log level warn prefix "non-public: " counter drop
}
chain check-public {
- ip saddr 0.0.0.0/8 counter goto non-public
- ip saddr 10.0.0.0/8 counter goto non-public
- ip saddr 127.0.0.0/8 counter goto non-public
- ip saddr 169.254.0.0/16 counter goto non-public
- ip saddr 172.16.0.0/12 counter goto non-public
- ip saddr 192.0.2.0/24 counter goto non-public
- ip saddr 192.168.0.0/16 counter goto non-public
- ip saddr 224.0.0.0/3 counter goto non-public
- ip saddr 240.0.0.0/5 counter goto non-public
- ip6 saddr ::/0 counter goto non-public
- ip6 saddr ::/96 counter goto non-public
- ip6 saddr ::/128 counter goto non-public
- ip6 saddr ::1/128 counter goto non-public
- ip6 saddr ::ffff:0.0.0.0/96 counter goto non-public
- ip6 saddr ::224.0.0.0/100 counter goto non-public
- ip6 saddr ::127.0.0.0/104 counter goto non-public
- ip6 saddr ::0.0.0.0/104 counter goto non-public
- ip6 saddr ::255.0.0.0/104 counter goto non-public
- ip6 saddr 0000::/8 counter goto non-public
- ip6 saddr 0200::/7 counter goto non-public
- ip6 saddr 3ffe::/16 counter goto non-public
- ip6 saddr 2001:db8::/32 counter goto non-public
- ip6 saddr 2002:e000::/20 counter goto non-public
- ip6 saddr 2002:7f00::/24 counter goto non-public
- ip6 saddr 2002:0000::/24 counter goto non-public
- ip6 saddr 2002:ff00::/24 counter goto non-public
- ip6 saddr 2002:0a00::/24 counter goto non-public
- ip6 saddr 2002:ac10::/28 counter goto non-public
- ip6 saddr 2002:c0a8::/32 counter goto non-public
- ip6 saddr fc00::/7 counter goto non-public
- ip6 saddr fe80::/10 counter goto non-public
- ip6 saddr fec0::/10 counter goto non-public
- ip6 saddr ff00::/8 counter goto non-public
+ ip saddr 0.0.0.0/8 counter goto non-public comment "Self identification"
+ ip saddr 0.0.0.0/32 counter goto non-public comment "Broadcast"
+ ip saddr 10.0.0.0/8 counter goto non-public comment "Private Networks (rfc1918)"
+ ip saddr 127.0.0.0/8 counter goto non-public comment "Loopback"
+ ip saddr 128.0.0.0/16 counter goto non-public comment "IANA Reserved (rfc3330)"
+ ip saddr 169.254.0.0/16 counter goto non-public comment "Local"
+ ip saddr 172.16.0.0/12 counter goto non-public comment "Private Networks (rfc1918)"
+ ip saddr 192.0.2.0/24 counter goto non-public comment "TEST-NET-1 (rfc5737)"
+ ip saddr 192.168.0.0/16 counter goto non-public comment "Networks (rfc1918)"
+ ip saddr 198.51.100.0/24 counter goto non-public comment "TEST-NET-2 (rfc5737)"
+ ip saddr 203.0.113.0/24 counter goto non-public comment "TEST-NET-3 (rfc5737)"
+ ip saddr 224.0.0.0/3 counter goto non-public comment "Multicast"
+ ip saddr 240.0.0.0/5 counter goto non-public comment "Class E Reserved"
+ ip saddr 191.255.0.0/16 counter goto non-public comment "Reserved (rfc3330)"
+ ip saddr 192.0.0.0/24 counter goto non-public comment "IANA Reserved (rfc3330)"
+ ip saddr 198.18.0.0/15 counter goto non-public comment "Network Interconnect Device Benchmark Testing"
+ ip saddr 223.255.255.0/24 counter goto non-public comment "Special Use Networks (rfc3330)"
+
+ ip6 saddr ::/0 counter goto non-public comment "Default (can be advertised as a route in BGP to peers if desired)"
+ ip6 saddr ::/96 counter goto non-public comment "IPv4-compatible IPv6 address – deprecated by rfc4291"
+ ip6 saddr ::/128 counter goto non-public comment "Unspecified address"
+ ip6 saddr ::1 /128 counter goto non-public comment "Local host loopback address"
+ ip6 saddr ::ffff:0.0.0.0 /96 counter goto non-public comment "IPv4-mapped addresses"
+ ip6 saddr ::224.0.0.0 /100 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::127.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::0.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr ::255.0.0.0 /104 counter goto non-public comment "Compatible address (IPv4 format)"
+ ip6 saddr 0000:: /8 counter goto non-public comment "Pool used for unspecified, loopback and embedded IPv4 addresses"
+ ip6 saddr 0200:: /7 counter goto non-public comment "OSI NSAP-mapped prefix set (rfc4548) – deprecated by rfc4048"
+ ip6 saddr 3ffe::/16 counter goto non-public comment "Former 6bone, now decommissioned"
+ ip6 saddr 2001:db8::/32 counter goto non-public comment "Reserved by IANA for special purposes and documentation"
+ ip6 saddr 2002:e000:: /20 counter goto non-public comment "Invalid 6to4 packets (IPv4 multicast)"
+ ip6 saddr 2002:7f00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 loopback)"
+ ip6 saddr 2002:0000:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 default)"
+ ip6 saddr 2002:ff00:: /24 counter goto non-public comment "Invalid 6to4 packets"
+ ip6 saddr 2002:0a00:: /24 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)"
+ ip6 saddr 2002:ac10:: /28 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)"
+ ip6 saddr 2002:c0a8:: /32 counter goto non-public comment "Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)"
+ ip6 saddr fc00:: /7 counter goto non-public comment "Unicast Unique Local Addresses (ULA) – rfc4193"
+ ip6 saddr fe80:: /10 counter goto non-public comment "Link-local Unicast"
+ ip6 saddr fec0:: /10 counter goto non-public comment "Site-local Unicast – deprecated by rfc3879 (replaced by ULA)"
+ ip6 saddr ff00:: /8 counter goto non-public comment "Multicast"
}
chain accept-icmpv6 {
# Traffic That Must Not Be Dropped
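Review bot: `ip6 saddr ::/0 counter goto non-public` at the top of the new ip6 rules in check-public matches every IPv6 source address (a /0 prefix has no fixed bits), so all IPv6 traffic that reaches this chain is sent to non-public and logged/dropped, and none of the more specific ip6 rules after it can ever fire; the attached comment ("Default ... advertised as a route in BGP") shows the entry was copied from a bogon/route list where ::/0 denotes the default route, not a bogon. The rule was already present on the old side, but the new comment cements the mistake, so drop that line (and note that `0000::/8` already covers `::/96`, `::/128`, `::1`, `::ffff:0.0.0.0/96` and the `::x.x.x.x` entries, which are therefore redundant but harmless). On the IPv4 side, `128.0.0.0/16`, `191.255.0.0/16` and `223.255.255.0/24` were reserved by RFC 3330 but RFC 5735 records them as since allocated to RIRs, so those three rules will drop legitimate public sources, and `0.0.0.0/32` is subsumed by `0.0.0.0/8` while its "Broadcast" comment is wrong (limited broadcast is 255.255.255.255, already inside `224.0.0.0/3`). The ip6 lines also spell the prefix as `::1 /128` with a space while the ip4 lines use `addr/len`; confirm with `nft -c -f` that the spaced form parses on the target nft version and settle on one spelling.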
iifname lo accept
jump check-tcp
jump limit-ping
- ct state { established, related } accept
+ ct state established accept
+ ct state related counter accept
jump input-connectivity
ct state invalid counter drop
}
chain output-connectivity {
ip protocol icmp counter accept
- meta skuid 0 udp dport 33434-33523 counter accept comment "traceroute"
+ skuid root udp dport 33434-33523 counter accept comment "traceroute"
meta nfproto ipv6 meta l4proto ipv6-icmp jump accept-icmpv6
policy drop
oifname lo accept
tcp flags syn tcp option maxseg size set rt mtu
- ct state { established, related } accept
+ ct state established accept
+ ct state related counter accept
jump output-connectivity
}
type filter hook forward priority 0
policy drop
}
+
+ chain prerouting {
+ type filter hook prerouting priority filter
+ policy accept
+ }
}
table inet nat {
chain prerouting {
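Review bot: The new `chain prerouting` base chain has `policy accept` and no rules, so as committed it has no effect on traffic; if it is intended as the ingress hook for the anti-spoofing check it needs at least `jump check-public` (that chain is defined earlier in this diff, presumably in the same table, but nothing in this hunk references it), otherwise a comment such as `# placeholder: no rules yet, accepts everything` would stop the next reader from assuming it filters something. It also uses the symbolic `priority filter` while the forward chain just above it uses `priority 0`; the two are equivalent, but one spelling should be used consistently. The table that contains both chains closes at the `}` after the new chain; its header is outside the hunk.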