Created
April 5, 2024 03:13
-
-
Save jackwakefield/404d2649ff6dfae4d5c0b6e396f298c5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| table ip mangle { | |
| chain PREROUTING { | |
| type filter hook prerouting priority mangle; policy accept; | |
| } | |
| chain INPUT { | |
| type filter hook input priority mangle; policy accept; | |
| counter packets 31991 bytes 8791764 jump omr-bypass-dpi | |
| } | |
| chain FORWARD { | |
| type filter hook forward priority mangle; policy accept; | |
| counter packets 162 bytes 7971 jump omr-bypass-dpi | |
| } | |
| chain OUTPUT { | |
| type route hook output priority mangle; policy accept; | |
| } | |
| chain POSTROUTING { | |
| type filter hook postrouting priority mangle; policy accept; | |
| } | |
| chain omr-bypass-dpi { | |
| } | |
| } | |
| table inet fw4 { | |
| ct helper amanda { | |
| type "amanda" protocol udp | |
| l3proto inet | |
| } | |
| ct helper ftp { | |
| type "ftp" protocol tcp | |
| l3proto inet | |
| } | |
| ct helper RAS { | |
| type "RAS" protocol udp | |
| l3proto inet | |
| } | |
| ct helper Q.931 { | |
| type "Q.931" protocol tcp | |
| l3proto inet | |
| } | |
| ct helper irc { | |
| type "irc" protocol tcp | |
| l3proto ip | |
| } | |
| ct helper pptp { | |
| type "pptp" protocol tcp | |
| l3proto ip | |
| } | |
| ct helper sip { | |
| type "sip" protocol udp | |
| l3proto inet | |
| } | |
| ct helper snmp { | |
| type "snmp" protocol udp | |
| l3proto ip | |
| } | |
| ct helper tftp { | |
| type "tftp" protocol udp | |
| l3proto inet | |
| } | |
| set omr_dscp_cs0_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs1_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs2_4 { | |
| type ipv4_addr | |
| elements = { 74.125.206.188, 142.250.178.10, | |
| 142.250.179.234, 142.250.180.10, | |
| 142.250.187.202, 142.250.187.228, | |
| 142.250.187.234, 142.250.200.10, | |
| 142.250.200.42, 172.217.16.234, | |
| 172.217.169.10, 172.217.169.42, | |
| 172.217.169.74, 173.194.76.84, | |
| 216.58.201.106, 216.58.204.74, | |
| 216.58.212.206, 216.58.212.234, | |
| 216.58.213.10 } | |
| } | |
| set omr_dscp_cs3_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs4_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs5_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs6_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_cs7_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dscp_ef_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_br_lan_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_br_lan_6 { | |
| type ipv6_addr | |
| } | |
| set omr_dst_bypass_lan1_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_lan1_6 { | |
| type ipv6_addr | |
| } | |
| set omr_dst_bypass_lan2_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_lan2_6 { | |
| type ipv6_addr | |
| } | |
| set omr_dst_bypass_tun0_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_tun0_6 { | |
| type ipv6_addr | |
| } | |
| set omr_dst_bypass_all_4 { | |
| type ipv4_addr | |
| } | |
| set omr_dst_bypass_all_6 { | |
| type ipv6_addr | |
| } | |
| set xr_rules_src_bypass { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_src_bypass { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_src_forward { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_src_forward { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_src_checkdst { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_src_checkdst { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_remote_servers { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| elements = { 194.164.28.247 } | |
| } | |
| set xr_rules6_remote_servers { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_dst_bypass { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_dst_bypass { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_dst_bypass_ { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| elements = { 0.0.0.0/8, 10.0.0.0/8, | |
| 100.64.0.0/10, 127.0.0.0/8, | |
| 169.254.0.0/16, 172.16.0.0/12, | |
| 192.0.0.0/24, 192.0.2.0/24, | |
| 192.31.196.0/24, 192.52.193.0/24, | |
| 192.88.99.0/24, 192.168.0.0/16, | |
| 192.175.48.0/24, 198.18.0.0/15, | |
| 198.51.100.0/24, 203.0.113.0/24, | |
| 224.0.0.0/3 } | |
| } | |
| set xr_rules6_dst_bypass_ { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| elements = { ::/127, | |
| ::ffff:0.0.0.0/96, | |
| 64:ff9b:1::/48, | |
| 100::/64, | |
| 2001::/23, | |
| fc00::/7, | |
| fe80::/10 } | |
| } | |
| set xr_rules_dst_forward { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_dst_forward { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules_dst_forward_rrst_ { | |
| type ipv4_addr | |
| flags interval | |
| auto-merge | |
| } | |
| set xr_rules6_dst_forward_rrst_ { | |
| type ipv6_addr | |
| flags interval | |
| auto-merge | |
| } | |
| chain xr_rules_pre_tcp { | |
| type nat hook prerouting priority filter + 1; policy accept; | |
