{ lib, ... }:
let
  inherit (lib) mkBefore readFile;
in
{
  /*
    Reference list of bogon / special-purpose prefixes, kept next to the
    nftables ruleset in ./nftables.txt as documentation.  Whether that file
    actually filters on these prefixes cannot be confirmed from this module
    alone — check nftables.txt before relying on the list.

    IPv4
    0.0.0.0/0          Default (can be advertised in BGP if desired)
    0.0.0.0/8          Self identification
    0.0.0.0/32         Broadcast
                       NOTE(review): 0.0.0.0/32 is "this host"; the limited
                       broadcast address is 255.255.255.255/32 — confirm which
                       one the ruleset is meant to drop.
    10.0.0.0/8         Private Networks (RFC 1918)
    127.0.0.0/8        Loopback
    128.0.0.0/16       IANA Reserved (RFC 3330)
    172.16.0.0/12      Private Networks (RFC 1918)
    169.254.0.0/16     Local
    191.255.0.0/16     Reserved (RFC 3330)
    192.0.0.0/24       IANA Reserved (RFC 3330)
    192.0.2.0/24       Test-Net (RFC 3330)
    192.168.0.0/16     Networks (RFC 1918)
    198.18.0.0/15      Network Interconnect Device Benchmark Testing
    223.255.255.0/24   Special Use Networks (RFC 3330)
    224.0.0.0/4        Multicast
    240.0.0.0/4        Class E Reserved

    NOTE(review): RFC 3330 was obsoleted by RFC 5735 and then RFC 6890;
    128.0.0.0/16, 191.255.0.0/16 and 223.255.255.0/24 were returned to the
    normal allocation pool and 100.64.0.0/10 (shared address space, RFC 6598)
    is not listed.  Verify this list against the current IANA special-purpose
    address registry before using it as a drop list, otherwise legitimate
    traffic may be blocked.

    IPv6
    ::/0               Default (can be advertised as a route in BGP to peers if desired)
    ::/96              IPv4-compatible IPv6 address – deprecated by RFC4291
    ::/128             Unspecified address
    ::1/128            Local host loopback address
    ::ffff:0.0.0.0/96  IPv4-mapped addresses
    ::224.0.0.0/100    Compatible address (IPv4 format)
    ::127.0.0.0/104    Compatible address (IPv4 format)
    ::0.0.0.0/104      Compatible address (IPv4 format)
    ::255.0.0.0/104    Compatible address (IPv4 format)
    0000::/8           Pool used for unspecified, loopback and embedded IPv4 addresses
    0200::/7           OSI NSAP-mapped prefix set (RFC4548) – deprecated by RFC4048
    3ffe::/16          Former 6bone, now decommissioned
    2001:db8::/32      Reserved by IANA for special purposes and documentation
    2002:e000::/20     Invalid 6to4 packets (IPv4 multicast)
    2002:7f00::/24     Invalid 6to4 packets (IPv4 loopback)
    2002:0000::/24     Invalid 6to4 packets (IPv4 default)
    2002:ff00::/24     Invalid 6to4 packets
    2002:0a00::/24     Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
    2002:ac10::/28     Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
    2002:c0a8::/32     Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
    fc00::/7           Unicast Unique Local Addresses (ULA) – RFC 4193
    fe80::/10          Link-local Unicast
    fec0::/10          Site-local Unicast – deprecated by RFC 3879 (replaced by ULA)
    ff00::/8           Multicast

    https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
  */

  # The NixOS module syntax-checks the ruleset (`nft -c`) inside the build
  # sandbox, where the user and group names referenced by skuid/skgid do not
  # exist.  Rewrite them to placeholder names so the check can pass; as
  # documented for the NixOS option, only the checked copy (ruleset.conf) is
  # edited, the deployed ruleset keeps the real names.
  # NOTE(review): the `[^ ]*` pattern assumes a single-token value.  A set
  # such as `skuid { a, b }` would be rewritten to `skuid nobody b }` and fail
  # the check — confirm nftables.txt only uses single skuid/skgid values.
  networking.nftables.preCheckRuleset = ''
    sed -i ruleset.conf \
      -e 's/skuid *[^ ]*/skuid nobody/g' \
      -e 's/skgid *[^ ]*/skgid nogroup/g'
  '';

  # Load the hand-written ruleset verbatim and order it ahead of any other
  # module's contribution to networking.nftables.ruleset.
  networking.nftables.ruleset = mkBefore (readFile ./nftables.txt);
}