	This patch removes support for the IPv6 link-local address interface/zone index syntax (e.g. "fe80::dead:beef%eth0"). Rationale: nftables doesn't specifically support this notation, and the existing pattern actually didn't support the compressed format with 3+ segments, nor the uncompressed format at all (see <https://regex101.com/r/oIosm6/1>). IPv6 link-local addresses will now be matched like any other IPv6 address.
		
			
				
	
	
		
| # SYNTAX TEST "Nftables.sublime-syntax"
 | |
| 
 | |
| #!/usr/sbin/nft -f
 | |
| # <- source.nftables punctuation.definition.comment.nftables
 | |
|  # <- comment.line.nftables
 | |
| 
 | |
| include "ipv4-nat.ruleset"
 | |
| # <- keyword.control.import.nftables
 | |
| #       ^ string.quoted.double.nftables meta.string.nftables punctuation.definition.string.begin.nftables
 | |
| #        ^^^^^^^^^^^^^^^^^ meta.path.nftables string.quoted.double.nftables meta.string.nftables
 | |
| #                        ^ punctuation.definition.string.end.nftables
 | |
| 
 | |
| include "some esc\aped character and # false comments"
 | |
| #                ^^ constant.character.escape.nftables
 | |
| #                                    ^^^^^^^^^^^^^^^^^ meta.string.nftables - comment.line.nftables
 | |
| 
 | |
| include "a more complex string
 | |
| 	with multiple \
 | |
| 	lines"        # <- punctuation.separator.continuation.nftables
 | |
| # <- meta.string.nftables
 | |
| 
 | |
| define _ = 0xDEAD
 | |
| define google_dns = 8.8.8.8
 | |
| # <- keyword.control.define.nftables
 | |
| #      ^^^^^^^^^^ variable.other.constant.nftables
 | |
| #                 ^ keyword.operator.assignment.nftables
 | |
| #                   ^^^^^^^ constant.numeric.ipv4-address.nftables
 | |
| 
 | |
| define ntp_servers = { 84.77.40.132, 176.31.53.99, 81.19.96.148 }
 | |
| #                    ^ punctuation.section.braces.begin.anonymous-set.nftables
 | |
| #                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ meta.object.anonymous-set.nftables
 | |
| #                                  ^ punctuation.separator.comma.nftables
 | |
| #                                                               ^ punctuation.section.braces.end.anonymous-set.nftables
 | |
| 
 | |
| redefine google_dns = 8.8.4.4 \     
 | |
| # <- keyword.control.define.nftables
 | |
| #                              ^^^^^ invalid.illegal.trailing-character.nftables
 | |
| 
 | |
| define localhost_v6 = ::1/64#IPv6
 | |
| #                     ^^^^^^ constant.numeric.ipv6-subnet.nftables
 | |
| #                           ^ punctuation.definition.comment.nftables
 | |
| #                           ^^^^^ comment.line.nftables
 | |
| define localhost_v4 = 127.0.0.1/24
 | |
| #                     ^^^^^^^^^^^^ constant.numeric.ipv4-subnet.nftables
 | |
| define local_nets = { $localhost_v4, $localhost_v6 }
 | |
| #                     ^ punctuation.definition.variable.nftables
 | |
| #                      ^ variable.other.constant.nftables
 | |
| #                                  ^ punctuation.separator.comma.nftables
 | |
| #                                    ^ punctuation.definition.variable.nftables
 | |
| #                                     ^ variable.other.constant.nftables
 | |
| 
 | |
| define iface = enp0s20f0
 | |
| #              ^ string.unquoted.nftables
 | |
| 
 | |
| ;;;   ;   ;;;
 | |
| # <- punctuation.terminator.semi-colon.nftables
 | |
| #  ^^^ - punctuation.terminator.nftables
 | |
| #         ^^^ punctuation.terminator.semi-colon.nftables
 | |
| 
 | |
| list ruleset arp ; flush ruleset
 | |
| # <- keyword.other.command.nftables
 | |
| #    ^ keyword.other.ruleset.nftables
 | |
| #            ^ constant.language.family-type.nftables
 | |
| #                ^ punctuation.terminator.semi-colon.nftables
 | |
| #                  ^ keyword.other.command.nftables
 | |
| #                        ^ keyword.other.ruleset.nftables
 | |
| 
 | |
| add table ip6 filter
 | |
| # <- keyword.other.command.nftables
 | |
| #   ^ storage.type.table.nftables
 | |
| #         ^ constant.language.family-type.nftables
 | |
| #             ^ entity.name.table.nftables
 | |
| 
 | |
| add table inet mytable { flags dormant; }
 | |
| #                      ^^^^^^^^^^^^^^^^^^ meta.block.table.nftables
 | |
| #                        ^ storage.type.table-flags.nftables
 | |
