More xlink firewall fixes (#581)

This commit is contained in:
Tim Wilkinson 2022-12-23 21:00:35 -08:00 committed by GitHub
parent 2ce44832cf
commit 9ee849eb3f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 3 deletions


@ -54,7 +54,7 @@ if nixio.fs.stat("/etc/config.mesh/xlink") then
local ifname = section.ifname local ifname = section.ifname
nft_delete("forward", "iifname \"" .. ifname .. "\".*jump forward_dtdlink") nft_delete("forward", "iifname \"" .. ifname .. "\".*jump forward_dtdlink")
nft_delete("input", "iifname \"" .. ifname .. "\".*jump input_dtdlink") nft_delete("input", "iifname \"" .. ifname .. "\".*jump input_dtdlink")
nft_delete("output", "oifname \"" .. ifname .. "\".*jump accept_to_dtdlink") nft_delete("output", "oifname \"" .. ifname .. "\".*jump output_dtdlink")
nft_delete("accept_to_dtdlink", "oifname \"" .. ifname .. "\".*accept") nft_delete("accept_to_dtdlink", "oifname \"" .. ifname .. "\".*accept")
nft_delete("reject_to_dtdlink", "oifname \"" .. ifname .. "\".*reject") nft_delete("reject_to_dtdlink", "oifname \"" .. ifname .. "\".*reject")
nft_delete("reject_from_dtdlink", "iifname \"" .. ifname .. "\".*reject") nft_delete("reject_from_dtdlink", "iifname \"" .. ifname .. "\".*reject")
@ -66,8 +66,8 @@ if nixio.fs.stat("/etc/config.mesh/xlink") then
function(section) function(section)
local ifname = section.ifname local ifname = section.ifname
os.execute("/usr/sbin/nft insert rule ip fw4 forward iifname \"" .. ifname .. "\" counter jump forward_dtdlink") os.execute("/usr/sbin/nft insert rule ip fw4 forward iifname \"" .. ifname .. "\" counter jump forward_dtdlink")
os.execute("/usr/sbin/nft insert rule ip fw4 input iifname \"" .. ifname .. "\" counter jump input_dtdlink") os.execute("/usr/sbin/nft add rule ip fw4 input iifname \"" .. ifname .. "\" counter jump input_dtdlink")
os.execute("/usr/sbin/nft insert rule ip fw4 output oifname \"" .. ifname .. "\" counter jump accept_to_dtdlink") os.execute("/usr/sbin/nft add rule ip fw4 output oifname \"" .. ifname .. "\" counter jump output_dtdlink")
os.execute("/usr/sbin/nft add rule ip fw4 accept_to_dtdlink oifname \"" .. ifname .. "\" counter accept") os.execute("/usr/sbin/nft add rule ip fw4 accept_to_dtdlink oifname \"" .. ifname .. "\" counter accept")
os.execute("/usr/sbin/nft add rule ip fw4 reject_to_dtdlink oifname \"" .. ifname .. "\" counter reject") os.execute("/usr/sbin/nft add rule ip fw4 reject_to_dtdlink oifname \"" .. ifname .. "\" counter reject")
os.execute("/usr/sbin/nft add rule ip fw4 reject_from_dtdlink iifname \"" .. ifname .. "\" counter reject") os.execute("/usr/sbin/nft add rule ip fw4 reject_from_dtdlink iifname \"" .. ifname .. "\" counter reject")
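Review bot: `ifname`, read straight from the xlink config section, is spliced unvalidated into both the shell command string passed to os.execute and the Lua pattern handed to nft_delete (`"iifname \"" .. ifname .. "\".*jump ..."`), so a value containing a double quote, `$(`, or a pattern magic character breaks the rule or the delete match instead of being rejected, and the commit adds no check. A guard at the top of the callback, `if type(ifname) ~= "string" or not ifname:match("^[%w%._%-]+$") then return end`, keeps both the nft invocation and the delete pattern well-formed for the characters a Linux interface name can legitimately contain. The status returned by each os.execute call is also discarded, so if the `output_dtdlink` chain that the output rule now jumps to (assuming the right-hand copy of each line is the new side) does not exist in the `ip fw4` table, the failure is silent; capturing the status (an exit code on Lua 5.1, `true`/`nil` on 5.2+) and logging a non-success would make that setup error visible. Whether `output_dtdlink` is created elsewhere is not visible in this hunk, and the enclosing `function(section)` callback continues past its last line.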