jerrita 3 months ago
parent
commit
3992a75668
2 changed files with 162 additions and 0 deletions
  1. 100 0
      flake.lock
  2. 62 0
      networking/firewall.nft

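--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,100 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1704538339,
+        "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "scripts": "scripts",
+        "utils": "utils"
+      }
+    },
+    "scripts": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700982199,
+        "narHash": "sha256-hrtf/Uab/gBqxdyfWXMO1LwBy0YocnprAmLPzqrQpUg=",
+        "owner": "jerrita",
+        "repo": "scripts",
+        "rev": "ca3290dd2b2b9681dc60949855db8976b7c19ffa",
+        "type": "github"
+      },
+      "original": {
+        "owner": "jerrita",
+        "repo": "scripts",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "flake-utils": "flake-utils"
+      },
+      "locked": {
+        "lastModified": 1696331477,
+        "narHash": "sha256-YkbRa/1wQWdWkVJ01JvV+75KIdM37UErqKgTf0L54Fk=",
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "rev": "bfc53579db89de750b25b0c5e7af299e0c06d7d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "gytis-ivaskevicius",
+        "repo": "flake-utils-plus",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}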

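--- a/networking/firewall.nft
+++ b/networking/firewall.nft
@@ -0,0 +1,62 @@
+#!/usr/sbin/nft -f
+
+table inet global {
+    flowtable f {
+        hook ingress priority 0;
+        devices = { ppp0, lan };
+    }
+
+    chain input {
+        type filter hook input priority filter; policy drop;
+
+        iifname lo accept
+        iifname lan counter accept
+
+        # iifname ppp0 udp dport { 546, 547 } accept  # IPv6 PD
+        ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
+        ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter accept
+        udp dport dhcpv6-client udp sport dhcpv6-server counter accept comment "IPv6 DHCP"
+        ct state { established, related } counter accept
+        iifname ppp0 counter drop
+    }
+
+    chain forward {
+        type filter hook forward priority filter; policy drop;
+        # clamp MSS to PMTU
+        ip6 nexthdr tcp tcp flags syn tcp option maxseg size set rt mtu
+
+        ip protocol { tcp, udp } flow offload @f
+        ip6 nexthdr { tcp, udp } flow offload @f
+
+        iifname lan counter accept comment "Allow lan -> *"
+        iifname ppp0 oifname lan ct state { established, related } counter accept comment "Allow established back to lan"
+        iifname ppp0 oifname lan counter drop
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority filter; policy accept;
+        ip saddr 192.168.5.0/24 oifname ppp0 counter masquerade
+    }
+}
+
+
+table ip clash {
+    chain prerouting {
+        type nat hook prerouting priority filter; policy accept;
+        meta skuid clash counter return
+        ip daddr 198.18.0.0/16 tcp dport 1-65535 counter redirect to :7893 comment "!chnroute -> clash (tcp)"
+        ip daddr 198.18.0.0/16 udp dport 1-65535 meta mark set 0x233 tproxy to :7894 counter accept comment "!chnroute -> clash (udp)"
+    }
+
+    chain output {
+        type nat hook output priority mangle; policy accept;
+        meta skuid clash counter return
+        ip daddr 198.18.0.0/16 tcp dport 1-65535 counter redirect to :7893 comment "!chnroute -> clash (tcp) [local]"
+        ip daddr 198.18.0.0/16 udp dport 1-65535 meta mark set 0x233 counter comment "!chnroute -> clash (udp) [local]"
+    }
+
+    chain divert {
+        type filter hook prerouting priority mangle; policy accept;
+        ip protocol tcp socket transparent 1 meta mark set 0x233 accept
+    }
+}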
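Review bot: The UDP `tproxy to :7894` rule in `table ip clash` / `chain prerouting` sits in a `type nat` chain, and nat chains are only traversed for the first packet of a conntrack entry, so only the first datagram of each UDP flow to 198.18.0.0/16 is diverted and the rest of the flow bypasses clash; `redirect` is fine in nat, but tproxy belongs in a filter-type prerouting chain such as the existing `divert` chain, e.g. `ip daddr 198.18.0.0/16 udp dport 1-65535 meta mark set 0x233 tproxy to :7894 counter accept` placed there (the fwmark 0x233 policy route to local is outside this file and presumably exists). Separately, the MSS clamp in `chain forward` is prefixed with `ip6 nexthdr tcp`, so IPv4 flows that are masqueraded out over ppp0 (a typical PPPoE MTU of 1492 would be inferred, not shown here) are never clamped; `oifname ppp0 tcp flags syn tcp option maxseg size set rt mtu` would cover both families. A brief comment at the top of the `clash` table explaining that 198.18.0.0/16 is the fake-IP range handed out by clash's resolver, and that skuid `clash` is skipped to avoid redirect loops, would help the next reader of this file.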