| #                              ^ constant.language.table-flag.nftables
 | |
| #                                     ^ punctuation.terminator.semi-colon.nftables
 | |
| 
 | |
| destroy table ip missingtable
 | |
| # <- keyword.other.command.nftables
 | |
| #                ^ entity.name.table.nftables
 | |
| 
 | |
| add chain filter input { type filter hook input priority 0; }
 | |
| # <- keyword.other.command.nftables
 | |
| #   ^ storage.type.chain.nftables
 | |
| #         ^ variable.other.readwrite.table.nftables
 | |
| #                ^ entity.name.chain.nftables
 | |
| #                      ^ punctuation.section.block.begin.chain.nftables
 | |
| #                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ meta.block.chain.nftables
 | |
| #                        ^ storage.type.chain-type.nftables
 | |
| #                             ^ constant.language.chain-type.nftables
 | |
| #                                    ^ storage.type.chain-hook.nftables
 | |
| #                                         ^ constant.language.hook.nftables
 | |
| #                                               ^ storage.type.chain-priority.nftables
 | |
| #                                                        ^ constant.numeric.integer.decimal.nftables
 | |
| #                                                         ^ punctuation.terminator.semi-colon.nftables
 | |
| #                                                           ^ punctuation.section.block.end.chain.nftables
 | |
| 
 | |
| add rule filter input ip saddr $google_dns counter
 | |
| # <- keyword.other.command.nftables
 | |
| #   ^ storage.type.rule.nftables
 | |
| #        ^ variable.other.readwrite.table.nftables
 | |
| #               ^ variable.other.readwrite.chain.nftables
 | |
| #                     ^^^^^^^^ source.nftables
 | |
| #                              ^ punctuation.definition.variable.nftables
 | |
| #                               ^ variable.other.constant.nftables
 | |
| #                                          ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| add rule filter input ct helper set udp dport map { \
 | |
| #                        ^ storage.type.ct-helper.nftables keyword.declaration.ct-helper.nftables
 | |
| #                               ^ keyword.control.rule-statement.nftables
 | |
| #                                             ^ storage.type.map.nftables
 | |
| #                                                 ^ punctuation.section.braces.begin.anonymous-set.nftables
 | |
| #                                                   ^ punctuation.separator.continuation.nftables
 | |
| 	69 : "tftp-69", \
 | |
| 	# <- constant.numeric.integer.decimal.nftables
 | |
| 	#  ^ punctuation.separator.colon.nftables
 | |
| 	#    ^^^^^^^^^ string.quoted.double.nftables meta.string.nftables
 | |
| 	#             ^ punctuation.separator.comma.nftables
 | |
| 	5060 : "sip-5060" \
 | |
| }
 | |
| # <- punctuation.section.braces.end.anonymous-set.nftables
 | |
| 
 | |
| add filter input position 1 ip saddr $ntp_servers counter
 | |
| #   ^ variable.other.readwrite.table.nftables
 | |
| #          ^ variable.other.readwrite.chain.nftables
 | |
| #                ^ keyword.other.handle.nftables
 | |
| #                         ^ constant.numeric.integer.decimal.nftables
 | |
| #                                    ^ punctuation.definition.variable.nftables
 | |
| #                                     ^ variable.other.constant.nftables
 | |
| #                                                 ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| add rule ip filter input ip protocol vmap { tcp : jump tcp-chain, udp : jump udp-chain, icmp : jump icmp-chain }
 | |
| #        ^ constant.language.family-type.nftables
 | |
| #                                    ^ storage.type.map.nftables keyword.declaration.map.nftables
 | |
| #                                         ^ punctuation.section.braces.begin.anonymous-set.nftables
 | |
| #                                                 ^ keyword.control.rule-statement.verdict.nftables
 | |
| #                                                      ^^^^^^^^^ variable.other.readwrite.chain.nftables
 | |
| 
 | |
| reset rules
 | |
| # <- keyword.other.command.nftables
 | |
| #     ^ storage.type.rules.nftables
 | |
| reset rules table inet t
 | |
