flowtable ft {
hook ingress priority 0;
- devices = { "br-lan", "wan" };
+ devices = { "br-lan", "eth1" };
flags offload;
}
#
define lan_devices = { "br-lan" }
- define lan_subnets = { 192.168.26.0/24, fd63:e2f:f706::/60 }
- define wan_devices = { "wan" }
- define wan_subnets = { 10.11.12.0/24 }
+ define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+ define wan_devices = { "eth1" }
+ define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
#
# User includes
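Review bot: The new `2001:db8:1000::/60` entry in `lan_subnets` is the masked form of the mock's lan assignment `2001:db8:1000:1::` with `"mask": 60`, and the guest assignment `2001:db8:1000:2::` with `"mask": 60` masks to the same network; the `fd63:e2f:f706:1::` / `fd63:e2f:f706:2::` pair collapses to `fd63:e2f:f706::/60` in the same way. As written, the fixture gives lan and guest identical IPv6 subnets, so a subnet-based rule for one would also match the other, and a test could not tell a zone mix-up from correct output. No guest zone is visible in this expected output, so it may not bite yet. I would still make the mock prefixes disjoint, e.g. `"mask": 64` on the `:1::` and `:2::` assignments (or `2001:db8:1000:10::` / `2001:db8:1000:20::` if /60 is intended), and regenerate the expected defines.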
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
- iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
}
chain forward {
meta l4proto { tcp, udp } flow offload @ft;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
- iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
jump handle_reject
}
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
meta l4proto tcp counter comment "!fw4: Test-Deprecated-Rule-Option"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
- oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
}
chain handle_reject {
}
chain accept_to_wan {
- oifname "wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
+ oifname "eth1" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
- iifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
+ iifname "eth1" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
- oifname "wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
+ oifname "eth1" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
- oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
}
chain srcnat_wan {
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
- iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
- oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
+ iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
+ oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
-- End --
{
"interface": [
+ {
+ "interface": "loopback",
+ "up": true,
+ "pending": false,
+ "available": true,
+ "autostart": true,
+ "dynamic": false,
+ "uptime": 89939,
+ "l3_device": "lo",
+ "proto": "static",
+ "device": "lo",
+ "updated": [
+ "addresses"
+ ],
+ "metric": 0,
+ "dns_metric": 0,
+ "delegation": true,
+ "ipv4-address": [
+ {
+ "address": "127.0.0.1",
+ "mask": 8
+ }
+ ],
+ "ipv6-address": [
+
+ ],
+ "ipv6-prefix": [
+
+ ],
+ "ipv6-prefix-assignment": [
+
+ ],
+ "route": [
+
+ ],
+ "dns-server": [
+
+ ],
+ "dns-search": [
+
+ ],
+ "neighbors": [
+
+ ],
+ "inactive": {
+ "ipv4-address": [
+
+ ],
+ "ipv6-address": [
+
+ ],
+ "route": [
+
+ ],
+ "dns-server": [
+
+ ],
+ "dns-search": [
+
+ ],
+ "neighbors": [
+
+ ]
+ },
+ "data": {
+
+ }
+ },
{
"interface": "lan",
"up": true,
"dns_metric": 0,
"delegation": true,
"ipv4-address": [
+ {
+ "address": "10.0.0.1",
+ "mask": 24
+ },
{
"address": "192.168.26.1",
"mask": 24
],
"ipv6-prefix-assignment": [
{
- "address": "fd63:e2f:f706::",
+ "address": "2001:db8:1000:1::",
"mask": 60,
"local-address": {
- "address": "fd63:e2f:f706::1",
+ "address": "2001:db8:1000:1::1",
+ "mask": 60
+ }
+ },
+ {
+ "address": "fd63:e2f:f706:1::",
+ "mask": 60,
+ "local-address": {
+ "address": "fd63:e2f:f706:1::1",
"mask": 60
}
}
}
},
{
- "interface": "loopback",
+ "interface": "guest",
"up": true,
"pending": false,
"available": true,
"autostart": true,
"dynamic": false,
- "uptime": 89939,
- "l3_device": "lo",
+ "uptime": 89940,
+ "l3_device": "br-guest",
"proto": "static",
- "device": "lo",
+ "device": "br-guest",
"updated": [
"addresses"
],
"delegation": true,
"ipv4-address": [
{
- "address": "127.0.0.1",
- "mask": 8
+ "address": "10.1.0.1",
+ "mask": 24
+ },
+ {
+ "address": "192.168.27.1",
+ "mask": 24
}
],
"ipv6-address": [
],
"ipv6-prefix-assignment": [
-
+ {
+ "address": "2001:db8:1000:2::",
+ "mask": 60,
+ "local-address": {
+ "address": "2001:db8:1000:2::1",
+ "mask": 60
+ }
+ },
+ {
+ "address": "fd63:e2f:f706:2::",
+ "mask": 60,
+ "local-address": {
+ "address": "fd63:e2f:f706:2::1",
+ "mask": 60
+ }
+ }
],
"route": [
}
},
- {
- "interface": "wan6",
- "up": false,
- "pending": true,
- "available": true,
- "autostart": true,
- "dynamic": false,
- "proto": "dhcpv6",
- "device": "wan",
- "data": {
-
- }
- },
{
"interface": "wan",
"up": true,
"autostart": true,
"dynamic": false,
"uptime": 35968,
- "l3_device": "wan",
+ "l3_device": "eth1",
"proto": "dhcp",
"device": "wan",
"metric": 0,
"hostname": "OpenWrt",
"leasetime": 43200
}
+ },
+ {
+ "interface": "wan6",
+ "up": true,
+ "pending": false,
+ "available": true,
+ "autostart": true,
+ "dynamic": false,
+ "uptime": 16264,
+ "l3_device": "eth1",
+ "proto": "6in4",
+ "updated": [
+ "addresses",
+ "routes",
+ "prefixes"
+ ],
+ "metric": 0,
+ "dns_metric": 0,
+ "delegation": true,
+ "ipv4-address": [
+
+ ],
+ "ipv6-address": [
+ {
+ "address": "2001:db8:54:321::2",
+ "mask": 64
+ }
+ ],
+ "ipv6-prefix": [
+ {
+ "address": "2001:db8:1000::",
+ "mask": 48,
+ "class": "wan6",
+ "assigned": {
+ "lan": {
+ "address": "2001:db8:1000:1::",
+ "mask": 60
+ },
+ "guest": {
+ "address": "2001:db8:1000:2::",
+ "mask": 60
+ }
+ }
+ }
+ ],
+ "ipv6-prefix-assignment": [
+
+ ],
+ "route": [
+ {
+ "target": "::",
+ "mask": 0,
+ "nexthop": "::",
+ "source": "2001:db8:1000::/48"
+ },
+ {
+ "target": "::",
+ "mask": 0,
+ "nexthop": "::",
+ "source": "2001:db8:54:321::2/64"
+ }
+ ],
+ "dns-server": [
+
+ ],
+ "dns-search": [
+
+ ],
+ "neighbors": [
+
+ ],
+ "inactive": {
+ "ipv4-address": [
+
+ ],
+ "ipv6-address": [
+
+ ],
+ "route": [
+
+ ],
+ "dns-server": [
+
+ ],
+ "dns-search": [
+
+ ],
+ "neighbors": [
+
+ ]
+ },
+ "data": {
+
+ }
}
]
}
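Review bot: The wan6 mock pairs `"proto": "6in4"` with `"l3_device": "eth1"`, the same device as wan, so `wan_devices` stays a single name and none of the expected rules exercise a wan zone that spans two L3 devices. A tunnel interface would normally have its own netdev, and rules matching only `eth1` would presumably not see its traffic. If that case is meant to be covered, give wan6 a distinct `l3_device` (constructed example: `"6in4-wan6"`) and regenerate the expected output. Separately, the wan entry now has `"l3_device": "eth1"` next to an unchanged `"device": "wan"`; if the mismatch is deliberate, to show that rules are built from `l3_device`, the commit message should say so, since the JSON cannot carry a comment.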