Development

routlin/mod_nftables.py

@@ -404,19 +404,41 @@ def build_nft_config(data, dry_run=False):
         "",
     ]
 
+    L += ["        # Anti-spoofing: drop packets arriving on a VLAN interface with a source IP outside that VLAN's subnet", ""]
+    for vlan in vlans:
+        if validation.is_wg(vlan):
+            continue
+        iface  = validation.derive_interface(vlan, data)
+        subnet = vlan.get('subnet', '')
+        mask   = vlan.get('subnet_mask', 24)
+        if subnet:
+            L.append(f"        iif \"{iface}\" ip saddr != {subnet}/{mask} drop  # {vlan['name']} anti-spoof")
+    L.append("")
+
     L.append("        # Allow each VLAN -> WAN (outbound internet)")
     for vlan in vlans:
+        if vlan.get('restricted_vlan'):
+            continue
         L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" accept  # {vlan['name']} -> WAN")
     L.append("")
 
     if container_bridges:
         L.append("        # Allow VLAN -> Docker bridge forwarding")
         for vlan in vlans:
+            if vlan.get('restricted_vlan'):
+                continue
             for bridge in container_bridges:
                 L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{bridge}\" ct state new accept"
                          f"  # {vlan['name']} -> {bridge}")
         L.append("")
 
+    restricted = [v for v in vlans if v.get('restricted_vlan')]
+    if restricted:
+        L.append("        # Block restricted VLANs -> WAN")
+        for vlan in restricted:
+            L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" drop  # {vlan['name']} -> WAN (restricted)")
+        L.append("")
+
     L += [
         "        # Allow Docker containers -> WAN (outbound internet access)",
         f"        iif != \"{wan}\" oif \"{wan}\" ct state new accept",