@Borromini
Last active May 29, 2022 18:41
--- nft-pre 2022-05-29 20:10:06.712756621 +0200
+++ nft-post 2022-05-29 20:10:06.708756589 +0200
@@ -5,8 +5,10 @@
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
- udp dport 8192 counter packets 0 bytes 0 accept comment "!fw4: Allow-Wireguard-Inbound"
+ udp dport 8192 counter packets 91 bytes 15464 accept comment "!fw4: Allow-Wireguard-Inbound"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "wg0" jump input_wg comment "!fw4: Handle wg IPv4/IPv6 input traffic"
}
chain forward {
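Review bot: The WireGuard accept on the `+ udp dport 8192 counter ... accept` line sits in the base `input` chain ahead of the per-zone jumps, so it admits UDP/8192 arriving on any interface — `br-lan`, and `wg0` itself — not only `pppoe-wan`. If the intent is to accept WireGuard handshakes from the Internet only, the fw4 rule that generates this line should carry `option src 'wan'`, which would make fw4 emit it inside `input_wan` as `iifname "pppoe-wan" udp dport 8192 accept`. Accepting it from the LAN is usually harmless, but an unscoped accept silently widens whenever another interface is added later. The `input` chain's `type`/`policy` line lies above the hunk, so the fallback for traffic that matches none of these rules is not visible here.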
@@ -14,6 +16,8 @@
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "wg0" jump forward_wg comment "!fw4: Handle wg IPv4/IPv6 forward traffic"
jump handle_reject
}
@@ -23,6 +27,8 @@
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "wg0" jump output_wg comment "!fw4: Handle wg IPv4/IPv6 output traffic"
}
chain handle_reject {
@@ -52,11 +58,11 @@
}
chain accept_from_lan {
- iifname "br-lan" counter packets 948 bytes 696395 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ iifname "br-lan" counter packets 698 bytes 473189 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
- oifname "br-lan" counter packets 138 bytes 14004 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ oifname "br-lan" counter packets 103 bytes 16576 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
@@ -85,12 +91,15 @@
}
chain accept_to_wan {
+ oifname "pppoe-wan" counter packets 103 bytes 10698 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
+ iifname "pppoe-wan" counter packets 72 bytes 4479 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
+ oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain input_wg {
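Review bot: `reject_from_wan` answers unsolicited WAN traffic by jumping to `handle_reject` instead of dropping it, and the `+ iifname "pppoe-wan" counter packets 72` line shows that 72 packets were already handled that way; `handle_reject`'s body is outside this view, but in fw4 that chain normally sends ICMP unreachable / TCP RST, which tells Internet scanners the host is up. This is fw4's default for a zone configured with `option input 'REJECT'`; if a silent drop is preferred, set `option input 'DROP'` (and `option forward 'DROP'`) on the wan zone so fw4 emits a `drop_from_wan` chain instead. The `input_wan` chain body is cut off at the start of this hunk, so the order of any per-rule accepts ahead of that reject cannot be checked here.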
@@ -107,30 +116,39 @@
}
chain accept_from_wg {
+ iifname "wg0" counter packets 2 bytes 120 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
}
chain accept_to_wg {
+ oifname "wg0" counter packets 0 bytes 0 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "wg0" jump srcnat_wg comment "!fw4: Handle wg IPv4/IPv6 srcnat traffic"
}
chain dstnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4505 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4506 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2 (reflection)"
}
chain srcnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4505 snat ip to 10.0.0.1 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4506 snat ip to 10.0.0.1 comment "!fw4: Salt 2 (reflection)"
}
chain dstnat_wan {
meta nfproto ipv4 tcp dport 4505 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1"
- meta nfproto ipv4 tcp dport 4506 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
+ meta nfproto ipv4 tcp dport 4506 counter packets 120 bytes 7200 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
}
chain srcnat_wan {
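Review bot: The two `dstnat_wan` rules DNAT TCP/4505 and TCP/4506 from `pppoe-wan` to 10.0.0.5 with no `ip saddr` match, so the Salt master's publish and request ports are reachable from any address on the Internet — and the 4506 counter already reads `packets 120 bytes 7200` on the new side. Whatever authentication Salt performs afterwards, this exposes the master's request server to arbitrary sources; restrict each fw4 redirect with `list src_ip '<minion-ip>'` (one entry per known minion), or, since this same ruleset brings up `wg0`, have the minions reach the master through the WireGuard tunnel and remove the WAN redirects entirely. The matching `forward_wan` accept and the `srcnat_wan` chain both fall outside this hunk, so whether the forwarded flow is limited to 10.0.0.5:4505-4506 cannot be confirmed here.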
@@ -171,5 +189,7 @@
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
+ iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
+ oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}