| #           ^ storage.type.table.nftables
 | |
| #                 ^ constant.language.family-type.nftables
 | |
| #                      ^ variable.other.readwrite.table.nftables
 | |
| reset rules chain inet t c
 | |
| #           ^ storage.type.chain.nftables
 | |
| #                 ^ constant.language.family-type.nftables
 | |
| #                      ^ variable.other.readwrite.table.nftables
 | |
| #                        ^ variable.other.readwrite.chain.nftables
 | |
| 
 | |
| add map filter ports { type inet_service : verdict ; }
 | |
| #   ^ storage.type.set.nftables keyword.declaration.set.nftables
 | |
| #       ^ variable.other.readwrite.table.nftables
 | |
| #              ^ entity.name.set.nftables
 | |
| #                    ^ punctuation.section.braces.begin.named-set.nftables
 | |
| #                      ^ storage.type.set-type.nftables
 | |
| #                           ^ constant.language.data-type.nftables
 | |
| #                                          ^ constant.language.verdict.nftables
 | |
| 
 | |
| add rule filter output quota name tcp dport map @ports
 | |
| #                      ^ storage.type.quota.nftables keyword.declaration.quota.nftables
 | |
| #                                           ^ storage.type.map.nftables keyword.declaration.map.nftables
 | |
| #                                               ^ punctuation.definition.variable.nftables
 | |
| #                                                ^ variable.other.readwrite.set.nftables
 | |
| 
 | |
| add rule netdev filter output ether saddr set aa:BB:cc:dd:ff:ee fwd to eth0
 | |
| #                                         ^^^ keyword.control.rule-statement.nftables
 | |
| #                                             ^^^^^^^^^^^^^^^^^ constant.numeric.mac-address.nftables
 | |
| #                                                               ^^^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| insert rule filter output position 8 ip daddr 127.0.0.8 drop
 | |
| # <- keyword.other.command.nftables
 | |
| #      ^ storage.type.rule.nftables
 | |
| #           ^ variable.other.readwrite.table.nftables
 | |
| #                  ^ variable.other.readwrite.chain.nftables
 | |
| #                         ^ keyword.other.handle.nftables
 | |
| #                                  ^ constant.numeric.integer.decimal.nftables
 | |
| #                                                       ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| replace rule filter input handle 2 counter
 | |
| # <- keyword.other.command.nftables
 | |
| #       ^ storage.type.rule.nftables
 | |
| #            ^ variable.other.readwrite.table.nftables
 | |
| #                   ^ variable.other.readwrite.chain.nftables
 | |
| #                         ^ keyword.other.handle.nftables
 | |
| #                                ^ constant.numeric.integer.decimal.nftables
 | |
| #                                  ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| ## Not yet implemented, but who knows ?
 | |
| ## See <https://wiki.nftables.org/wiki-nftables/index.php/Simple_rule_management#Removing_rules>
 | |
| delete rule filter output ip saddr 192.168.1.1 counter
 | |
| # <- keyword.other.command.nftables
 | |
| #      ^ storage.type.rule.nftables
 | |
| #           ^ variable.other.readwrite.table.nftables
 | |
| #                  ^ variable.other.readwrite.chain.nftables
 | |
| #                                              ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| add map filter whitelist { type ipv4_addr . inet_service : verdict ; }
 | |
| #                                         ^ keyword.operator.concatenation.nftables
 | |
| #                                           ^ constant.language.data-type.nftables
 | |
| #                                                          ^ constant.language.verdict.nftables
 | |
| 
 | |
| add element filter whitelist { 1.2.3.4 . 22 : accept}
 | |
| #   ^ storage.type.element.nftables keyword.declaration.element.nftables
 | |
| #           ^ variable.other.readwrite.table.nftables
 | |
| #                  ^ variable.other.readwrite.set.nftables
 | |
| #                            ^ punctuation.section.braces.begin.anonymous-set.nftables
 | |
| #                              ^^^^^^^ constant.numeric.ipv4-address.nftables
 | |
