Manuel Amador (Rudd-O) f7bfd46bdc Ensure the forward rule is added after connection tracking.
Also improve tests and add Tox for mypy and pytest.
2024-02-29 03:24:36 +00:00


{
"nftables": [
{
"metainfo": {
"version": "1.0.7",
"release_name": "Old Doc Yak",
"json_schema_version": 1
}
},
{
"table": {
"family": "ip",
"name": "qubes",
"handle": 1
}
},
{
"set": {
"family": "ip",
"name": "downstream",
"table": "qubes",
"type": "ipv4_addr",
"handle": 3
}
},
{
"set": {
"family": "ip",
"name": "allowed",
"table": "qubes",
"type": [
"ifname",
"ipv4_addr"
],
"handle": 4
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "prerouting",
"handle": 1,
"type": "filter",
"hook": "prerouting",
"prio": -300,
"policy": "accept"
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "antispoof",
"handle": 2
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "postrouting",
"handle": 60,
"type": "nat",
"hook": "postrouting",
"prio": 100,
"policy": "accept"
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "input",
"handle": 61,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "forward",
"handle": 62,
"type": "filter",
"hook": "forward",
"prio": 0,
"policy": "accept"
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "custom-input",
"handle": 63
}
},
{
"chain": {
"family": "ip",
"table": "qubes",
"name": "custom-forward",
"handle": 64
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "prerouting",
"handle": 5,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"goto": {
"target": "antispoof"
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "prerouting",
"handle": 6,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip",
"field": "saddr"
}
},
"right": "@downstream"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "antispoof",
"handle": 7,
"expr": [
{
"match": {
"op": "==",
"left": {
"concat": [
{
"meta": {
"key": "iifname"
}
},
{
"payload": {
"protocol": "ip",
"field": "saddr"
}
}
]
},
"right": "@allowed"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "antispoof",
"handle": 8,
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "postrouting",
"handle": 65,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifgroup"
}
},
"right": 2
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "postrouting",
"handle": 66,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "postrouting",
"handle": 67,
"expr": [
{
"masquerade": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 68,
"expr": [
{
"jump": {
"target": "custom-input"
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 69,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 70,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 68
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 71,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 72,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "l4proto"
}
},
"right": "icmp"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 73,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 74,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"reject": {
"type": "icmp",
"expr": "host-prohibited"
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "input",
"handle": 75,
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "forward",
"handle": 76,
"expr": [
{
"jump": {
"target": "custom-forward"
}
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "forward",
"handle": 77,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "forward",
"handle": 78,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip",
"table": "qubes",
"chain": "forward",
"handle": 79,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifgroup"
}
},
"right": 2
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"table": {
"family": "ip6",
"name": "qubes",
"handle": 2
}
},
{
"set": {
"family": "ip6",
"name": "downstream",
"table": "qubes",
"type": "ipv6_addr",
"handle": 3
}
},
{
"set": {
"family": "ip6",
"name": "allowed",
"table": "qubes",
"type": [
"ifname",
"ipv6_addr"
],
"handle": 4
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "antispoof",
"handle": 1
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "prerouting",
"handle": 2,
"type": "filter",
"hook": "prerouting",
"prio": -300,
"policy": "accept"
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "postrouting",
"handle": 19,
"type": "nat",
"hook": "postrouting",
"prio": 100,
"policy": "accept"
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "_icmpv6",
"handle": 20
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "input",
"handle": 21,
"type": "filter",
"hook": "input",
"prio": 0,
"policy": "drop"
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "forward",
"handle": 22,
"type": "filter",
"hook": "forward",
"prio": 0,
"policy": "accept"
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "custom-input",
"handle": 23
}
},
{
"chain": {
"family": "ip6",
"table": "qubes",
"name": "custom-forward",
"handle": 24
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "antispoof",
"handle": 5,
"expr": [
{
"match": {
"op": "==",
"left": {
"concat": [
{
"meta": {
"key": "iifname"
}
},
{
"payload": {
"protocol": "ip6",
"field": "saddr"
}
}
]
},
"right": "@allowed"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "antispoof",
"handle": 6,
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "prerouting",
"handle": 7,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"goto": {
"target": "antispoof"
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "prerouting",
"handle": 8,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": "@downstream"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "postrouting",
"handle": 25,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifgroup"
}
},
"right": 2
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "postrouting",
"handle": 26,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "postrouting",
"handle": 27,
"expr": [
{
"masquerade": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "_icmpv6",
"handle": 28,
"expr": [
{
"match": {
"op": "!=",
"left": {
"meta": {
"key": "l4proto"
}
},
"right": "ipv6-icmp"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"reject": {
"type": "icmpv6",
"expr": "admin-prohibited"
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "_icmpv6",
"handle": 30,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "icmpv6",
"field": "type"
}
},
"right": {
"set": [
"nd-router-advert",
"nd-redirect"
]
}
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "_icmpv6",
"handle": 31,
"expr": [
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 32,
"expr": [
{
"jump": {
"target": "custom-input"
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 33,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 34,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 35,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iifgroup"
}
},
"right": 2
}
},
{
"goto": {
"target": "_icmpv6"
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 36,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "iif"
}
},
"right": "lo"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 37,
"expr": [
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "saddr"
}
},
"right": {
"prefix": {
"addr": "fe80::",
"len": 64
}
}
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "ip6",
"field": "daddr"
}
},
"right": {
"prefix": {
"addr": "fe80::",
"len": 64
}
}
}
},
{
"match": {
"op": "==",
"left": {
"payload": {
"protocol": "udp",
"field": "dport"
}
},
"right": 546
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 38,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "l4proto"
}
},
"right": "ipv6-icmp"
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "input",
"handle": 39,
"expr": [
{
"counter": {
"packets": 0,
"bytes": 0
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "forward",
"handle": 40,
"expr": [
{
"jump": {
"target": "custom-forward"
}
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "forward",
"handle": 41,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": "invalid"
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "forward",
"handle": 42,
"expr": [
{
"match": {
"op": "in",
"left": {
"ct": {
"key": "state"
}
},
"right": [
"established",
"related"
]
}
},
{
"accept": null
}
]
}
},
{
"rule": {
"family": "ip6",
"table": "qubes",
"chain": "forward",
"handle": 43,
"expr": [
{
"match": {
"op": "==",
"left": {
"meta": {
"key": "oifgroup"
}
},
"right": 2
}
},
{
"counter": {
"packets": 0,
"bytes": 0
}
},
{
"drop": null
}
]
}
}
]
}