flowtable ft {
hook ingress priority 0;
- devices = { "eth0", "eth1" };
+ devices = { "eth0" };
flags offload;
}
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
- define wan_devices = { "eth1" }
+ define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
#
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
meta l4proto { tcp, udp } flow offload @ft;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain handle_reject {
}
chain accept_to_wan {
- oifname "eth1" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
- iifname "eth1" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
+ iifname "pppoe-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
- oifname "eth1" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
- oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
- iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
- oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
+ iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
+ oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
-- End --
[call] ctx.call object <network.device> method <status> args <null>
[call] fs.opendir path </sys/class/net/br-lan>
[call] fs.opendir path </sys/class/net/eth0>
-[call] fs.opendir path </sys/class/net/eth1>
-[call] fs.opendir path </sys/class/net/eth1>
-[call] system command </usr/sbin/nft -c 'add table inet fw4-hw-offload-test; add flowtable inet fw4-hw-offload-test ft { hook ingress priority 0; devices = { "eth0", "eth1" }; flags offload; }' 2>/dev/null> timeout <null>
+[call] fs.opendir path </sys/class/net/pppoe-wan>
+[call] fs.opendir path </sys/class/net/pppoe-wan>
+[call] system command </usr/sbin/nft -c 'add table inet fw4-hw-offload-test; add flowtable inet fw4-hw-offload-test ft { hook ingress priority 0; devices = { "eth0" }; flags offload; }' 2>/dev/null> timeout <null>
[call] fs.popen cmdline </usr/sbin/nft --terse --json list flowtables inet> mode <r>
[call] fs.open path </sys/class/net/br-lan/flags> mode <r>
[call] fs.open path </sys/class/net/br-lan/flags> mode <r>
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
- define wan_devices = { "eth1" }
+ define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24 }
#
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
}
chain output {
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain handle_reject {
}
chain accept_to_wan {
- oifname "eth1" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain drop_from_wan {
- iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
- oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
# Defines
#
- define wan_devices = { "eth1" }
+ define wan_devices = { "pppoe-wan" }
define wan_subnets = { 2001:db8:54:321::/64 }
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "br-guest" jump input_guest comment "!fw4: Handle guest IPv4/IPv6 input traffic"
}
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "br-guest" jump forward_guest comment "!fw4: Handle guest IPv4/IPv6 forward traffic"
}
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::9 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff == ::10 ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
ip6 saddr { ::3, ::4 } ip6 saddr != { ::7, ::8 } ip6 saddr & ::ffff != ::5 ip6 saddr & ::ffff != ::6 ip6 daddr { ::11, ::12 } ip6 daddr != { ::15, ::16 } ip6 daddr & ::ffff != ::13 ip6 daddr & ::ffff != ::14 counter comment "!fw4: Mask rule #2"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "br-guest" jump output_guest comment "!fw4: Handle guest IPv4/IPv6 output traffic"
}
}
chain drop_from_wan {
- iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
- oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain input_lan {
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
- iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname "br-guest" jump dstnat_guest comment "!fw4: Handle guest IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
- oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname "br-guest" jump srcnat_guest comment "!fw4: Handle guest IPv4/IPv6 srcnat traffic"
}
# Defines
#
- define wan_devices = { "eth1" }
+ define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "wwan0" jump input_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 input traffic"
}
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "wwan0" jump forward_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 forward traffic"
}
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "wwan0" jump output_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 output traffic"
}
}
chain drop_from_wan {
- iifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ iifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain drop_to_wan {
- oifname "eth1" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
+ oifname "pppoe-wan" counter drop comment "!fw4: drop wan IPv4/IPv6 traffic"
}
chain input_lan {
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
- iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname "wwan0" jump dstnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
- oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname "wwan0" jump srcnat_noaddr comment "!fw4: Handle noaddr IPv4/IPv6 srcnat traffic"
}
"autostart": true,
"dynamic": false,
"uptime": 35968,
- "l3_device": "eth1",
- "proto": "dhcp",
- "device": "wan",
+ "l3_device": "pppoe-wan",
+ "proto": "pppoe",
+ "device": "eth1",
"metric": 0,
"dns_metric": 0,
"delegation": true,
]
},
"data": {
- "hostname": "OpenWrt",
- "leasetime": 43200
+
}
},
{
"autostart": true,
"dynamic": false,
"uptime": 16264,
- "l3_device": "eth1",
- "proto": "6in4",
+ "l3_device": "pppoe-wan",
+ "proto": "dhcpv6",
"updated": [
"addresses",
"routes",
projects / project / firewall4.git / commitdiff