| ip daddr @omr_dst_bypass_all_4 accept | |
| ip daddr @omr_dst_bypass_tun0_4 accept | |
| ip daddr @omr_dst_bypass_lan2_4 accept | |
| ip daddr @omr_dst_bypass_lan1_4 accept | |
| ip daddr @omr_dst_bypass_br_lan_4 accept | |
| meta l4proto tcp goto xr_rules_pre_src_tcp | |
| } | |
| chain xr_rules_pre_src_tcp { | |
| ip daddr @xr_rules_dst_bypass_ accept | |
| ip6 daddr @xr_rules6_dst_bypass_ accept | |
| goto xr_rules_src_tcp | |
| } | |
| chain xr_rules_src_tcp { | |
| ip saddr @xr_rules_src_bypass accept | |
| ip saddr @xr_rules_src_forward goto xr_rules_forward_tcp | |
| ip saddr @xr_rules_src_checkdst goto xr_rules_dst_tcp | |
| ip6 saddr @xr_rules6_src_bypass accept | |
| ip6 saddr @xr_rules6_src_forward goto xr_rules_forward_tcp | |
| ip6 saddr @xr_rules6_src_checkdst goto xr_rules_dst_tcp | |
| goto xr_rules_dst_tcp | |
| } | |
| chain xr_rules_dst_tcp { | |
| ip daddr @xr_rules_dst_bypass accept | |
| ip daddr @xr_rules_remote_servers accept | |
| ip daddr @xr_rules_dst_forward goto xr_rules_forward_tcp | |
| ip6 daddr @xr_rules6_dst_bypass accept | |
| ip6 daddr @xr_rules6_remote_servers accept | |
| ip6 daddr @xr_rules6_dst_forward goto xr_rules_forward_tcp | |
| goto xr_rules_forward_tcp | |
| } | |
| chain xr_rules_forward_tcp { | |
| meta l4proto tcp redirect to :1897 | |
| } | |
| chain xr_rules_local_out { | |
| type nat hook output priority filter - 1; policy accept; | |
| ip daddr @omr_dst_bypass_all_4 accept | |
| ip daddr @omr_dst_bypass_tun0_4 accept | |
| ip daddr @omr_dst_bypass_lan2_4 accept | |
| ip daddr @omr_dst_bypass_lan1_4 accept | |
| ip daddr @omr_dst_bypass_br_lan_4 accept | |
| meta l4proto != tcp accept | |
| ip daddr @xr_rules_remote_servers accept | |
| ip daddr @xr_rules_dst_bypass_ accept | |
| ip daddr @xr_rules_dst_bypass accept | |
| ip6 daddr @xr_rules6_remote_servers accept | |
| ip6 daddr @xr_rules6_dst_bypass_ accept | |
| ip6 daddr @xr_rules6_dst_bypass accept | |
| goto xr_rules_forward_tcp | |
| } | |
| chain input { | |
| type filter hook input priority filter; policy drop; | |
| iif "lo" accept comment "!fw4: Accept traffic from loopback" | |
| ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows" | |
| tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets" | |
| iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" | |
| iifname { "lan1", "lan2" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" | |
| iifname "tun0" jump input_vpn comment "!fw4: Handle vpn IPv4/IPv6 input traffic" | |
| jump handle_reject | |
| } | |
| chain forward { | |
| type filter hook forward priority filter; policy drop; | |
| ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows" | |
| icmp type echo-request limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping" | |
| icmpv6 type echo-request limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping" | |
| udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC All" | |
| iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" | |
| iifname { "lan1", "lan2" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" | |
| iifname "tun0" jump forward_vpn comment "!fw4: Handle vpn IPv4/IPv6 forward traffic" | |
| jump upnp_forward comment "Hook into miniupnpd forwarding chain" | |
| jump handle_reject | |
| } | |
| chain output { | |
| type filter hook output priority filter; policy drop; | |
| oif "lo" accept comment "!fw4: Accept traffic towards loopback" | |
| ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows" | |
| oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" | |
| oifname { "lan1", "lan2" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" | |
| oifname "tun0" jump output_vpn comment "!fw4: Handle vpn IPv4/IPv6 output traffic" | |
| jump handle_reject | |
| } | |
| chain prerouting { | |
| type filter hook prerouting priority filter; policy accept; | |
| icmp type echo-request limit rate 1000/second burst 5 packets counter packets 137 bytes 11508 accept comment "!fw4: Allow-All-Ping" | |
| icmpv6 type echo-request limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-All-Ping" | |
| udp dport 443 counter packets 19 bytes 25780 drop comment "!fw4: Block QUIC All" | |
| counter packets 33420 bytes 9364211 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN" | |
| counter packets 33420 bytes 9364211 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan" | |
| jump accept_to_wan comment "!fw4: Accept lan to wan forwarding" | |
| jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding" | |
| iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" | |
| icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" | |
| icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" | |
| meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP" | |
| udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP" | |
| } | |
| chain handle_reject { | |
| meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" | |
| reject comment "!fw4: Reject any other traffic" | |
| } | |
| chain syn_flood { | |
| limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit" | |
| drop comment "!fw4: Drop excess packets" | |
| } | |
| chain input_lan { | |
| icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 3 bytes 304 accept comment "!fw4: ICMPv6-Lan-to-OMR" | |
| udp dport 443 counter packets 0 bytes 0 drop comment "!fw4: Block QUIC Proxy" | |
| ct status dnat accept comment "!fw4: Accept port redirections" | |
| jump accept_from_lan | |
| } | |
| chain output_lan { | |
| jump accept_to_lan | |
| } | |
| chain forward_lan { | |
| counter packets 5 bytes 220 jump accept_to_vpn comment "!fw4: Allow-All-LAN-to-VPN" | |
| counter packets 1 bytes 52 jump accept_to_wan comment "!fw4: Allow-Lan-to-Wan" | |
| jump accept_to_wan comment "!fw4: Accept lan to wan forwarding" | |
| jump accept_to_vpn comment "!fw4: Accept lan to vpn forwarding" | |
| ct status dnat accept comment "!fw4: Accept port forwards" | |
| jump accept_to_lan | |
| } | |
| chain helper_lan { | |
| udp dport 10080 ct helper set "amanda" comment "!fw4: Amanda backup and archiving proto" | |
| tcp dport 21 ct helper set "ftp" comment "!fw4: FTP passive connection tracking" | |
| udp dport 1719 ct helper set "RAS" comment "!fw4: RAS proto tracking" | |
| tcp dport 1720 ct helper set "Q.931" comment "!fw4: Q.931 proto tracking" | |
| meta nfproto ipv4 tcp dport 6667 ct helper set "irc" comment "!fw4: IRC DCC connection tracking" | |
| meta nfproto ipv4 tcp dport 1723 ct helper set "pptp" comment "!fw4: PPTP VPN connection tracking" | |
| udp dport 5060 ct helper set "sip" comment "!fw4: SIP VoIP connection tracking" | |
| meta nfproto ipv4 udp dport 161 ct helper set "snmp" comment "!fw4: SNMP monitoring connection tracking" | |
| udp dport 69 ct helper set "tftp" comment "!fw4: TFTP connection tracking" | |
| } | |
| chain accept_from_lan { | |
| iifname "br-lan" counter packets 646 bytes 75160 accept comment "!fw4: accept lan IPv4/IPv6 traffic" | |
| } | |
| chain accept_to_lan { | |
| oifname "br-lan" counter packets 0 bytes 0 accept comment "!fw4: accept lan IPv4/IPv6 traffic" | |
| } | |
| chain input_wan { | |
| meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew" | |
| icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping" | |
| meta nfproto ipv4 meta l4proto igmp counter packets 3 bytes 108 accept comment "!fw4: Allow-IGMP" | |
| meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6" | |
| ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD" | |
| icmpv6 type { nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP" | |
| icmpv6 type . icmpv6 code { nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow IPv6 ICMP" | |
| meta nfproto ipv6 udp sport 546 udp dport 547 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (546-to-547)" | |
| meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow DHCPv6 (547-to-546)" | |
| ct status dnat accept comment "!fw4: Accept port redirections" | |
| jump reject_from_wan | |
| } | |
| chain output_wan { | |
| jump accept_to_wan | |
| } | |
| chain forward_wan { | |
| icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" | |
| icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" | |
| meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP" | |
| udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP" | |
| ct status dnat accept comment "!fw4: Accept port forwards" | |
| jump reject_to_wan | |
| } | |
| chain accept_to_wan { | |
| meta nfproto ipv4 oifname { "lan1", "lan2" } ct state invalid counter packets 2 bytes 116 drop comment "!fw4: Prevent NAT leakage" | |
| oifname { "lan1", "lan2" } counter packets 2203 bytes 159800 accept comment "!fw4: accept wan IPv4/IPv6 traffic" | |
| } | |
| chain reject_from_wan { | |
| iifname { "lan1", "lan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" | |
| } | |
| chain reject_to_wan { | |
| oifname { "lan1", "lan2" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" | |
| } | |
| chain input_vpn { | |
| meta l4proto { icmp, ipv6-icmp } counter packets 34 bytes 2856 accept comment "!fw4: Allow-VPN-ICMP" | |
| ct status dnat accept comment "!fw4: Accept port redirections" | |
| jump reject_from_vpn | |
| } | |
| chain output_vpn { | |
| jump accept_to_vpn | |
| } | |
| chain forward_vpn { | |
| ct status dnat accept comment "!fw4: Accept port forwards" | |
| jump accept_to_vpn | |
| } | |
| chain accept_to_vpn { | |
| meta nfproto ipv4 oifname "tun0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage" | |
| oifname "tun0" counter packets 466 bytes 36822 accept comment "!fw4: accept vpn IPv4/IPv6 traffic" | |
| } | |
| chain reject_from_vpn { | |
| iifname "tun0" counter packets 45 bytes 2145 jump handle_reject comment "!fw4: reject vpn IPv4/IPv6 traffic" | |
| } | |
