remove rp_filter unicast limitation + nat only unicast
This commit is contained in:
parent
eb3865cb23
commit
2c36defc83
1 changed files with 7 additions and 7 deletions
14
firewall.py
14
firewall.py
|
@ -356,14 +356,8 @@ def parse_reverse_path_filter(rpf: ReversePathFilter) -> nft.Table:
|
|||
right=False,
|
||||
)
|
||||
|
||||
rule_pkttype = nft.Match(
|
||||
op="==",
|
||||
left=nft.Meta("pkttype"),
|
||||
right="host",
|
||||
)
|
||||
|
||||
chain_filter.rules.append(
|
||||
nft.Rule([rule_iifname, rule_fib, rule_pkttype, nft.Verdict("drop")])
|
||||
nft.Rule([rule_iifname, rule_fib, nft.Verdict("drop")])
|
||||
)
|
||||
|
||||
# Resulting table
|
||||
|
@ -582,6 +576,12 @@ def parse_nat(nat: list[Nat], zones: Zones) -> nft.Table:
|
|||
)
|
||||
)
|
||||
|
||||
rule.stmts.append(nft.Match(
|
||||
op="==",
|
||||
left=nft.Fib(flags=["daddr"], result="type"),
|
||||
right="unicast",
|
||||
))
|
||||
|
||||
rule.stmts.append(
|
||||
nft.Snat(
|
||||
addr=entry.snat.addr,
|
||||
|
|
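Review bot: Dropping the `meta pkttype host` match from the drop rule in parse_reverse_path_filter makes the reverse-path check apply to broadcast and multicast frames, not only unicast; if `rule_fib` is a `fib saddr . iif oif missing` lookup (only its `right=False` line is visible in this hunk), link-layer broadcast traffic whose source has no route — a DHCP discover from 0.0.0.0 is the usual case — will now be dropped where the old unicast-only rule let it pass. If that is intended, it deserves either an explicit exemption rule or at least a comment above `chain_filter.rules.append(`, e.g. `# Applies to every pkttype; routeless broadcast sources (e.g. DHCP 0.0.0.0) are dropped here too`. parse_reverse_path_filter starts and ends outside the hunk. The `fib daddr type unicast` match added in parse_nat would likewise benefit from a one-line comment such as `# SNAT only unicast destinations; broadcast/multicast are left untouched` so the two changes read as one deliberate policy.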