| #                                      ^ keyword.operator.concatenation.nftables
 | |
| #                                        ^^ constant.numeric.integer.decimal.nftables
 | |
| #                                             ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| add map filter mystats { \
 | |
| 	type ipv4_addr : counter ; }
 | |
| 	# <- storage.type.set-type.nftables
 | |
| 	#                ^ constant.language.data-type.nftables
 | |
| 
 | |
| add rule filter input counter name \
 | |
| 	ip saddr map @mystats
 | |
| 	#        ^ keyword.declaration.map.nftables
 | |
| 	#             ^ variable.other.readwrite.set.nftables
 | |
| 
 | |
| add rule filter input delete @mystats { ip daddr }
 | |
| #                     ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| add secmark filter sshtag { "system_u:object_r:ssh_server_packet_t:s0" }
 | |
| #   ^ storage.type.secmark.nftables
 | |
| #                  ^ entity.name.secmark.nftables
 | |
| #                         ^ meta.object.secmark.nftables punctuation.section.braces.begin.secmark.nftables
 | |
| #                           ^ string.quoted.double.nftables
 | |
| 
 | |
| table ip nat {
 | |
| # <- storage.type.table.nftables keyword.declaration.table.nftables
 | |
| #     ^ constant.language.family-type.nftables
 | |
| #        ^ entity.name.table.nftables
 | |
| #            ^ punctuation.section.block.begin.table.nftables
 | |
| 
 | |
| 	chain prerouting {
 | |
| 	# <- storage.type.chain.nftables keyword.declaration.chain.nftables
 | |
| 	#     ^ entity.name.chain.nftables
 | |
| 	#                ^ punctuation.section.block.begin.chain.nftables
 | |
| 
 | |
| 		# <- meta.block.table.nftables meta.block.chain.nftables
 | |
| 
 | |
| 		type nat hook prerouting priority 0; policy accept
 | |
| 		#                                  ^ punctuation.terminator.semi-colon.nftables
 | |
| 		#                                    ^ storage.type.chain-policy.nftables
 | |
| 		#                                           ^ constant.language.chain-policy.nftables
 | |
| 
 | |
| 		# <- meta.block.table.nftables meta.block.chain.nftables
 | |
| 
 | |
| 		dnat tcp dport map { 1000 : ::1, 2000 : 2.2.2.2 } : tcp dport map { 1000 : 1234, 2000 : 2345 } ;
 | |
| 		#              ^ storage.type.map.nftables
 | |
| 		#                  ^ punctuation.section.braces.begin.anonymous-set.nftables
 | |
| 		#                    ^^^^ constant.numeric.integer.decimal.nftables
 | |
| 		#                         ^ punctuation.separator.colon.nftables
 | |
| 		#                           ^^^ constant.numeric.ipv6-address.nftables
 | |
| 		#                              ^ punctuation.separator.comma.nftables
 | |
| 		#                                                 ^ punctuation.separator.colon.nftables
 | |
| 
 | |
| 		# <- meta.block.table.nftables meta.block.chain.nftables
 | |
| 	}
 | |
| 	# <- punctuation.section.block.end.chain.nftables
 | |
| 
 | |
|     # <- meta.block.table.nftables - meta.block.chain.nftables
 | |
| }
 | |
| # <- punctuation.section.block.end.table.nftables
 | |
| 
 | |
| # <- - meta.block.table.nftables
 | |
| 
 | |
| table inet filter {
 | |
| 	chain input {
 | |
| 	#     ^^^^^ entity.name.chain.nftables
 | |
| 
 | |
| 		ct status dnat accept
 | |
| 		#         ^^^^ - keyword.control.rule-statement.nftables
 | |
| 		#              ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| 		ct status ! snat,dnat accept
 | |
| 		#         ^ keyword.operator.bitwise.nftables
 | |
| 		#           ^^^^ - keyword.control.rule-statement.nftables
 | |
| 		#               ^ punctuation.separator.comma.nftables
 | |
| 		#                ^^^^ - keyword.control.rule-statement.nftables
 | |
| 		#                     ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| 		ct status { snat, dnat } accept
 | |
| 		#           ^^^^ - keyword.control.rule-statement.nftables
 | |
| 		#               ^ punctuation.separator.comma.nftables
 | |
| 		#                 ^^^^ - keyword.control.rule-statement.nftables
 | |
| 		#                        ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| 		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert } accept
 | |
| 		#                         ^^^^ - storage.type.nftables
 | |
| 		#                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ meta.object.anonymous-set.nftables
