# redxenfirewall: dual-stack (inet family) filter and NAT framing.
# Only the fixed skeleton lives here: invalid/blackhole handling, the ICMP
# and ICMPv6 messages a host needs, loopback / trusted-interface acceptance
# and the terminal reject of each chain. Site-specific rules are pulled in
# from the include directories (resolved against nft's include search path).
table inet redxenfirewall {

	# Dynamic blocklists, one per address family. Nothing in this file adds
	# entries; presumably rules in the included files insert addresses --
	# TODO confirm. The rules in rxfi only refresh the timer of an entry that
	# is already present.
	set blackhole4 {
		type ipv4_addr
		flags dynamic, timeout
	}

	set blackhole6 {
		type ipv6_addr
		flags dynamic, timeout
	}

	# Input hook. Default drop; anything not accepted here or in the included
	# input rules is rejected at the end of rxfi-extern.
	chain rxfi {
		type filter hook input priority 0; policy drop;

		# Packets conntrack cannot classify are discarded without a reply.
		ct state invalid counter drop

		# Blackholed sources are tested before the established/related
		# accept, so their existing connections are cut off too. Each
		# matching packet refreshes the 1h timeout, so a source that keeps
		# sending stays listed. NOTE(review): the reject answers a source
		# that is deliberately being ignored; a plain drop would avoid
		# emitting that ICMP reply -- behaviour kept as written.
		ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited
		ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited

		# Unconditionally accepted control traffic: ping for both families
		# and the IPv6 neighbour-discovery messages. Router advertisements
		# are accepted on every interface, not just eth1.
		icmp type { echo-request } counter accept
		icmpv6 type {
			nd-neighbor-solicit,
			echo-request,
			nd-router-advert,
			nd-neighbor-advert
		} counter accept

		# Return traffic of flows this host already has in conntrack.
		ct state related,established counter accept

		# Loopback and the trusted interface bypass the external rules.
		iifname { "lo", "eth1" } counter accept

		jump rxfi-extern
	}

	# Externally reachable input rules: stateful rules first, then the
	# explicitly allowed services, then reject everything else.
	chain rxfi-extern {
		include "inet/redxenfirewall/filter/input/stateful/*"
		include "inet/redxenfirewall/filter/input/allowed/*"
		counter reject with icmpx type admin-prohibited
	}

	# Forward hook. Default drop. No conntrack rules are visible at this
	# level, so established/related acceptance for forwarded flows has to
	# come from the included files -- TODO confirm.
	chain fwfi {
		type filter hook forward priority 0; policy drop;
		include "inet/redxenfirewall/filter/forward/*"
		counter reject with icmpx type no-route
	}

	# Output hook. Permissive by default; only the included rules restrict
	# locally generated traffic.
	chain txfi {
		type filter hook output priority 0; policy accept;
		include "inet/redxenfirewall/filter/output/*"
	}

	# NAT hooks. Priorities -100 and 100 correspond to nftables' standard
	# dstnat and srcnat positions. All rules come from the include
	# directories; with policy accept an empty directory is a no-op.
	chain prenat {
		type nat hook prerouting priority -100; policy accept;
		include "inet/redxenfirewall/nat/prerouting/*"
	}

	chain rxnat {
		type nat hook input priority 100; policy accept;
		include "inet/redxenfirewall/nat/input/*"
	}

	chain txnat {
		type nat hook output priority -100; policy accept;
		include "inet/redxenfirewall/nat/output/*"
	}

	chain postnat {
		type nat hook postrouting priority 100; policy accept;
		include "inet/redxenfirewall/nat/postrouting/*"
	}
}