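#!/usr/bin/bash
#
# Load an nftables "netdev" table that restricts every macvtap-* interface
# found on this host to an IPv4 allowlist plus the default gateway and the
# limited-broadcast address. Everything else is dropped by chain policy.
#
# This file is a Jinja template: the allowlist on the "define allowed_ipv4"
# line is rendered from exam_destination_allowed_ipv4 before bash runs it.
#
# Failure mode: nft applies the input as one transaction, so any error below
# leaves the host with NO new filter. The unit that runs this script should
# treat a non-zero exit as fatal rather than continue unfiltered.

# pipefail matters here: without it a failing "ip link" yields an empty
# interface list, an empty table loads cleanly, and the script reports
# success while nothing is filtered.
set -euo pipefail

# Names of all macvtap-* links, taken from the "NAME@PARENT" column.
# Only interfaces that exist right now are covered; a macvtap device created
# after this script has run gets no chains until the script is run again.
interfaces=$(/usr/bin/ip link | /usr/bin/sed -En 's/.*(macvtap-.*)@.*/\1/p')
if [[ -z "${interfaces}" ]]; then
  printf 'warning: no macvtap-* interface found; the table will be empty\n' >&2
fi

# Third field of the first default route ("default via <gateway> ...").
default_route=$(/usr/bin/ip route list default)
read -r _ _ gateway _ <<<"${default_route}"

# An empty or non-address gateway would otherwise surface only as an nft
# parse error (and nft may try to resolve a bare word as a host name).
ipv4_re='^[0-9]+(\.[0-9]+){3}$'
if [[ ! "${gateway}" =~ ${ipv4_re} ]]; then
  printf 'error: no IPv4 default gateway found (got "%s"); filter not loaded\n' \
    "${gateway}" >&2
  exit 1
fi

# One ingress and one egress base chain per interface, both "policy drop".
# The rules match IPv4 addresses only, so every non-IPv4 frame (ARP, IPv6,
# ...) falls through to the drop policy.
# NOTE(review): confirm that dropping ARP on these hooks is intended.
# NOTE(review): 255.255.255.255 as a *source* address on ingress does not
# look like legitimate traffic; the egress "daddr" form covers outgoing
# broadcasts. Confirm whether the ingress rule is needed.
filterchain=""
# Word splitting is intentional: one interface name per word.
for interface in ${interfaces}; do
  filterchain+="
  chain filterin_${interface} {
    type filter hook ingress device ${interface} priority filter; policy drop;
    ip saddr \$allowed_ipv4 accept
    ip saddr ${gateway} accept;
    ip saddr 255.255.255.255 accept;
  }

  chain filterout_${interface} {
    type filter hook egress device ${interface} priority filter; policy drop;
    ip daddr \$allowed_ipv4 accept
    ip daddr ${gateway} accept;
    ip daddr 255.255.255.255 accept;
  }
"
done

# "add table" then "delete table" makes the load idempotent: rules from an
# earlier run (for example a wider allowlist) are discarded instead of staying
# in the chains next to the new ones. All of it is applied in one transaction.
/usr/sbin/nft -f - <<EOF
define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }

add table netdev filtermacvtap
delete table netdev filtermacvtap

table netdev filtermacvtap {
${filterchain}
}
EOF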