From 5397b6af065af2f5e26dd84051344e7b692373ce Mon Sep 17 00:00:00 2001
From: Ilya Verbitskiy
Date: Mon, 12 Aug 2024 23:07:48 +0200
Subject: [PATCH] net: clean up nft rules

---
 apps/virtuerl/src/virtuerl_net.erl | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/apps/virtuerl/src/virtuerl_net.erl b/apps/virtuerl/src/virtuerl_net.erl
index d59e38f..d3163fe 100644
--- a/apps/virtuerl/src/virtuerl_net.erl
+++ b/apps/virtuerl/src/virtuerl_net.erl
@@ -164,17 +164,21 @@ update_nftables(Domains) ->
 "table inet virtuerl {\n",
 " chain input {\n",
 " type filter hook input priority filter; policy accept;\n",
+ " }\n",
+ "\n",
+ " chain virtuerl_forward {\n",
 " ct state established,related accept\n",
+ " iifname \"wg*\" accept\n", % TODO: temp workaround, replace that with generic fwmark / saddr setting
+ " icmpv6 type echo-request limit rate 5/second accept\n",
+ " icmp type echo-request limit rate 5/second accept\n",
 ForwardRules,
- " oifname \"verlbr*\" reject\n",
+ " reject\n",
 " }\n",
 "\n",
 " chain forward {\n",
 " type filter hook forward priority filter; policy accept;\n",
 " iifname \"verlbr*\" accept\n",
- " ct state established,related accept\n",
- ForwardRules,
- " oifname \"verlbr*\" reject\n",
+ " oifname \"verlbr*\" jump virtuerl_forward\n",
 " }\n",
 "\n",
 "\n",
@@ -184,13 +188,13 @@ update_nftables(Domains) ->
 " type nat hook output priority -105; policy accept;\n",
 DnsRules,
 " }\n",
-
+ "\n",
 " chain prerouting {\n",
 " type nat hook prerouting priority dstnat - 5; policy accept;\n",
 DnsRules,
 PortFwdRules,
 " }\n",
-
+ "\n",
 " chain postrouting {\n",
 " type nat hook postrouting priority -5; policy accept;\n",
 " iifname \"verlbr*\" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } masquerade\n",
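Review bot: The new `iifname "wg*" accept` rule in the `virtuerl_forward` chain is an unconditional allow placed ahead of `ForwardRules` and the terminal `reject`, so every forwarded packet arriving from any `wg`-prefixed interface reaches the `verlbr*` bridges without the per-domain rules being evaluated; the TODO acknowledges this, but the Erlang `%` comment never reaches the installed ruleset. Consider making the rule self-describing in the nft output so an operator inspecting the live ruleset sees the caveat, e.g. `" iifname \"wg*\" accept comment \"temporary: bypasses per-domain forward rules\"\n",`, and keep the Erlang TODO alongside it. The `forward` chain's `oifname "verlbr*" jump virtuerl_forward` keeps the old scope (only traffic into the bridges is filtered), so the change widens what is accepted rather than what is inspected. The enclosing `update_nftables/1` string list starts before this hunk; the second hunk only adds `"\n"` separators to the generated text.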