| chain dstnat { | |
| type nat hook prerouting priority dstnat; policy accept; | |
| jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" | |
| } | |
| chain srcnat { | |
| type nat hook postrouting priority srcnat; policy accept; | |
| oifname { "lan1", "lan2" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" | |
| oifname "tun0" jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic" | |
| jump upnp_postrouting comment "Hook into miniupnpd postrouting chain" | |
| } | |
| chain srcnat_wan { | |
| meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" | |
| } | |
| chain srcnat_vpn { | |
| meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 vpn traffic" | |
| } | |
| chain raw_prerouting { | |
| type filter hook prerouting priority raw; policy accept; | |
| } | |
| chain raw_output { | |
| type filter hook output priority raw; policy accept; | |
| } | |
| chain mangle_prerouting { | |
| type filter hook prerouting priority mangle; policy accept; | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs0_4 counter packets 0 bytes 0 ip dscp set cs0 comment "!fw4: omr_dscp_cs0_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs1_4 counter packets 0 bytes 0 ip dscp set cs1 comment "!fw4: omr_dscp_cs1_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs2_4 counter packets 542 bytes 84104 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs2_4 counter packets 0 bytes 0 ip dscp set cs2 comment "!fw4: omr_dscp_cs2_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs3_4 counter packets 0 bytes 0 ip dscp set cs3 comment "!fw4: omr_dscp_cs3_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs4_4 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_cs4_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs5_4 counter packets 0 bytes 0 ip dscp set cs5 comment "!fw4: omr_dscp_cs5_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs6_4 counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_cs6_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_cs7_4 counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_cs7_4" | |
| meta l4proto tcp iifname "br-lan" ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4" | |
| meta l4proto udp iifname "br-lan" ip daddr @omr_dscp_ef_4 counter packets 0 bytes 0 ip dscp set ef comment "!fw4: omr_dscp_ef_4" | |
| meta l4proto tcp iifname "br-lan" ether saddr 38:8a:06:c3:b9:7e counter packets 483 bytes 67608 meta mark set 0x00045399 comment "!fw4: omr_dst_bypass_lan1_mac" | |
| meta l4proto udp iifname "br-lan" ether saddr 38:8a:06:c3:b9:7e counter packets 26 bytes 7843 meta mark set 0x00045399 comment "!fw4: omr_dst_bypass_lan1_mac" | |
| } | |
| chain mangle_postrouting { | |
| type filter hook postrouting priority mangle; policy accept; | |
| oifname "br-lan" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 egress MTU fixing" | |
| oifname { "lan1", "lan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" | |
| oifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 egress MTU fixing" | |
| } | |
| chain mangle_input { | |
| type filter hook input priority mangle; policy accept; | |
| meta l4proto icmp iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 counter packets 35 bytes 2940 ip dscp set cs7 comment "!fw4: omr_dscp_rule1" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport { 53, 123, 5353 } udp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule2" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport { 53, 5353 } tcp dport 0-65535 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule3" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport 65500 counter packets 0 bytes 0 ip dscp set cs4 comment "!fw4: omr_dscp_rule4" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65001, 65011, 65301, 65401 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule5" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 udp sport 0-65535 udp dport { 65001, 65301 } counter packets 0 bytes 0 ip dscp set cs7 comment "!fw4: omr_dscp_rule6" | |
| iifname "br-lan" ip saddr 0.0.0.0/0 ip daddr 0.0.0.0/0 tcp sport 0-65535 tcp dport { 65101, 65228 } counter packets 0 bytes 0 ip dscp set cs6 comment "!fw4: omr_dscp_rule7" | |
| } | |
| chain mangle_output { | |
| type route hook output priority mangle; policy accept; | |
| } | |
| chain mangle_forward { | |
| type filter hook forward priority mangle; policy accept; | |
| iifname "br-lan" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone lan IPv4/IPv6 ingress MTU fixing" | |
| iifname { "lan1", "lan2" } tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing" | |
| iifname "tun0" tcp flags syn / fin,syn,rst tcp option maxseg size set rt mtu comment "!fw4: Zone vpn IPv4/IPv6 ingress MTU fixing" | |
| } | |
| chain upnp_forward { | |
| } | |
| chain upnp_prerouting { | |
| } | |
| chain upnp_postrouting { | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment