{ "nftables": [ { "metainfo": { "version": "1.0.7", "release_name": "Old Doc Yak", "json_schema_version": 1 } }, { "table": { "family": "ip", "name": "qubes", "handle": 1 } }, { "set": { "family": "ip", "name": "downstream", "table": "qubes", "type": "ipv4_addr", "handle": 3 } }, { "set": { "family": "ip", "name": "allowed", "table": "qubes", "type": [ "ifname", "ipv4_addr" ], "handle": 4 } }, { "chain": { "family": "ip", "table": "qubes", "name": "prerouting", "handle": 1, "type": "filter", "hook": "prerouting", "prio": -300, "policy": "accept" } }, { "chain": { "family": "ip", "table": "qubes", "name": "antispoof", "handle": 2 } }, { "chain": { "family": "ip", "table": "qubes", "name": "postrouting", "handle": 60, "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept" } }, { "chain": { "family": "ip", "table": "qubes", "name": "input", "handle": 61, "type": "filter", "hook": "input", "prio": 0, "policy": "drop" } }, { "chain": { "family": "ip", "table": "qubes", "name": "forward", "handle": 62, "type": "filter", "hook": "forward", "prio": 0, "policy": "accept" } }, { "chain": { "family": "ip", "table": "qubes", "name": "custom-input", "handle": 63 } }, { "chain": { "family": "ip", "table": "qubes", "name": "custom-forward", "handle": 64 } }, { "rule": { "family": "ip", "table": "qubes", "chain": "prerouting", "handle": 5, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "goto": { "target": "antispoof" } } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "prerouting", "handle": 6, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": "@downstream" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "antispoof", "handle": 7, "expr": [ { "match": { "op": "==", "left": { "concat": [ { "meta": { "key": "iifname" } }, { "payload": { "protocol": "ip", "field": "saddr" } } ] }, "right": "@allowed" } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "antispoof", "handle": 8, "expr": [ { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "postrouting", "handle": 65, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifgroup" } }, "right": 2 } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "postrouting", "handle": 66, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "postrouting", "handle": 67, "expr": [ { "masquerade": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 68, "expr": [ { "jump": { "target": "custom-input" } } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 69, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 70, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 68 } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 71, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 72, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "icmp" } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 73, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 74, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "counter": { "packets": 0, "bytes": 0 } }, { "reject": { "type": "icmp", "expr": "host-prohibited" } } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "input", "handle": 75, "expr": [ { "counter": { "packets": 0, "bytes": 0 } } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "forward", "handle": 76, "expr": [ { "jump": { "target": "custom-forward" } } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "forward", "handle": 77, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "forward", "handle": 78, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "ip", "table": "qubes", "chain": "forward", "handle": 79, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifgroup" } }, "right": 2 } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "table": { "family": "ip6", "name": "qubes", "handle": 2 } }, { "set": { "family": "ip6", "name": "downstream", "table": "qubes", "type": "ipv6_addr", "handle": 3 } }, { "set": { "family": "ip6", "name": "allowed", "table": "qubes", "type": [ "ifname", "ipv6_addr" ], "handle": 4 } }, { "chain": { "family": "ip6", "table": "qubes", "name": "antispoof", "handle": 1 } }, { "chain": { "family": "ip6", "table": "qubes", "name": "prerouting", "handle": 2, "type": "filter", "hook": "prerouting", "prio": -300, "policy": "accept" } }, { "chain": { "family": "ip6", "table": "qubes", "name": "postrouting", "handle": 19, "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept" } }, { "chain": { "family": "ip6", "table": "qubes", "name": "_icmpv6", "handle": 20 } }, { "chain": { "family": "ip6", "table": "qubes", "name": "input", "handle": 21, "type": "filter", "hook": "input", "prio": 0, "policy": "drop" } }, { "chain": { "family": "ip6", "table": "qubes", "name": "forward", "handle": 22, "type": "filter", "hook": "forward", "prio": 0, "policy": "accept" } }, { "chain": { "family": "ip6", "table": "qubes", "name": "custom-input", "handle": 23 } }, { "chain": { "family": "ip6", "table": "qubes", "name": "custom-forward", "handle": 24 } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "antispoof", "handle": 5, "expr": [ { "match": { "op": "==", "left": { "concat": [ { "meta": { "key": "iifname" } }, { "payload": { "protocol": "ip6", "field": "saddr" } } ] }, "right": "@allowed" } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "antispoof", "handle": 6, "expr": [ { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "prerouting", "handle": 7, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "goto": { "target": "antispoof" } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "prerouting", "handle": 8, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": "@downstream" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "postrouting", "handle": 25, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifgroup" } }, "right": 2 } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "postrouting", "handle": 26, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "postrouting", "handle": 27, "expr": [ { "masquerade": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "_icmpv6", "handle": 28, "expr": [ { "match": { "op": "!=", "left": { "meta": { "key": "l4proto" } }, "right": "ipv6-icmp" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "reject": { "type": "icmpv6", "expr": "admin-prohibited" } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "_icmpv6", "handle": 30, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "icmpv6", "field": "type" } }, "right": { "set": [ "nd-router-advert", "nd-redirect" ] } } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "_icmpv6", "handle": 31, "expr": [ { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 32, "expr": [ { "jump": { "target": "custom-input" } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 33, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 34, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 35, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifgroup" } }, "right": 2 } }, { "goto": { "target": "_icmpv6" } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 36, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 37, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "prefix": { "addr": "fe80::", "len": 64 } } } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "daddr" } }, "right": { "prefix": { "addr": "fe80::", "len": 64 } } } }, { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 546 } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 38, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "ipv6-icmp" } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "input", "handle": 39, "expr": [ { "counter": { "packets": 0, "bytes": 0 } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "forward", "handle": 40, "expr": [ { "jump": { "target": "custom-forward" } } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "forward", "handle": 41, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": "invalid" } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "forward", "handle": 42, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "ip6", "table": "qubes", "chain": "forward", "handle": 43, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifgroup" } }, "right": 2 } }, { "counter": { "packets": 0, "bytes": 0 } }, { "drop": null } ] } } ] }