#!/usr/sbin/nft -f

# Debugging ruleset: every chain below is `policy accept` with an explicit
# `accept` rule, so this file does no filtering at all. Its only purpose is to
# make packets visible in `nft monitor trace` while NAT is being tested.

# `flush ruleset` removes every table in every family before the tables below
# are created, i.e. loading this file replaces whatever firewall ruleset is
# currently active with the accept-all tables defined here.
flush ruleset

# Counting IPv4 packets in `inet` tables:
# (in an `inet` table a rule matches both IPv4 and IPv6; `meta nfproto ipv4`
# restricts it to IPv4, and `counter` exposes a hit count in `nft list ruleset`)
# meta nfproto ipv4 counter accept

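# NAT when routing packets from some VRF to the "up" VRF.
# Only the 100.64.0.0/10 source range (RFC 6598 shared address space) is
# masqueraded; any other source leaves "up" with its original address.
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;

		# `counter` keeps a hit count visible in `nft list ruleset`, which makes
		# it easy to confirm that the masquerade rule is actually matching.
		ip saddr 100.64.0.0/10 oif "up" counter masquerade

		# 192.0.2.2 is statically routed: stops working as soon as NAT is enabled
		# ip saddr 192.0.2.2/32 oif "up" counter masquerade

		accept # less noise in trace
	}

	# pre kernel 4.18 needs this: before 4.18 the kernel only performed the
	# reply-direction translation when a NAT chain was registered on the
	# prerouting hook as well; the chain needs no rules of its own.
	chain prerouting {
		# `dstnat` is the standard name for priority -100; written symbolically
		# so it matches the `srcnat` priority used in postrouting above.
		type nat hook prerouting priority dstnat; policy accept;
		accept # less noise in trace
	}
}
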
# Trace all IPv4:
# define filter hooks so we see packets tracing through them.
#
# None of the chains in this table filter anything: each one registers a
# filter hook with `policy accept` and a single `accept` rule, so that every
# hook the packet passes (prerouting -> input/forward -> output -> postrouting)
# shows up as its own event in the nftrace output.
# Note that an `inet` table registers these hooks for IPv6 as well; the trace
# flag itself is only set by the ip-family `traceall` table.
table inet main {
	chain prerouting {
		type filter hook prerouting priority filter;
		policy accept;
		accept # less noise in trace
	}

	chain input {
		type filter hook input priority filter;
		policy accept;
		accept # less noise in trace
	}

	chain forward {
		type filter hook forward priority filter;
		policy accept;
		accept # less noise in trace
	}

	chain output {
		type filter hook output priority filter;
		policy accept;
		accept # less noise in trace
	}

	chain postrouting {
		type filter hook postrouting priority filter;
		policy accept;
		accept # less noise in trace
	}
}

# enable tracing for all IPv4 packets (either start in prerouting or output)
#
# A packet arriving from the network first hits the prerouting hook; a locally
# generated packet first hits the output hook. Setting `meta nftrace` in both
# therefore flags every IPv4 packet on its first hook, and the flag follows
# the packet through all later hooks. Priority -350 sits ahead of the standard
# raw priority (-300), so the flag is set before conntrack and before any
# other chain on the same hook sees the packet.
#
# Cost: this emits trace events for every rule and verdict, on every hook, for
# every IPv4 packet. On a busy host that floods `nft monitor trace` and burns
# CPU; once the traffic of interest is known, narrow the two rules with a
# saddr/daddr or iif/oif selector, and remove this table when done.
table ip traceall {
	chain prerouting {
		type filter hook prerouting priority -350;
		policy accept;
		meta nftrace set 1 accept
	}

	chain output {
		type filter hook output priority -350;
		policy accept;
		meta nftrace set 1 accept
	}
}