authorHimbeerserverDE <himbeerserverde@gmail.com>2023-03-30 15:08:20 +0200
committerHimbeerserverDE <himbeerserverde@gmail.com>2023-03-30 15:08:20 +0200
commit86f3df4e324262bf7a5a575e60e9f9db3170b620 (patch)
tree933ea7514ccf1f4b385b66bb223e9cbdcff82ea6
parenta6fa82ef34695eb637a3f30af8df37722147b922 (diff)
add basic packet filtering focused on ipv4
-rw-r--r--Cargo.lock6
-rw-r--r--Cargo.toml2
-rw-r--r--src/main.rs70
3 files changed, 72 insertions, 6 deletions
diff --git a/Cargo.lock b/Cargo.lock
index 30409cb..674ad25 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -402,8 +402,8 @@ dependencies = [
[[package]]
name = "rustables"
-version = "0.8.1"
-source = "git+https://github.com/rsdsl/rustables.git#47bbbefb4a97d93981bb234f43d8939025c1db40"
+version = "0.9.0"
+source = "git+https://github.com/rsdsl/rustables.git#674db7775393f9ae800c936f920977d0fa5ef4b7"
dependencies = [
"bindgen",
"bitflags",
@@ -419,7 +419,7 @@ dependencies = [
[[package]]
name = "rustables-macros"
version = "0.1.1"
-source = "git+https://github.com/rsdsl/rustables.git#47bbbefb4a97d93981bb234f43d8939025c1db40"
+source = "git+https://github.com/rsdsl/rustables.git#674db7775393f9ae800c936f920977d0fa5ef4b7"
dependencies = [
"once_cell",
"proc-macro-error",
diff --git a/Cargo.toml b/Cargo.toml
index 0b02f8b..7a84890 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,5 +7,5 @@ edition = "2021"
[dependencies]
failure = "0.1.8"
-rustables = { git = "https://github.com/rsdsl/rustables.git", version = "0.8.1" }
+rustables = { git = "https://github.com/rsdsl/rustables.git", version = "0.9.0" }
thiserror = "1.0"
diff --git a/src/main.rs b/src/main.rs
index 4135c63..cf4b4f4 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -4,7 +4,7 @@ use rustables::{
Batch, Chain, ChainPolicy, ChainType, Hook, HookClass, MsgType, ProtocolFamily, Rule, Table,
};
-fn main() -> Result<()> {
+fn nat() -> Result<()> {
let mut batch = Batch::new();
let nat = Table::new(ProtocolFamily::Ipv4).with_name("nat");
@@ -22,7 +22,73 @@ fn main() -> Result<()> {
batch.add(&rule, MsgType::Add);
batch.send()?;
+ Ok(())
+}
+
+fn filter() -> Result<()> {
+ let mut batch = Batch::new();
+
+ let filter = Table::new(ProtocolFamily::Inet).with_name("filter");
+ batch.add(&filter, MsgType::Add);
+
+ let mut forward = Chain::new(&filter).with_name("FORWARD");
+
+ forward.set_type(ChainType::Filter);
+ forward.set_hook(Hook::new(HookClass::Forward, 0));
+ forward.set_policy(ChainPolicy::Drop);
+
+ batch.add(&forward, MsgType::Add);
+
+ let allow_established = Rule::new(&forward)?.established()?.accept();
+ batch.add(&allow_established, MsgType::Add);
+
+ let allow_trusted_to_wan4 = Rule::new(&forward)?
+ .iface("eth0.10")?
+ .oface("rsppp0")?
+ .accept();
+ batch.add(&allow_trusted_to_wan4, MsgType::Add);
+
+ let allow_untrusted_to_wan4 = Rule::new(&forward)?
+ .iface("eth0.20")?
+ .oface("rsppp0")?
+ .accept();
+ batch.add(&allow_untrusted_to_wan4, MsgType::Add);
+
+ let allow_exposed_to_wan4 = Rule::new(&forward)?
+ .iface("eth0.40")?
+ .oface("rsppp0")?
+ .accept();
+ batch.add(&allow_exposed_to_wan4, MsgType::Add);
+
+ let allow_any_to_exposed = Rule::new(&forward)?.oface("eth0.40")?.accept();
+ batch.add(&allow_any_to_exposed, MsgType::Add);
+
+ let allow_icmp4 = Rule::new(&forward)?.icmp().accept();
+ batch.add(&allow_icmp4, MsgType::Add);
+
+ let allow_icmp6 = Rule::new(&forward)?.icmpv6().accept();
+ batch.add(&allow_icmp6, MsgType::Add);
+
+ batch.send()?;
+ Ok(())
+}
+
+fn main() -> Result<()> {
+ match nat() {
+ Ok(_) => println!("[netfilterd] enable nat"),
+ Err(e) => {
+ println!("[netfilterd] can't enable nat: {}", e);
+ return Err(e);
+ }
+ }
+
+ match filter() {
+ Ok(_) => println!("[netfilterd] activate acl"),
+ Err(e) => {
+ println!("[netfilterd] can't activate acl: {}", e);
+ return Err(e);
+ }
+ }
- println!("[netfilterd] enable nat");
Ok(())
}
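Review bot: The new `main` sends the NAT batch (`nat()` ends with `batch.send()?`) before `filter()` runs, so if `filter()` fails the program returns `Err` with NAT active and no FORWARD chain carrying the `ChainPolicy::Drop` policy installed — presumably fail-open for forwarded traffic unless some other chain covers it. Calling `filter()` before `nat()`, or building both into one `Batch` so the kernel applies them as a single transaction, keeps the failure mode closed. In `filter`, `allow_any_to_exposed` and the two ICMP rules constrain only the output interface or the protocol, so they also admit traffic arriving on `rsppp0` or on `eth0.20` toward `eth0.40`, and ICMP/ICMPv6 from the WAN into every VLAN; if that is intended, a comment such as `// eth0.40 is reachable from every interface, including the WAN` would record it, otherwise an `.iface(...)` constraint narrows the rules. The `Err` arms in `main` print diagnostics with `println!`; `eprintln!` keeps them on stderr and out of any stdout consumer.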