Revert "Remove problematic vmaps"

This reverts commit 17cc8d55e2. The bug was due to a rule not declared in the scope.
4 years ago · b94482b617
1 changed files with 22 additions and 18 deletions
--- a/nftables.conf
+++ b/nftables.conf
@ -71,27 +71,31 @@ table inet firewall {
 		# Filters on input interfaces. The final decision is not taken in the from_* chain,
 		# but instead packets return here for further processing. This is why `jump` is used here.
-		meta iif $if_users jump from_users
+		meta iif vmap {
-		meta iif $if_deco jump from_deco
+		    $if_users:         jump from_users,
-		meta iif $if_prod jump from_prod
+		    $if_deco:          jump from_deco,
-		meta iif $if_dmz jump from_dmz
+		    $if_prod:          jump from_prod,
-		meta iif $if_switchs jump from_switchs
+		    $if_dmz:           jump from_dmz,
-		meta iif $if_federez jump from_federez
+		    $if_switchs:       jump from_switchs,
-		meta iif $if_renater jump from_renater
+		    $if_federez:       jump from_federez,
-		meta iif $if_dmz_wireguard jump from_dmz_wireguard
+		    $if_renater:       jump from_renater,
-		meta iif $if_nerim jump from_nerim
+		    $if_dmz_wireguard: jump from_dmz_wireguard,
 		    $if_nerim:         jump from_nerim,
 		}
 		# Filters on output interfaces. Do not return: either drop or accept
 		# We use goto so we don't return to the calling chain after packets have been processed
-		meta oif $if_users goto to_users
+		meta oif vmap {
-		meta oif $if_deco goto to_deco
+		    $if_users:         goto to_users,
-		meta oif $if_prod goto to_prod
+		    $if_deco:          goto to_deco,
-		meta oif $if_dmz goto to_dmz
+		    $if_prod:          goto to_prod,
-		meta oif $if_switchs goto to_switchs
+		    $if_dmz:           goto to_dmz,
-		meta oif $if_federez goto to_federez
+		    $if_switchs:       goto to_switchs,
-		meta oif $if_renater goto to_renater
+		    $if_federez:       goto to_federez,
-		meta oif $if_dmz_wireguard goto to_dmz_wireguard
+		    $if_renater:       goto to_renater,
-		meta oif $if_nerim jump from_nerim
+		    $if_dmz_wireguard: goto to_dmz_wireguard,
 		    $if_nerim:         jump from_nerim
 		}
 		counter log prefix "Uncaught traffic:"
 	}