 | |
| 
 | |
| 		fib daddr . iif type local accept
 | |
| 		#         ^ keyword.operator.concatenation.nftables
 | |
| 		#               ^^^^ - storage.type.nftables
 | |
| 		#                          ^ keyword.control.rule-statement.verdict.nftables
 | |
| 		ip daddr != 127.0.0.0/8 fib daddr type local counter
 | |
| 		#                                 ^^^^ - storage.type.nftables
 | |
| 		#                                            ^ keyword.control.rule-statement.nftables
 | |
| 
 | |
| 		last
 | |
| 		# <- keyword.control.rule-statement.nftables
 | |
| 		last used never
 | |
| 		# <- keyword.control.rule-statement.nftables
 | |
| 		#    ^ constant.language.last-used.nftables
 | |
| 		#         ^ constant.language.last-never.nftables
 | |
| 		last used 49m54s884ms
 | |
| 		#         ^^^^^^^^^^^ string.unquoted.time-string.nftables
 | |
| 
 | |
| 		counter packets 42 bytes 1764
 | |
| 		# <- keyword.control.rule-statement.nftables
 | |
| 		#       ^ string.unquoted.counter-unit.nftables
 | |
| 		#               ^ constant.numeric.integer.decimal.nftables
 | |
| 		#                  ^ string.unquoted.counter-unit.nftables
 | |
| 		#                        ^ constant.numeric.integer.decimal.nftables
 | |
| 	}
 | |
| }
 | |
| 
 | |
| table a-strang3_Name {
 | |
| #     ^^^^^^^^^^^^^^ entity.name.table.nftables
 | |
| 
 | |
| 	flags dormant
 | |
| 	# <- storage.type.table-flags.nftables
 | |
| 	#     ^ constant.language.table-flag.nftables
 | |
| 
 | |
| 	undefine google_dns
 | |
| 	# <- keyword.control.undefine.nftables
 | |
| 	#        ^ variable.other.constant.nftables
 | |
| 
 | |
| 	synproxy https-synproxy {
 | |
| 	# <- storage.type.synproxy.nftables
 | |
| 	#        ^ entity.name.synproxy.nftables
 | |
| 		mss 1460
 | |
| 		# <- storage.type.synproxy-mss.nftables
 | |
| 		#   ^ constant.numeric.integer.decimal.nftables
 | |
| 		wscale 7;
 | |
| 		# <- storage.type.synproxy-wscale.nftables
 | |
| 		#      ^ constant.numeric.integer.decimal.nftables
 | |
| 		#       ^ punctuation.terminator.semi-colon.nftables
 | |
| 		timestamp sack-perm
 | |
| 		# <- storage.type.synproxy-timestamp.nftables
 | |
| 		#         ^ storage.type.synproxy-sack-perm.nftables
 | |
| 	}
 | |
| 
 | |
| 	secmark sshtag { "system_u:object_r:ssh_server_packet_t:s0" }
 | |
| 	# <- storage.type.secmark.nftables
 | |
| 	#       ^ entity.name.secmark.nftables
 | |
| 	#              ^ meta.object.secmark.nftables punctuation.section.braces.begin.secmark.nftables
 | |
| 	#                ^ string.quoted.double.nftables
 | |
| 
 | |
| 	quota q_until_sip { until 100 mbytes used 0 bytes }
 | |
| 	# <- storage.type.quota.nftables keyword.declaration.quota.nftables
 | |
| 	#     ^ entity.name.quota.nftables
 | |
| 	#                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ meta.object.quota.nftables
 | |
| 	#                   ^ constant.language.quota-mode.nftables
 | |
| 	#                         ^^^ constant.numeric.integer.decimal.nftables
 | |
| 	#                                    ^ constant.language.quota-used.nftables
 | |
| 	#                                         ^ constant.numeric.integer.decimal.nftables
 | |
| 	quota q_over_http { over  500 mbytes ; comment "cap http (but not https)" ; }
 | |
| 	#                             ^ string.unquoted.quota-unit.nftables
 | |
| 	#                                    ^ punctuation.terminator.semi-colon.nftables
 | |
| 	#                                      ^ storage.type.quota-comments.nftables
 | |
| 	#                                              ^ string.quoted.double.nftables
 | |
| 
 | |
| 	limit lim_400ppm { rate 400/minute }
 | |
| 	# <- storage.type.limit.nftables keyword.declaration.limit.nftables
 | |
| 	#     ^ entity.name.limit.nftables
 | |
| 	#                ^^^^^^^^^^^^^^^^^^^ meta.object.limit.nftables
 | |
| 	#                  ^ storage.type.limit-rate.nftables
 | |
| 	#                       ^^^ constant.numeric.integer.decimal.nftables
 | |
| 	#                          ^ punctuation.separator.limit-rate.nftables
 | |
| 	#                           ^ string.unquoted.time-string.nftables
 | |
| 	limit lim_1kbps  { rate over 1024 bytes/second burst 512 bytes ; comment "use to limit incoming smtp" ; }
 | |
| 	#                       ^ constant.language.limit-mode.nftables
 | |
