-rw-r--r--roles/space_server/files/nftables.conf32
1 files changed, 18 insertions, 14 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 30cda74..4930f2e 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -47,22 +47,18 @@ define nat64_if = nat64
define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
-define colo_ip4 = 185.38.175.65
-define colo_net4 = {
- 185.38.175.64/26,
- 44.145.128.0/24, # graffen
-}
-define colo_net6 = {
- 2a01:4262:1ab:20::/64,
- 2a01:4262:1ab:1100::/60, # Asbjorn
- 2a01:4262:1ab:1110::/60, # Esmil
- 2001:678:15c::/48, # graffen
- 2a0e:8f02:f034::/48 # Hafnium
-}
define avahi_ifs = { $wire_if, $priv_if, $pass_if }
table ip filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
chain input {
type filter hook input priority 0;
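Review bot: `define colo_ip4` is removed at the top of this hunk, but no use of `$colo_ip4` is touched anywhere in the diff; if another rule in the file still references it the ruleset will fail to load, so running `nft -c -f` against the full file before merge is worth doing. The new prerouting rule `iif $colo_if fib saddr . iif oif missing drop` is, as I read it, strict reverse-path filtering, which means the old explicit prefix allowlist is now only as tight as the routes pointing out `$colo_if` — a broader route via that interface would admit any source, and that dependency deserves a comment next to the rule. Dropped packets are also invisible as written; `iif $colo_if fib saddr . iif oif missing counter drop` would make spoofed traffic observable. The same rule is added for the ip6 table in the third hunk. The enclosing `table ip filter` block continues outside the hunk.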
@@ -139,7 +135,7 @@ table ip filter {
iif $free_if ip saddr $free_net4 ip daddr != $int_net4 accept
iif $pass_if ip saddr $pass_net4 accept
iif $nat64_if ip saddr $nat64_net4 accept
- iif $colo_if ip saddr $colo_net4 ip daddr != $int_net4 accept
+ iif $colo_if ip daddr != $int_net4 accept
oif $colo_if accept
## debugging
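Review bot: The rewritten accept `iif $colo_if ip daddr != $int_net4 accept` no longer states which sources it admits; the source validation now lives in the separate prerouting chain, and a reader of this chain cannot see that. A comment on the line such as `# saddr already validated by the prerouting RPF drop` would keep the intent visible, and the same applies to the ip6 rule in the last hunk. The chain this rule sits in starts outside the hunk, so I could not confirm which chain it is.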
@@ -150,6 +146,14 @@ table ip filter {
}
table ip6 filter {
+ chain prerouting {
+ type filter hook prerouting priority 0;
+
+ # colo reverse path filtering
+ # find route to saddr on iif, get oif, drop if route is missing
+ iif $colo_if fib saddr . iif oif missing drop;
+ }
+
chain input {
type filter hook input priority 0;
@@ -211,7 +215,7 @@ table ip6 filter {
iif $free_if ip6 saddr $free_net6 ip6 daddr != $ext_net6 accept
iif $pass_if ip6 saddr $pass_net6 accept
iif $futu_if ip6 saddr $futu_net6 accept
- iif $colo_if ip6 saddr $colo_net6 ip6 daddr != $ext_net6 accept
+ iif $colo_if ip6 daddr != $ext_net6 accept
oif $colo_if accept
## debugging