. Waydroid's container
# service installs MASQUERADE itself via iptables-nft compat, so no
# explicit nat table is needed here -- only the forward-chain accepts.
iifname "waydroid0" accept comment "waydroid: guest egress"
oifname "waydroid0" ct state established,related accept comment "waydroid: guest return"
}
}
|