| 	#                                 ^ string.unquoted.limit-unit.nftables
 | |
| 	#                                              ^ constant.language.limit-burst.nftables
 | |
| 	#                                                    ^^^ constant.numeric.integer.decimal.nftables
 | |
| 	#                                                              ^ punctuation.terminator.semi-colon.nftables
 | |
| 	#                                                                ^ storage.type.limit-comments.nftables
 | |
| 	#                                                                        ^ string.quoted.double.nftables
 | |
| 
 | |
| 	ct helper sip-5060 {
 | |
| 	# <- - storage.type.nftables
 | |
| 	#  ^ storage.type.ct-helper.nftables keyword.declaration.ct-helper.nftables
 | |
| 	#         ^^^^^^^^ entity.name.ct-helper.nftables
 | |
| 	#                  ^ punctuation.section.braces.begin.ct-helper.nftables
 | |
| 
 | |
| 		type "sip" protocol udp;
 | |
| 		# <- storage.type.ct-helper-type.nftables
 | |
| 		#    ^^^^^ meta.string.nftables
 | |
| 		#          ^ storage.type.ct-helper-protocol.nftables
 | |
| 		#                   ^ constant.language.l4-proto.nftables
 | |
| 
 | |
| 		# <- meta.object.ct-helper.nftables
 | |
| 
 | |
| 		l3proto inet;
 | |
| 		# <- storage.type.ct-helper-l3proto.nftables
 | |
| 		#       ^ constant.language.family-type.nftables
 | |
| 
 | |
| 		# <- meta.object.ct-helper.nftables
 | |
| 	}
 | |
| 	# <- punctuation.section.braces.end.ct-helper.nftables
 | |
| 
 | |
| 	ct expectation e_pgsql {
 | |
| 	#  ^ storage.type.ct-expectation.nftables keyword.declaration.ct-expectation.nftables
 | |
| 		protocol tcp
 | |
| 		dport 5432
 | |
| 		timeout 1h
 | |
| 		# <- storage.type.ct-expectation-timeout.nftables
 | |
| 		#       ^ string.unquoted.time-string.nftables
 | |
| 		size 12
 | |
| 		l3proto ip
 | |
| 		# <- storage.type.ct-expectation-l3proto.nftables
 | |
| 		#       ^ constant.language.family-type.nftables
 | |
| 	}
 | |
| 
 | |
| 	ct timeout agressive-tcp {
 | |
| 	#  ^ storage.type.ct-timeout.nftables keyword.declaration.ct-timeout.nftables
 | |
| 		protocol tcp;
 | |
| 		# <- storage.type.ct-timeout-protocol.nftables
 | |
| 		#        ^ constant.language.l4-proto.nftables
 | |
| 		#           ^ punctuation.terminator.semi-colon.nftables
 | |
| 		l3proto ip;
 | |
| 		policy = { established: 100, close_wait: 4, close: 4 }
 | |
| 		# <- storage.type.ct-timeout-policy.nftables
 | |
| 		#      ^ keyword.operator.assignment.nftables
 | |
| 		#        ^ meta.object.anonymous-set.nftables
 | |
| 	}
 | |
| 
 | |
| 	set filter {
 | |
| 	# <- storage.type.set.nftables keyword.declaration.set.nftables
 | |
| 	#   ^ entity.name.set.nftables
 | |
| 
 | |
| 		# <- meta.object.named-set.nftables
 | |
| 
 | |
| 		type inet_service; flags constant, interval;
 | |
| 		# <- storage.type.set-type.nftables
 | |
| 		#    ^ constant.language.data-type.nftables
 | |
| 		#                ^ punctuation.terminator.semi-colon.nftables
 | |
| 		#                  ^ storage.type.set-flags.nftables
 | |
| 		#                        ^ constant.language.set-flag.nftables
 | |
| 		#                                ^ punctuation.separator.comma.nftables
 | |
| 		#                                  ^ constant.language.set-flag.nftables
 | |
| 		#                                          ^ punctuation.terminator.semi-colon.nftables
 | |
| 		auto-merge
 | |
| 		# <- storage.type.set-automerge.nftables
 | |
| 		size 65535
 | |
| 		# <- storage.type.set-size.nftables
 | |
| 		#    ^ constant.numeric.integer.decimal.nftables
 | |
| 		timeout 3d45m1s;
 | |
| 		# <- storage.type.set-timeout.nftables
 | |
| 		#       ^^^^^^^ string.unquoted.time-string.nftables
 | |
| 		#              ^ punctuation.terminator.semi-colon.nftables
 | |
| 		gc-interval 60s;
 | |
| 		# <- storage.type.set-gcinterval.nftables
 | |
| 		#           ^^^ string.unquoted.time-string.nftables
 | |
| 		comment "list of unwanted traffic by IP address"
 | |
| 		# <- storage.type.set-comments.nftables
 | |
| 		#       ^ string.quoted.double.nftables
 | |
| 		counter
 | |
| 		# <- storage.type.set-counter.nftables
 | |
| 		elements = { domain, ntp timeout 30s }
 | |
| 		# <- storage.type.set-elements.nftables
 | |
| 		#        ^ keyword.operator.assignment.nftables
 | |
| 		#          ^^^^^^^^^^^^^^^^^^^^^^^^^^^ meta.object.anonymous-set.nftables
