#!/usr/sbin/nft -f
# `flush ruleset` discards every table currently loaded in the kernel -- including
# any firewall rules installed by other tooling -- before the tables below are
# created. Every chain in this file is `policy accept` and no rule drops anything,
# so once it is loaded the host filters nothing: this is a NAT + tracing debug
# ruleset, not a firewall.
flush ruleset
# Counting IPv4 packets in `inet` tables:
# meta nfproto ipv4 counter accept
# NAT when routing packets from some VRF to "up" VRF
table inet nat {
    # Source NAT for traffic that leaves through the "up" VRF device.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade sources in 100.64.0.0/10 (RFC 6598 shared address space)
        # that are routed out via "up".
        # NOTE(review): `oif` matches the interface *index* that nft resolves
        # when the ruleset is loaded. If the "up" device is deleted and
        # recreated, the index changes and this rule silently stops matching
        # until the ruleset is reloaded; loading also fails while the device
        # is absent. `oifname "up"` matches by name and has neither problem --
        # worth considering if "up" is not guaranteed to outlive the ruleset.
        oif "up" ip saddr 100.64.0.0/10 counter masquerade

        # 192.0.2.2 is statically routed and stops working as soon as NAT is
        # applied to it, so this rule stays disabled:
        # ip saddr 192.0.2.2/32 oif "up" counter masquerade

        # explicit accept: less noise in the trace output
        accept
    }

    # The author notes that kernels before 4.18 need a nat prerouting chain
    # registered for the postrouting NAT above to work; it holds no rules of
    # its own. `dstnat` is the symbolic name for priority -100.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # explicit accept: less noise in the trace output
        accept
    }
}
# Trace all IPv4:
# register a filter base chain on every hook so traced packets are visible as they pass through each one
table inet main {
    # None of these chains filter anything: every one is `policy accept` and
    # its only rule is `accept`. They exist purely so that a base chain is
    # registered on each filter hook and packets with nftrace enabled (see the
    # traceall table) show up in `nft monitor trace` at every hook. Being an
    # `inet` table, IPv6 traverses these chains as well, even though tracing is
    # only switched on for IPv4.
    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        # explicit accept: less noise in the trace output
        accept
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # explicit accept: less noise in the trace output
        accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # explicit accept: less noise in the trace output
        accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
        # explicit accept: less noise in the trace output
        accept
    }

    chain postrouting {
        type filter hook postrouting priority filter; policy accept;
        # explicit accept: less noise in the trace output
        accept
    }
}
# enable tracing for all IPv4 packets (every packet enters the stack at either prerouting or output)
table ip traceall {
    # IPv4-only table (`ip` family). Priority -350 sits ahead of every standard
    # hook priority (raw is -300), so nftrace is switched on before any other
    # chain -- including conntrack -- sees the packet.
    # NOTE(review): this marks *every* IPv4 packet for tracing, unconditionally.
    # Trace events are generated per packet, so on a busy host this can be
    # costly; narrowing the match (e.g. to a source or destination address)
    # is advisable outside a short debugging session.

    # Packets arriving from the network enter here.
    chain prerouting {
        type filter hook prerouting priority -350; policy accept;
        meta nftrace set 1 accept
    }

    # Locally generated packets enter here.
    chain output {
        type filter hook output priority -350; policy accept;
        meta nftrace set 1 accept
    }
}