fix: incorrect netfilter chain when do deny/allow-outgoing
ktmlm committed Oct 6, 2020
1 parent fb67535 commit bcad031
Showing 2 changed files with 7 additions and 5 deletions.
2 changes: 2 additions & 0 deletions core/src/freebsd/mod.rs
Expand Up @@ -5,6 +5,8 @@
//!
//! Use Bhyve + IPFW + ZFS on FreeBSD.
//!
//! **NOTE**: TT on freebsd is experimental, do **NOT** use it in production.
//!

pub(crate) mod nat;
pub(crate) mod vm;
10 changes: 5 additions & 5 deletions core/src/linux/nat/mod.rs
Expand Up @@ -114,18 +114,18 @@ pub(crate) mod real {
delete table {proto} {table};
add table {proto} {table};
add set {proto} {table} BLACK_LIST {{ type ipv4_addr; }};
add chain {proto} {table} FWD_CHAIN {{ type filter hook forward priority 0; policy accept; }};
add rule {proto} {table} FWD_CHAIN ct state established,related accept;
add rule {proto} {table} FWD_CHAIN {proto} saddr @BLACK_LIST drop;
add map {proto} {table} PORT_TO_PORT {{ type inet_service: inet_service; }};
add map {proto} {table} PORT_TO_IPV4 {{ type inet_service: ipv4_addr; }};
add chain {proto} {table} DNAT_CHAIN {{ type nat hook prerouting priority -100; }};
add chain {proto} {table} SNAT_CHAIN {{ type nat hook postrouting priority 100; }};
add rule {proto} {table} DNAT_CHAIN dnat tcp dport map @PORT_TO_IPV4: tcp dport map @PORT_TO_PORT;
add rule {proto} {table} DNAT_CHAIN dnat udp dport map @PORT_TO_IPV4: udp dport map @PORT_TO_PORT;
add rule {proto} {table} SNAT_CHAIN ip saddr 10.0.0.0/8 ip daddr != 10.0.0.0/8 snat to {pubip};
add set {proto} {table} BLACK_LIST {{ type ipv4_addr; }};
add chain {proto} {table} FILTER_CHAIN {{ type filter hook output priority 0; policy accept; }};
add rule {proto} {table} FILTER_CHAIN ct state established,related accept;
add rule {proto} {table} FILTER_CHAIN {proto} saddr @BLACK_LIST drop;
",
proto=TABLE_PROTO,
table=TABLE_NAME,
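Review bot: The new FILTER_CHAIN hooks `output`, which in netfilter only sees packets generated by the host itself, so if the BLACK_LIST entries are guest addresses (the SNAT rule a few lines up treats `ip saddr 10.0.0.0/8` as the guest range) their traffic goes through the forward path and `{proto} saddr @BLACK_LIST drop` never matches it; with `policy accept` that silently fails open. If the blacklist is meant to stop guest-originated outgoing traffic, the rule belongs in a forward-hook chain like the removed FWD_CHAIN (or in both hooks); if it is meant for host-local processes only, a line in the ruleset such as `# FILTER_CHAIN: host-generated traffic only; guest traffic is not seen here` would make that explicit for the next reader. Separately, `ct state established,related accept` precedes the drop, so a connection already open from a newly blacklisted address keeps passing until its conntrack entry ages out; ordering `add rule {proto} {table} FILTER_CHAIN {proto} saddr @BLACK_LIST drop;` before the ct rule closes that window. The format string this hunk sits in opens before the hunk and the call continues past it.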