 | |
| 		#                        ^ storage.type.set-element-timeout.nftables
 | |
| 		#                                ^ string.unquoted.time-string.nftables
 | |
| 
 | |
| 		# <- meta.object.named-set.nftables
 | |
| 	}
 | |
| 	# <- punctuation.section.braces.end.named-set.nftables
 | |
| 
 | |
| 	set myset {
 | |
| 		typeof ip daddr . tcp dport
 | |
| 		# <- storage.type.set-typeof.nftables
 | |
| 		#               ^ keyword.operator.concatenation.nftables
 | |
| 		counter
 | |
| 		elements = { \
 | |
| 			1.1.1.4 . 22 counter packets 0 bytes 0, \
 | |
| 			#            ^ storage.type.set-element-counter.nftables
 | |
| 			#                    ^ string.unquoted.counter-unit.nftables
 | |
| 			#                            ^ constant.numeric.integer.decimal.nftables
 | |
| 			#                              ^ string.unquoted.counter-unit.nftables
 | |
| 			#                                    ^ constant.numeric.integer.decimal.nftables
 | |
| 			1.1.1.5 . 23 counter packets 0 bytes 0, \
 | |
| 			1.1.1.6 . 24 counter packets 0 bytes 0, \
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	map addr2mark {
 | |
| 		typeof ip saddr . tcp dport : verdict
 | |
| 		# <- storage.type.set-typeof.nftables
 | |
| 		#               ^ keyword.operator.concatenation.nftables
 | |
| 		#                           ^ punctuation.separator.colon.nftables
 | |
| 		#                             ^ constant.language.verdict.nftables
 | |
| 		elements = { 192.168.10.35 . 80 : 0x00000001, 192.168.10.135 . 80 : 0x00000002 }
 | |
| 	}
 | |
| 
 | |
| 	flowtable f {
 | |
| 	# <- storage.type.flowtable.nftables keyword.declaration.flowtable.nftables
 | |
| 	#         ^ entity.name.flowtable.nftables
 | |
| 		hook ingress priority 0;
 | |
| 		# <- storage.type.flowtable-hook.nftables
 | |
| 		#    ^ constant.language.hook.nftables
 | |
| 		#            ^ storage.type.flowtable-priority.nftables
 | |
| 		#                     ^ constant.numeric.integer.decimal.nftables
 | |
| 		devices = { eth0, eth1 }
 | |
| 		# <- storage.type.flowtable-devices.nftables
 | |
| 		#       ^ keyword.operator.assignment.nftables
 | |
| 		#         ^^^^^^^^^^^^^^ meta.object.anonymous-set.nftables
 | |
| 		flags offload
 | |
| 		# <- storage.type.flowtable-flags.nftables
 | |
| 		#     ^ constant.language.flowtable-flag.nftables
 | |
| 		counter
 | |
| 		# <- storage.type.flowtable-counter.nftables
 | |
| 	}
 | |
| }
 | |
| 
 | |
| chain a-strang3_Name c {
 | |
| # <- storage.type.chain.nftables keyword.declaration.chain.nftables
 | |
| #     ^^^^^^^^^^^^^^ variable.other.readwrite.table.nftables
 | |
| #                    ^ entity.name.chain.nftables
 | |
| #                      ^ punctuation.section.block.begin.chain.nftables
 | |
| 
 | |
| 	ct state established,related counter accept
 | |
| 	#                   ^ punctuation.separator.comma.nftables
 | |
| 	#                            ^ keyword.control.rule-statement.nftables
 | |
| 	#                                    ^ keyword.control.rule-statement.verdict.nftables
 | |
| 
 | |
| 	tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
 | |
| 	#         ^ keyword.operator.bitwise.nftables
 | |
| 	#               ^ keyword.operator.bitwise.nftables
 | |
| 	#                                     ^^ keyword.operator.arithmetic.nftables
 | |
| 	#                                        ^^^ constant.numeric.integer.hexadecimal.nftables
 | |
| 
 | |
| 	tcp flags syn tcp option maxseg size 1-535 counter drop comment "TCP Maximum Segment Size"
 | |
| 	#                                     ^ punctuation.separator.dash.nftables
 | |
| 	#                                                       ^^^^^^^ keyword.control.rule-statement.nftables
 | |
| 
 | |
	# Concatenation (ip daddr . tcp dport) matched against an anonymous set of ranges; "*" is a wildcard element.
	ip daddr . tcp dport { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443, * . 53 } accept
	#                                          ^^^^^^^^^^^ constant.numeric.ipv4-address.nftables
	#                                                     ^ punctuation.separator.dash.nftables
	#                                                      ^^^^^^^^^^^ constant.numeric.ipv4-address.nftables
	#                                                                            ^ keyword.operator.wildcard.nftables

