1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
@def $TRUSTED_HOSTS = (192.168.0.40 2001:abcd:ef::40);
domain (ip ip6) chain INPUT {
saddr @ipfilter($TRUSTED_HOSTS) proto tcp dport ssh ACCEPT;
}
# do the @ipfilter invocation in a variable declaration
@def $FILTERED_HOSTS = @ipfilter($TRUSTED_HOSTS);
domain (ip ip6) chain OUTPUT {
daddr $FILTERED_HOSTS proto tcp dport ssh ACCEPT;
}
@def &accept_range($srange) = {
domain (ip ip6) chain INPUT {
saddr $srange ACCEPT;
}
}
&accept_range(@ipfilter($TRUSTED_HOSTS));
# negation
domain (ip ip6) chain FORWARD {
daddr !$FILTERED_HOSTS DROP;
}
# also try @ipfilter as an "m" target; see issue #63 for a real-world example
@def $NATTED_NETS = (192.168.0.0/24 2001:abcd:ef::/64);
@def $SNAT_ADDR = (10.0.0.1 2001:efff::1);
domain (ip ip6) chain INPUT {
saddr @ipfilter($NATTED_NETS) outerface eth0 SNAT to-source @ipfilter($SNAT_ADDR);
}
|
