|
|
|
@ -242,21 +242,21 @@ def unmarshall_ports(elements: set[Port | PortRange]) -> Iterator[int]:
|
|
|
|
|
if isinstance(element, int):
|
|
|
|
|
yield element
|
|
|
|
|
if isinstance(element, range):
|
|
|
|
|
yield from element
|
|
|
|
|
yield nft.Range(element.start, element.stop - 1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def split_v4_v6(
|
|
|
|
|
addrs: Iterator[IPvAnyNetwork],
|
|
|
|
|
) -> tuple[set[nft.Immediate[IPv4Network]], set[nft.Immediate[IPv6Network]]]:
|
|
|
|
|
) -> tuple[set[IPv4Network], set[IPv6Network]]:
|
|
|
|
|
v4, v6 = set(), set()
|
|
|
|
|
|
|
|
|
|
for addr in addrs:
|
|
|
|
|
match addr:
|
|
|
|
|
case IPv4Network():
|
|
|
|
|
v4.add(nft.Immediate(addr))
|
|
|
|
|
v4.add(addr)
|
|
|
|
|
|
|
|
|
|
case IPv6Network():
|
|
|
|
|
v6.add(nft.Immediate(addr))
|
|
|
|
|
v6.add(addr)
|
|
|
|
|
|
|
|
|
|
return v4, v6
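Review bot: The range branch of `unmarshall_ports` appears to yield `nft.Range(element.start, element.stop - 1)` where it used to `yield from element`, yet the signature quoted in the hunk header still declares `-> Iterator[int]`; if the `nft.Range` line is the new side, the annotation should be updated, e.g. `-> Iterator[int | nft.Range]`, so callers and type checkers see the mixed element types. An empty `range` (start == stop) would now produce `nft.Range(start, start - 1)`, an inverted range, where `yield from` produced nothing; if such ranges can reach this function, `if element: yield nft.Range(element.start, element.stop - 1)` preserves the old behaviour. The body of `unmarshall_ports` begins before this hunk, so the loop header and any earlier validation are not visible here.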
|
|
|
|
|
|
|
|
|
@ -307,12 +307,12 @@ def parse_blacklist(blacklist: Blacklist, zones: Zones) -> nft.Table:
|
|
|
|
|
rule_v4 = nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip", field="saddr"),
|
|
|
|
|
right=nft.Immediate("@blacklist_v4"),
|
|
|
|
|
right="@blacklist_v4",
|
|
|
|
|
)
|
|
|
|
|
rule_v6 = nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip6", field="saddr"),
|
|
|
|
|
right=nft.Immediate("@blacklist_v6"),
|
|
|
|
|
right="@blacklist_v6",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
chain_filter.rules.append(nft.Rule([rule_v4, nft.Verdict("drop")]))
|
|
|
|
@ -331,7 +331,7 @@ def parse_reverse_path_filter(rpf: ReversePathFilter) -> nft.Table:
|
|
|
|
|
# Set disabled_ifs
|
|
|
|
|
disabled_ifs = nft.Set(name="disabled_ifs", type="ifname")
|
|
|
|
|
|
|
|
|
|
disabled_ifs.elements.extend(map(nft.Immediate, rpf.interfaces))
|
|
|
|
|
disabled_ifs.elements.extend(rpf.interfaces)
|
|
|
|
|
|
|
|
|
|
# Chain filter
|
|
|
|
|
chain_filter = nft.Chain(
|
|
|
|
@ -343,21 +343,19 @@ def parse_reverse_path_filter(rpf: ReversePathFilter) -> nft.Table:
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
rule_iifname = nft.Match(
|
|
|
|
|
op="!=",
|
|
|
|
|
left=nft.Meta("iifname"),
|
|
|
|
|
right=nft.Immediate("@disabled_ifs"),
|
|
|
|
|
op="!=", left=nft.Meta("iifname"), right="@disabled_ifs"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
rule_fib = nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Fib(flags=["saddr", "iif"], result="oif"),
|
|
|
|
|
right=nft.Immediate(False),
|
|
|
|
|
right=False,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
rule_pkttype = nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Meta("pkttype"),
|
|
|
|
|
right=nft.Immediate("host"),
|
|
|
|
|
right="host",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
chain_filter.rules.append(
|
|
|
|
@ -414,7 +412,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Meta(f"{attr}name"),
|
|
|
|
|
right=nft.Immediate(getattr(rule, attr)),
|
|
|
|
|
right=getattr(rule, attr),
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -429,7 +427,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip", field=field),
|
|
|
|
|
right=nft.Immediate(addr_v4),
|
|
|
|
|
right=addr_v4,
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
@ -440,7 +438,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip6", field=field),
|
|
|
|
|
right=nft.Immediate(addr_v6),
|
|
|
|
|
right=addr_v6,
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
@ -465,7 +463,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip", field="protocol"),
|
|
|
|
|
right=nft.Immediate(protos_v4),
|
|
|
|
|
right=protos_v4,
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -474,7 +472,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol="ip6", field="nexthdr"),
|
|
|
|
|
right=nft.Immediate(protos_v6),
|
|
|
|
|
right=protos_v6,
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -492,7 +490,7 @@ def parse_filter_rule(rule: Rule, zones: Zones) -> list[nft.Rule]:
|
|
|
|
|
nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Payload(protocol=proto, field=port),
|
|
|
|
|
right=nft.Immediate(ports),
|
|
|
|
|
right=ports,
|
|
|
|
|
),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -531,13 +529,13 @@ def parse_filter(filter: Filter, zones: Zones) -> nft.Table:
|
|
|
|
|
rule_ct_accept = nft.Match(
|
|
|
|
|
op="==",
|
|
|
|
|
left=nft.Ct("state"),
|
|
|
|
|
right=nft.Immediate({"established", "related"}),
|
|
|
|
|
right={"established", "related"},
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
rule_ct_drop = nft.Match(
|
|
|
|
|
op="in",
|
|
|
|
|
left=nft.Ct("state"),
|
|
|
|
|
right=nft.Immediate("invalid"),
|
|
|
|
|
right="invalid",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
chain_conntrack.rules = [
|
|
|
|
|