	# limit in "over" mode: packets exceeding 1023/second (burst 10) are logged with the given prefix.
	limit rate over 1023/second burst 10 packets log prefix "LIMITED"
	# <- keyword.control.rule-statement.nftables
	#     ^ storage.type.limit-rate.nftables
	#          ^ constant.language.limit-mode.nftables
	#                   ^ punctuation.separator.limit-rate.nftables
	#                    ^ string.unquoted.time-string.nftables
	#                           ^ constant.language.limit-burst.nftables
	#                                    ^ string.unquoted.limit-unit.nftables
	#                                            ^ keyword.control.rule-statement.nftables

	# synproxy statement (SYN-flood mitigation) with explicit TCP option arguments; ct state takes a comma list.
	tcp dport 8888 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
	#                                         ^ storage.type.synproxy.nftables

	# Implicit (anonymous) chain opened by "jump {"; rules inside may be terminated with ";".
	tcp dport 22 jump {
	#                 ^ punctuation.section.braces.begin.implicit-chain.nftables

		# <- meta.block.implicit-chain.nftables

		ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
		#        ^ punctuation.section.braces.begin.anonymous-set.nftables
		ip6 saddr ::1/128 accept;
		#         ^ constant.numeric.ipv6-subnet.nftables
		#                 ^ keyword.control.rule-statement.verdict.nftables
		# IPv6 forms: mixed-case hex, "1::" compression, IPv4-mapped tail; the link-local fe80:: address is
		# written without any "%iface" zone index and matches like any other IPv6 address.
		ip6 saddr { fE80::dead:beef:beef:dead, 1::3:4:5:6:7:8, ::ffFF:0:255.255.255.255 } accept
		#           ^^^^^^^^^^^^^^^^^^^^^^^^^ constant.numeric.ipv6-address.nftables
		#                                      ^^^^^^^^^^^^^^ constant.numeric.ipv6-address.nftables
		#                                                      ^^^^^^^^^^^^^^^^^^^^^^^^ constant.numeric.ipv6-address.nftables

		# <- meta.block.implicit-chain.nftables
	}
	# <- punctuation.section.braces.end.implicit-chain.nftables
| }
| 
# Top-level quota object "example" in table "filter": "over" mode, 100 mbytes threshold, 0 bytes used.
# The space before the terminating ";" is deliberate (terminator scoped on its own).
quota filter example over 100 mbytes used 0 bytes ;
# <- storage.type.quota.nftables keyword.declaration.quota.nftables
#     ^ variable.other.readwrite.table.nftables
#            ^ entity.name.quota.nftables
#                    ^ constant.language.quota-mode.nftables
#                         ^^^ constant.numeric.integer.decimal.nftables
#                             ^ string.unquoted.quota-unit.nftables
#                                    ^ constant.language.quota-used.nftables
#                                         ^ constant.numeric.integer.decimal.nftables
#                                                 ^ punctuation.terminator.semi-colon.nftables
| 
table ip filter {
	chain prerouting {
		# Named priority with an arithmetic offset ("dstnat - 100").
		type nat hook prerouting priority dstnat - 100;
		#                                 ^ constant.language.chain-priority.nftables
		#                                        ^ keyword.operator.arithmetic.nftables
		#                                          ^^^ constant.numeric.integer.decimal.nftables

		# Packet mark set from a numgen expression, followed by a jump to chain "prerouting".
		mark set numgen inc mod 4 offset 3 jump prerouting
		#        ^ keyword.operator.arithmetic.nftables
		#                                  ^ keyword.control.rule-statement.verdict.nftables
		#                                       ^ variable.other.readwrite.chain.nftables

		# jhash over a concatenation ("." joins ip saddr, tcp dport and iiftype).
		mark set jhash ip saddr . tcp dport . iiftype mod 2
		#    ^ keyword.control.rule-statement.nftables
		#        ^ keyword.operator.arithmetic.nftables
		#                       ^ keyword.operator.concatenation.nftables

		# Bitwise word operators (lshift, or) applied to meta mark.
		meta mark set meta mark lshift 1 or 0x1
		#                       ^ keyword.operator.word.nftables
		#                                ^ keyword.operator.word.nftables

		# tproxy verdict with a port-only target (":8080").
		tcp dport 80 tproxy to :8080
		#            ^ keyword.control.rule-statement.verdict.nftables
	}
}
| 
table netdev filter {
	chain ingress {
		# netdev ingress chain bound to a single device given as a bare name; negative priority is "-" + integer.
		type filter hook ingress device enp0s20f0 priority -455;
		#                ^ constant.language.hook.nftables
		#                        ^ storage.type.chain-device.nftables
		#                               ^ string.unquoted.nftables
		#                                         ^ storage.type.chain-priority.nftables
		#                                                  ^ keyword.operator.arithmetic.nftables
		#                                                   ^ constant.numeric.integer.decimal.nftables
	}

	# Single-line chain; the device name may be a quoted string.
	chain ingress_2 { type filter hook ingress device "enp0s20f0" priority 0; }
	#                                                 ^^^^^^^^^^^ string.quoted.double.nftables

	# The device name may also be a $variable reference.
	chain ingress_3 { type filter hook ingress device $_ priority 0; }
	#                                                 ^ punctuation.definition.variable.nftables
	#                                                  ^ variable.other.constant.nftables

	# define inside a table body; referenced below as $devices.
	define devices = { eth0, eth1 }

	chain egress {
		# Multi-device form: "devices =" binds a set of devices to the chain.
		type filter hook egress devices = $devices priority 0;
		#                ^ constant.language.hook.nftables
		#                       ^ storage.type.chain-devices.nftables
		#                               ^ keyword.operator.assignment.nftables
		#                                 ^ punctuation.definition.variable.nftables
		#                                  ^ variable.other.constant.nftables
		#                                          ^ storage.type.chain-priority.nftables
		#                                                   ^ constant.numeric.integer.decimal.nftables
	}
}