nftables jul 19 2023
# Discard every table that is currently loaded before defining ours, so this
# file is the complete ruleset and reloading it is idempotent.
flush ruleset
table inet filter { # handle 127
# SYN-proxy profiles. The kernel completes the TCP handshake itself and only
# hands a connection to the listener once the client has finished it; mss,
# wscale, timestamp and sack-perm are the options advertised in the proxied
# SYN-ACK (presumably tuned per service — the listeners are not visible here).
synproxy default-synproxy { # handle 37
mss 1460
wscale 7
timestamp sack-perm
}
synproxy identd-synproxy { # handle 38
mss 1460
wscale 9
timestamp sack-perm
}
synproxy ircd-synproxy { # handle 39
mss 1460
wscale 10
timestamp sack-perm
}
# NOTE(review): ssh-synproxy is not referenced anywhere in this ruleset;
# synproxy_in_ports maps "ssh" to default-synproxy (wscale 7, sack-perm) instead.
# Confirm which profile ssh is meant to use.
synproxy ssh-synproxy { # handle 40
mss 1460
wscale 10
timestamp
}
# Named rate limiters, one per log point, referenced as
# `limit name "<name>" log prefix ...` in the chains below. They cap what a
# flood can write to log group 1 at 32 messages per minute per point; packets
# over the limit are not logged but still hit the `counter drop` that follows
# each log rule.
limit udp_in_log_lim { # handle 41
rate 32/minute
}
limit udp_forward_log_lim { # handle 42
rate 32/minute
}
limit udp_out_log_lim { # handle 43
rate 32/minute
}
limit tcp_in_log_lim { # handle 44
rate 32/minute
}
limit tcp_forward_log_lim { # handle 45
rate 32/minute
}
limit tcp_out_log_lim { # handle 46
rate 32/minute
}
limit tcp_rst_out_log_lim { # handle 47
rate 32/minute
}
limit igmp_in_log_lim { # handle 48
rate 32/minute
}
limit igmp_out_log_lim { # handle 49
rate 32/minute
}
limit icmp_in_log_lim { # handle 50
rate 32/minute
}
limit icmp_out_log_lim { # handle 51
rate 32/minute
}
limit icmp_forward_log_lim { # handle 52
rate 32/minute
}
limit wont_forward_log_lim { # handle 53
rate 32/minute
}
limit dropped_host_log_lim { # handle 54
rate 32/minute
}
limit bogon_log_lim { # handle 55
rate 32/minute
}
# Listening ports that are SYN-proxied: destination port -> synproxy profile.
# filter_prerouting uses the key set to `notrack` the incoming SYN; the rule
# that applies the profile is outside this view. The three ports are the same
# ones tcp_unicast_in4/6 expose to the world.
map synproxy_in_ports { # handle 56
type inet_service : synproxy
flags interval
elements = { "ssh" : "default-synproxy", "auth" : "identd-synproxy", "ircs-u" : "ircd-synproxy" }
}
# Same for forwarded ports; declared empty, so no forwarded service is proxied.
map synproxy_forward_ports { # handle 57
type inet_service : synproxy
flags interval
}
# Output bypass keyed on the owning uid of the socket (meta skuid). The single
# element lets sockets owned by "debian-tor" reach any IPv4 address on any port,
# presumably so the Tor daemon can reach arbitrary relays without per-port
# rules; the rule that consults this map is outside this view. This is a broad
# allowance — keep it to that one uid.
map unrestrict_out_by_user_id4 { # handle 58
typeof ip saddr . ip daddr . meta skuid : verdict
flags interval
elements = { 0.0.0.0/0 . 0.0.0.0/0 . "debian-tor" : accept }
}
# IPv6 counterpart, declared but empty.
map unrestrict_out_by_user_id6 { # handle 59
typeof ip6 saddr . ip6 daddr . meta skuid : verdict
flags interval
}
# Source/destination pairs exempt from the per-port output rules (consuming rule
# outside this view). 192.168/16 -> 127/8 presumably covers locally originated
# packets that nat_output has already DNATed to 127.0.0.1:3128 — confirm.
map unrestrict_out_by_src_dest_network4 { # handle 60
type ipv4_addr . ipv4_addr : verdict
flags interval
elements = { 192.168.0.0/16 . 127.0.0.0/8 : accept }
}
# IGMP allowed on input: membership queries and v2 reports from link-local /
# RFC1918 sources to the 224/4 multicast range. Anything else (other IGMP types,
# other sources, unicast IGMP) falls through to the log + drop in igmp_in.
map igmp_in4 { # handle 61
typeof ip saddr . ip daddr . igmp type : verdict
flags interval
elements = { 169.254.0.0/16 . 224.0.0.0/4 . membership-query : accept,
10.0.0.0/8 . 224.0.0.0/4 . membership-query : accept,
172.16.0.0/12 . 224.0.0.0/4 . membership-query : accept,
192.168.0.0/16 . 224.0.0.0/4 . membership-query : accept,
169.254.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept,
10.0.0.0/8 . 224.0.0.0/4 . membership-report-v2 : accept,
172.16.0.0/12 . 224.0.0.0/4 . membership-report-v2 : accept,
192.168.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept }
}
# IGMP this host may send: only v2 reports (no queries), consistent with the
# host joining groups but not acting as querier.
map igmp_out4 { # handle 62
typeof ip saddr . ip daddr . igmp type : verdict
flags interval
elements = { 169.254.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept,
10.0.0.0/8 . 224.0.0.0/4 . membership-report-v2 : accept,
172.16.0.0/12 . 224.0.0.0/4 . membership-report-v2 : accept,
192.168.0.0/16 . 224.0.0.0/4 . membership-report-v2 : accept }
}
# Broadcast UDP this host may send: NetBIOS datagram service (netbios-dgm, 138)
# only within the same private / link-local range.
map udp_broadcast_out { # handle 63
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}
# Broadcast UDP accepted on input. 240/4 covers the limited broadcast address
# 255.255.255.255: SSDP (1900) from private ranges and DHCP server traffic
# (bootps, 67) from the not-yet-configured 0.0.0.0 source — i.e. this host
# serves DHCP; the `0.0.0.0/8 : continue` entry in drop_bogons4 is what lets
# those requests past the bogon filter. NetBIOS name/datagram service is
# accepted within the same range.
map udp_broadcast_in { # handle 64
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 169.254.0.0/16 . 240.0.0.0/4 . 1900 : accept,
0.0.0.0/8 . 240.0.0.0/4 . "bootps" : accept,
10.0.0.0/8 . 240.0.0.0/4 . 1900 : accept,
192.168.0.0/16 . 240.0.0.0/4 . 1900 : accept,
172.16.0.0/12 . 240.0.0.0/4 . 1900 : accept,
169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-ns" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}
# Multicast UDP. Outbound IPv4: mDNS (5353) to 224/4 from RFC1918 sources only
# (169.254/16 -> 224/4 mDNS is instead listed in udp_unicast_out4).
map udp_multicast_out4 { # handle 65
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept }
}
# Inbound IPv4: mDNS from link-local / RFC1918, SSDP on 1900 and 1902 to 224/4,
# and 1900 to 240/4 (the latter three entries duplicate udp_broadcast_in).
map udp_multicast_in4 { # handle 66
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 169.254.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept,
192.168.0.0/16 . 224.0.0.0/4 . 1900 : accept,
10.0.0.0/8 . 224.0.0.0/4 . 1900 : accept,
172.16.0.0/12 . 224.0.0.0/4 . 1900 : accept,
192.168.0.0/16 . 224.0.0.0/4 . 1902 : accept,
10.0.0.0/8 . 224.0.0.0/4 . 1902 : accept,
172.16.0.0/12 . 224.0.0.0/4 . 1902 : accept,
192.168.0.0/16 . 240.0.0.0/4 . 1900 : accept,
10.0.0.0/8 . 240.0.0.0/4 . 1900 : accept,
172.16.0.0/12 . 240.0.0.0/4 . 1900 : accept }
}
# IPv6: mDNS to ff00::/8 from link-local and ULA sources, both directions.
map udp_multicast_out6 { # handle 67
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { fe80::/10 . ff00::/8 . "mdns" : accept,
fc00::/7 . ff00::/8 . "mdns" : accept }
}
map udp_multicast_in6 { # handle 68
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { fe80::/10 . ff00::/8 . "mdns" : accept,
fc00::/7 . ff00::/8 . "mdns" : accept }
}
# Operator-managed block lists, empty in this snapshot (presumably filled at
# runtime with `nft add element`). drop_hosts4 is consulted by the input chain
# (as source) and the forward chain (as destination). NOTE(review): in the chains
# visible here drop_hosts6 is never consulted, so IPv6 entries have no effect
# until an `ip6 saddr vmap @drop_hosts6` / `ip6 daddr vmap @drop_hosts6` rule
# is added alongside the IPv4 lookups.
map drop_hosts4 { # handle 69
type ipv4_addr : verdict
flags interval
}
map drop_hosts6 { # handle 70
type ipv6_addr : verdict
flags interval
}
# Dynamic meters: `flags dynamic,timeout` means entries are added by rules at
# run time and expire on their own; the rules that add them (`add @set { ... }`)
# are outside this view. The quarantine sets hold up to 1024 addresses and are
# checked in filter_prerouting, which drops every further SYN from a listed
# source. The size-8 ingress/egress sets are presumably per-address rate
# buckets for SYN, RST and ICMP — confirm against tcp_in/tcp_out/icmp_out.
set tcp_syn_quarantine_meter4 {
type ipv4_addr
size 1024
flags dynamic,timeout
}
set tcp_syn_quarantine_meter6 {
type ipv6_addr
size 1024
flags dynamic,timeout
}
set tcp_syn_ingress_meter4 {
type ipv4_addr . inet_service
size 8
flags dynamic,timeout
}
set tcp_syn_ingress_meter6 {
type ipv6_addr . inet_service
size 8
flags dynamic,timeout
}
set tcp_rst_egress_meter4 { # handle 71
type ipv4_addr
size 8
flags dynamic,timeout
}
set tcp_rst_egress_meter6 { # handle 71
type ipv6_addr
size 8
flags dynamic,timeout
}
set icmp_egress_meter4 { # handle 72
type ipv4_addr
size 8
flags dynamic,timeout
}
set icmp_egress_meter6 { # handle 73
type ipv6_addr
size 8
flags dynamic,timeout
}
# IPv4 bogon filter, consulted in filter_prerouting (source), filter_postrouting
# (destination) and masq (destination). With `flags interval` the most specific
# prefix wins, so the explicit `continue` entries (RFC1918, link-local, loopback,
# 0/8 for DHCP, multicast, 240/4 incl. limited broadcast) exempt those ranges,
# while the remainder of the CGNAT block 100.64/10, the documentation and
# benchmark prefixes jump to the bogon chain (outside this view). Only
# 100.64.0.0/17 is kept, which covers the 100.64.x tenant networks used by
# default_forward4 and masquerade_networks4. Addresses not in the map match
# nothing and pass.
# NOTE(review): 127/8 is exempted as a source on every interface; rejecting
# loopback sources that arrive on eth0 is left to the kernel's martian handling
# (rp_filter) — confirm that is enabled.
map drop_bogons4 { # handle 74
type ipv4_addr : verdict
flags interval
elements = { 0.0.0.0/8 : continue, 10.0.0.0/8 : continue,
100.64.0.0/17 : continue, 100.64.128.0/17 : jump bogon,
100.65.0.0/16 : jump bogon, 100.66.0.0/15 : jump bogon,
100.68.0.0/15 : jump bogon, 100.70.0.0/15 : jump bogon,
100.72.0.0/15 : jump bogon, 100.74.0.0/15 : jump bogon,
100.76.0.0/15 : jump bogon, 100.78.0.0/15 : jump bogon,
100.80.0.0/15 : jump bogon, 100.82.0.0/15 : jump bogon,
100.84.0.0/15 : jump bogon, 100.86.0.0/15 : jump bogon,
100.88.0.0/15 : jump bogon, 100.90.0.0/15 : jump bogon,
100.92.0.0/15 : jump bogon, 100.94.0.0/15 : jump bogon,
100.96.0.0/11 : jump bogon, 127.0.0.0/8 : continue,
169.254.0.0/16 : continue, 172.16.0.0/12 : continue,
192.0.0.0/24 : jump bogon, 192.0.2.0/24 : jump bogon,
192.168.0.0/16 : continue, 198.18.0.0/15 : jump bogon,
198.51.100.0/24 : jump bogon, 203.0.113.0/24 : jump bogon,
224.0.0.0/4 : continue, 240.0.0.0/4 : continue }
}
# Destinations that must never be masqueraded towards: masq returns early for
# link-local 169.254/16, leaving the original source address in place.
set invalid_nat_destinations { # handle 75
type ipv4_addr
flags interval
elements = { 169.254.0.0/16 }
}
# IPv6 counterpart of drop_bogons4, consulted by the same prerouting/postrouting
# lookups. ULA (fc00::/7), link-local and multicast `continue`; the
# IPv4-compatible/-mapped blocks, the discard prefix (100::/64), Teredo and
# 6to4 prefixes that embed IPv4 bogons, ORCHID (2001:10::/28), documentation
# (2001:db8::/32) and deprecated site-local (fec0::/10) jump to bogon.
# NOTE(review): ::/96 also contains ::/128 (the unspecified source used by DAD
# neighbour solicitations) and ::1/128 (loopback). Since this map is consulted
# in prerouting on every interface, both reach the bogon chain unless that chain
# returns for them — confirm, or add `::/128 : continue` and `::1/128 : continue`.
map drop_bogons6 { # handle 76
type ipv6_addr : verdict
flags interval
elements = { ::/96 : jump bogon,
::ffff:0.0.0.0/96 : jump bogon,
100::/64 : jump bogon,
2001::/40 : jump bogon,
2001:0:a00::/40 : jump bogon,
2001:0:7f00::/40 : jump bogon,
2001:0:a9fe::/48 : jump bogon,
2001:0:ac10::/44 : jump bogon,
2001:0:c000::/56 : jump bogon,
2001:0:c000:200::/56 : jump bogon,
2001:0:c0a8::/48 : jump bogon,
2001:0:c612::/47 : jump bogon,
2001:0:c633:6400::/56 : jump bogon,
2001:0:cb00:7100::/56 : jump bogon,
2001:0:e000::/36 : jump bogon,
2001:0:f000::/36 : jump bogon,
2001:10::/28 : jump bogon,
2001:db8::/32 : jump bogon,
2002::/24 : jump bogon,
2002:a00::/24 : jump bogon,
2002:7f00::/24 : jump bogon,
2002:a9fe::/32 : jump bogon,
2002:ac10::/28 : jump bogon,
2002:c000::/40 : jump bogon,
2002:c000:200::/40 : jump bogon,
2002:c0a8::/32 : jump bogon,
2002:c612::/31 : jump bogon,
2002:c633:6400::/40 : jump bogon,
2002:cb00:7100::/40 : jump bogon,
2002:e000::/20 : jump bogon,
2002:f000::/20 : jump bogon,
fc00::/7 : continue,
fe80::/10 : continue,
fec0::/10 : jump bogon,
ff00::/8 : continue }
}
# Closed-port handling by address pair (the consuming rule is outside this view).
# Within the same private / link-local / ULA scope the reject is immediate
# (ICMP port-unreachable); the catch-all 0/0 . 0/0 entry is the least specific
# interval and routes every other pair to the `_metered` variant, presumably a
# rate-limited reject so remote scans cannot make this host emit unbounded ICMP.
map reject_or_drop_port4 { # handle 77
type ipv4_addr . ipv4_addr : verdict
flags interval
elements = { 10.0.0.0/8 . 10.0.0.0/8 : jump reject_with_icmp_port_unreachable,
172.16.0.0/12 . 172.16.0.0/12 : jump reject_with_icmp_port_unreachable,
192.168.0.0/16 . 192.168.0.0/16 : jump reject_with_icmp_port_unreachable,
169.254.0.0/16 . 169.254.0.0/16 : jump reject_with_icmp_port_unreachable,
0.0.0.0/0 . 0.0.0.0/0 : jump reject_with_icmp_port_unreachable_metered }
}
map reject_or_drop_port6 { # handle 78
type ipv6_addr . ipv6_addr : verdict
flags interval
elements = { fe80::/10 . fe80::/10 : jump reject_with_icmp_port_unreachable,
fc00::/7 . fc00::/7 : jump reject_with_icmp_port_unreachable,
::/0 . ::/0 : jump reject_with_icmp_port_unreachable_metered }
}
# ICMPv4 accepted on input, from and to anywhere: echo in both directions and
# destination-unreachable (which includes fragmentation-needed, so IPv4 PMTUD
# for this host's own flows works). icmp_in does no `ct state related` check
# before this lookup, so echo-reply is accepted regardless of state, while
# time-exceeded (traceroute replies) and parameter-problem are dropped.
map icmp_types_in4 { # handle 79
typeof ip saddr . ip daddr . icmp type : verdict
flags interval
elements = { 0.0.0.0/0 . 0.0.0.0/0 . echo-request : accept,
0.0.0.0/0 . 0.0.0.0/0 . echo-reply : accept,
0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept }
}
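# ICMPv6 accepted on input. Echo within link-local / ULA scope and between
# global addresses; neighbour discovery (NS/NA) within link-local / ULA and to
# solicited-node multicast; router advertisements only from link-local
# sources (the only legitimate origin). 2a0a:3840::/29 appears to be the host's
# global prefix.
# Added: packet-too-big and destination-unreachable from anywhere. icmp_in has
# no `ct state related` accept before this lookup, so without these entries
# Packet Too Big for this host's own flows was dropped — IPv6 routers never
# fragment, so that is a PMTUD black hole for every path with a smaller MTU.
# This mirrors the destination-unreachable entry icmp_types_in4 already has
# (RFC 4890 also lists time-exceeded and parameter-problem as must-not-filter;
# left to the operator).
map icmp_types_in6 { # handle 80
typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
flags interval
elements = { ::/0 . ::/0 . packet-too-big : accept,
::/0 . ::/0 . destination-unreachable : accept,
fe80::/10 . fe80::/10 . echo-request : accept,
fe80::/10 . ff00::/8 . echo-request : accept,
fc00::/7 . fc00::/7 . echo-request : accept,
fe80::/10 . fe80::/10 . echo-reply : accept,
fe80::/10 . ff00::/8 . echo-reply : accept,
fc00::/7 . fc00::/7 . echo-reply : accept,
2000::/3 . 2000::/3 . echo-request : accept,
2000::/3 . 2000::/3 . echo-reply : accept,
2a0a:3840::/29 . 2a0a:3840::/29 . nd-neighbor-advert : accept,
2a0a:3840::/29 . fe80::/10 . nd-neighbor-advert : accept,
2a0a:3840::/29 . fe80::/10 . nd-neighbor-solicit : accept,
fe80::/10 . 2a0a:3840::/29 . nd-neighbor-solicit : accept,
fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept,
fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept,
fc00::/7 . fc00::/7 . nd-neighbor-solicit : accept,
fe80::/10 . ff00::/8 . nd-neighbor-solicit : accept,
fc00::/7 . fc00::/7 . nd-neighbor-advert : accept,
fe80::/10 . fe80::/10 . nd-neighbor-advert : accept,
fe80::/10 . ff00::/8 . nd-router-advert : accept,
fe80::/10 . fe80::/10 . nd-router-advert : accept }
}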
# TCP services exposed to the world on both families: ssh (22), ircs-u (994)
# and auth/identd (113) — the same three ports SYN-proxied via synproxy_in_ports,
# so the listeners only see connections that completed the handshake.
map tcp_unicast_in4 { # handle 81
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 0.0.0.0/0 . 0.0.0.0/0 . "ssh" : accept,
0.0.0.0/0 . 0.0.0.0/0 . "ircs-u" : accept,
0.0.0.0/0 . 0.0.0.0/0 . "auth" : accept }
}
map tcp_unicast_in6 { # handle 82
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { ::/0 . ::/0 . "ircs-u" : accept,
::/0 . ::/0 . "auth" : accept,
::/0 . ::/0 . "ssh" : accept }
}
# Unicast UDP accepted on input. IPv4: the DHCP client port (bootpc, 68 — unicast
# offers/acks to this host's own client) and NetBIOS name service, each only
# within the same private / link-local range.
map udp_unicast_in4 { # handle 83
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 169.254.0.0/16 . 169.254.0.0/16 . "bootpc" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "bootpc" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "bootpc" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "bootpc" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-ns" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept }
}
# IPv6: DHCPv6 client port (546) from link-local to multicast.
# NOTE(review): DHCPv6 Advertise/Reply are unicast from the server's link-local
# address to the client's link-local address, not to a multicast group, so this
# entry may not match the actual reply path — confirm whether replies are
# accepted elsewhere (e.g. by conntrack state) before relying on it.
map udp_unicast_in6 { # handle 84
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { fe80::/10 . ff00::/8 . "dhcpv6-client" : accept }
}
# First forward-path lookup (ether_forward), keyed saddr . daddr . ct state; the
# most specific interval wins. Verdicts used: `jump wont_forward` for link-local
# on either side; `jump reject_with_icmp_no_route` between different RFC1918
# ranges and for anything from 100.64.0.0/20; `accept` for established traffic
# back into the private and 100.64.x tenant ranges; `continue` for new flows,
# which then fall through to the per-protocol chains and their port maps.
# Only `established` is accepted here — `related` (ICMP errors for forwarded
# flows) must be handled in icmp_forward, which is outside this view.
# NOTE(review): for 10/8, 172.16/12 and 192.168/16 only the reply direction
# (0/0 . private . established) is listed; established packets in the original
# direction fall through to the port maps, unlike 100.64.48/20 and 100.64.80/20,
# which accept both directions. Presumably intentional — confirm.
map default_forward4 { # handle 85
typeof ip saddr . ip daddr . ct state : verdict
flags interval
elements = { 169.254.0.0/16 . 0.0.0.0/0 . new : jump wont_forward,
0.0.0.0/0 . 169.254.0.0/16 . new : jump wont_forward,
10.0.0.0/8 . 172.16.0.0/12 . new : jump reject_with_icmp_no_route,
10.0.0.0/8 . 192.168.0.0/16 . new : jump reject_with_icmp_no_route,
172.16.0.0/12 . 10.0.0.0/8 . new : jump reject_with_icmp_no_route,
172.16.0.0/12 . 192.168.0.0/16 . new : jump reject_with_icmp_no_route,
192.168.0.0/16 . 10.0.0.0/8 . new : jump reject_with_icmp_no_route,
192.168.0.0/16 . 172.16.0.0/12 . new : jump reject_with_icmp_no_route,
10.0.0.0/8 . 10.0.0.0/8 . new : continue,
10.0.0.0/8 . 10.0.0.0/8 . established : accept,
172.16.0.0/12 . 172.16.0.0/12 . new : continue,
172.16.0.0/12 . 172.16.0.0/12 . established : accept,
192.168.0.0/16 . 192.168.0.0/16 . new : continue,
192.168.0.0/16 . 192.168.0.0/16 . established : accept,
10.0.0.0/8 . 0.0.0.0/0 . new : continue,
172.16.0.0/12 . 0.0.0.0/0 . new : continue,
192.168.0.0/16 . 0.0.0.0/0 . new : continue,
0.0.0.0/0 . 10.0.0.0/8 . established : accept,
0.0.0.0/0 . 172.16.0.0/12 . established : accept,
0.0.0.0/0 . 192.168.0.0/16 . established : accept,
100.64.0.0/20 . 0.0.0.0/0 . new : jump reject_with_icmp_no_route,
100.64.16.0/20 . 100.64.32.0/20 . new : continue,
100.64.32.0/20 . 100.64.16.0/20 . established : accept,
100.64.48.0/20 . 100.64.0.0/17 . new : continue,
100.64.80.0/20 . 100.64.0.0/17 . new : continue,
100.64.48.0/20 . 0.0.0.0/0 . new : continue,
100.64.80.0/20 . 0.0.0.0/0 . new : continue,
100.64.48.0/20 . 0.0.0.0/0 . established : accept,
100.64.80.0/20 . 0.0.0.0/0 . established : accept,
0.0.0.0/0 . 100.64.48.0/20 . established : accept,
0.0.0.0/0 . 100.64.80.0/20 . established : accept,
100.64.64.0/20 . 100.64.64.0/20 . new : continue,
100.64.96.0/20 . 100.64.96.0/20 . new : continue,
100.64.64.0/20 . 100.64.64.0/20 . established : accept,
100.64.96.0/20 . 100.64.96.0/20 . established : accept }
}
# IPv6 forward policy: link-local is never forwarded; ULA-to-ULA is allowed
# (new flows fall through to the port maps, established is accepted).
# Global-to-global pairs are not listed here, so they only reach
# tcp_net_forward_by_port6 / udp_net_forward_by_port6 through the protocol
# vmap in ether_forward.
map default_forward6 { # handle 86
typeof ip6 saddr . ip6 daddr . ct state : verdict
flags interval
elements = { fe80::/10 . ::/0 . new : jump wont_forward,
::/0 . fe80::/10 . new : jump wont_forward,
fc00::/7 . fc00::/7 . new : continue,
fc00::/7 . fc00::/7 . established : accept }
}
# ICMPv4 this host may send: destination-unreachable anywhere (needed for the
# reject chains and for PMTUD of forwarded flows); echo-request from RFC1918
# sources and from 80.78.23.0/24 (presumably the host's public prefix) to
# anywhere; echo-reply unlimited within the same private range, otherwise
# through icmp_echo_reply_rate_limit (outside this view).
map icmp_types_out4 { # handle 87
typeof ip saddr . ip daddr . icmp type : verdict
flags interval
elements = { 0.0.0.0/0 . 0.0.0.0/0 . destination-unreachable : accept,
10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept,
172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept,
192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept,
10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept,
172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept,
192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept,
0.0.0.0/0 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit,
80.78.23.0/24 . 0.0.0.0/0 . echo-request : accept }
}
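# ICMPv6 this host may send: destination-unreachable anywhere, echo-request
# from link-local to multicast and from global to anywhere, echo-reply within
# ULA or rate-limited from global, plus neighbour/router discovery within
# link-local / ULA / global scope.
# Added: packet-too-big from anywhere. This host forwards IPv6 (see
# default_forward6 and tcp_net_forward_by_port6); when a forwarded packet is
# larger than the egress MTU the kernel answers with Packet Too Big from this
# host's own address, and without this entry that reply was dropped here —
# breaking PMTUD for every flow routed through this box. icmp_types_out4
# already allows the IPv4 equivalent (destination-unreachable) unconditionally.
map icmp_types_out6 { # handle 88
typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
flags interval
elements = { ::/0 . ::/0 . packet-too-big : accept,
fe80::/10 . ff00::/8 . echo-request : accept,
fc00::/7 . fc00::/7 . echo-reply : accept,
2000::/3 . ::/0 . echo-request : accept,
2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit,
fc00::/7 . fc00::/7 . nd-neighbor-advert : accept,
fe80::/10 . fe80::/10 . nd-neighbor-advert : accept,
fc00::/7 . ff00::/8 . nd-neighbor-solicit : accept,
::/0 . ::/0 . destination-unreachable : accept,
2000::/3 . ff00::/8 . nd-neighbor-solicit : accept,
2000::/3 . fe80::/10 . nd-neighbor-advert : accept,
fe80::/10 . fc00::/7 . nd-neighbor-solicit : accept,
fe80::/10 . fe80::/10 . nd-neighbor-solicit : accept,
fe80::/10 . ff00::/8 . nd-router-solicit : accept,
fe80::/10 . 2000::/3 . nd-neighbor-solicit : accept }
}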
# Outbound TCP from this host. IPv4: ssh, https, DNS-over-TLS (domain-s, 853),
# NTS-KE (ntske, 4460) and 5349 (TURN/STUN over TLS) from RFC1918 sources to
# anywhere; plain DNS only private-to-private; ircs-u from anywhere; and
# 80.78.23.0/24 -> 127/8 port 3128, which is the post-DNAT form of this host's
# own HTTP traffic after nat_output redirects it to the local proxy. Plain
# http (80) is absent, consistent with that redirect catching it first.
map tcp_unicast_out4 { # handle 89
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 80.78.23.0/24 . 127.0.0.0/8 . 3128 : accept,
10.0.0.0/8 . 0.0.0.0/0 . "ssh" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "ssh" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "ssh" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "domain-s" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "domain-s" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "domain-s" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "ntske" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "ntske" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "ntske" : accept,
10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept,
172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept,
192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept,
0.0.0.0/0 . 0.0.0.0/0 . "ircs-u" : accept }
}
# IPv6: the same TLS service set, ULA-to-ULA and global-to-global; ssh and
# plain DNS are not allowed over IPv6.
map tcp_unicast_out6 { # handle 90
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { 2000::/3 . 2000::/3 . "ircs-u" : accept,
fc00::/7 . fc00::/7 . "https" : accept,
fc00::/7 . fc00::/7 . "domain-s" : accept,
fc00::/7 . fc00::/7 . "ntske" : accept,
fc00::/7 . fc00::/7 . 5349 : accept,
2000::/3 . 2000::/3 . "https" : accept,
2000::/3 . 2000::/3 . "domain-s" : accept,
2000::/3 . 2000::/3 . "ntske" : accept,
2000::/3 . 2000::/3 . 5349 : accept }
}
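# Outbound unicast UDP from this host (IPv4). NTP and DNS from the public
# 80.78.23.0/24 prefix to anywhere; DHCP server (bootps), DNS and NTP within
# the same private / link-local range; https (QUIC) and openvpn from RFC1918 to
# anywhere; mDNS to 224/4; NetBIOS name (137) and datagram (138) service
# within the same range.
# Fixed: the 10.0.0.0/8 netbios-ns entry was missing while the other three
# ranges had it, and udp_unicast_in4 / udp_broadcast_in both accept netbios-ns
# for 10/8 — the asymmetry looked like an omission, so the entry is added.
map udp_unicast_out4 { # handle 91
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = {
80.78.23.0/24 . 0.0.0.0/0 . "ntp" : accept,
80.78.23.0/24 . 0.0.0.0/0 . "domain" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "bootps" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "bootps" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "bootps" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "bootps" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "openvpn" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "openvpn" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "openvpn" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "ntp" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "ntp" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "ntp" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "mdns" : accept,
169.254.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
10.0.0.0/8 . 224.0.0.0/4 . "mdns" : accept,
192.168.0.0/16 . 224.0.0.0/4 . "mdns" : accept,
172.16.0.0/12 . 224.0.0.0/4 . "mdns" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "netbios-ns" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-ns" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "netbios-dgm" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-ns" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-ns" : accept,
169.254.0.0/16 . 169.254.0.0/16 . "netbios-dgm" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "netbios-dgm" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "netbios-dgm" : accept }
}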
# Outbound unicast UDP from this host (IPv6): NTP, DNS and https (QUIC) from
# global addresses to anywhere; the DHCPv6 client's Solicit to the
# All_DHCP_Relay_Agents_and_Servers group (dhcpv6-server, 547, within
# ff00::/8); mDNS from link-local / ULA to multicast.
map udp_unicast_out6 { # handle 92
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = {
2000::/3 . ::/0 . "ntp" : accept,
2000::/3 . ::/0 . "domain" : accept,
fe80::/10 . ff00::/8 . "dhcpv6-server" : accept,
2000::/3 . ::/0 . "https" : accept,
fe80::/10 . ff00::/8 . "mdns" : accept,
fc00::/7 . ff00::/8 . "mdns" : accept }
}
# ICMPv4 forwarded through this host: echo-request from RFC1918 to anywhere,
# echo-reply and destination-unreachable within the same private range,
# echo-reply to anywhere else via icmp_echo_reply_rate_limit. For the two
# 100.64.x tenant ranges, pings to the rest of 100.64.0.0/17 are rejected with
# admin-prohibited (the /17 is more specific than 0/0, so it wins) while pings
# elsewhere pass — tenant isolation.
# NOTE(review): destination-unreachable from outside the private ranges (e.g.
# fragmentation-needed from an upstream router towards a 10/8 client) is not
# listed, and default_forward4 accepts only `established`, not `related`; unless
# icmp_forward accepts `ct state related` before this lookup, IPv4 PMTUD for
# forwarded flows is broken. time-exceeded (traceroute) is not forwarded either.
map icmp_types_forward4 { # handle 93
typeof ip saddr . ip daddr . icmp type : verdict
flags interval
elements = { 10.0.0.0/8 . 0.0.0.0/0 . echo-request : accept,
172.16.0.0/12 . 0.0.0.0/0 . echo-request : accept,
192.168.0.0/16 . 0.0.0.0/0 . echo-request : accept,
10.0.0.0/8 . 10.0.0.0/8 . echo-reply : accept,
172.16.0.0/12 . 172.16.0.0/12 . echo-reply : accept,
192.168.0.0/16 . 192.168.0.0/16 . echo-reply : accept,
10.0.0.0/8 . 10.0.0.0/8 . destination-unreachable : accept,
172.16.0.0/12 . 172.16.0.0/12 . destination-unreachable : accept,
192.168.0.0/16 . 192.168.0.0/16 . destination-unreachable : accept,
0.0.0.0/0 . 0.0.0.0/0 . echo-reply : jump icmp_echo_reply_rate_limit,
100.64.80.0/20 . 100.64.0.0/17 . echo-request : jump reject_with_icmp_admin_prohibited,
100.64.80.0/20 . 0.0.0.0/0 . echo-request : accept,
100.64.48.0/20 . 100.64.0.0/17 . echo-request : jump reject_with_icmp_admin_prohibited,
100.64.48.0/20 . 0.0.0.0/0 . echo-request : accept }
}
# ICMPv6 forwarded through this host: only echo. NOTE(review): neither
# packet-too-big nor destination-unreachable is forwarded, so unless
# icmp_forward accepts `ct state related` before this lookup, PMTUD for
# forwarded IPv6 flows fails — IPv6 routers do not fragment, so oversized
# packets are silently lost. Consider `::/0 . ::/0 . packet-too-big : accept`.
map icmp_types_forward6 { # handle 94
typeof ip6 saddr . ip6 daddr . icmpv6 type : verdict
flags interval
elements = { fe80::/10 . ff00::/8 . echo-request : accept,
fc00::/7 . fc00::/7 . echo-reply : accept,
2000::/3 . ::/0 . echo-reply : jump icmp_echo_reply_rate_limit }
}
# Address pairs forwarded without any port restriction: the two tenant ranges
# 100.64.80/20 and 100.64.48/20, in both directions. The consuming rule is
# outside this view. NOTE(review): if this map is checked before the port maps
# in tcp_forward, the admin-prohibited entries for the same /20s in
# tcp_net_forward_by_port4 never fire — confirm the ordering.
map forward_all4 { # handle 95
type ipv4_addr . ipv4_addr : verdict
flags interval
elements = { 100.64.80.0/20 . 0.0.0.0/0 : accept,
0.0.0.0/0 . 100.64.80.0/20 : accept,
100.64.48.0/20 . 0.0.0.0/0 : accept,
0.0.0.0/0 . 100.64.48.0/20 : accept }
}
# IPv6 counterpart, declared but empty.
map forward_all6 { # handle 96
type ipv6_addr . ipv6_addr : verdict
flags interval
}
# Forwarded TCP by port. From RFC1918 sources: DNS and http only within the
# same range; ssh, https, DNS-over-TLS, NTS-KE and 5349 to anywhere. For the
# 100.64.x tenant ranges, http/https into the rest of 100.64.0.0/17 is rejected
# with admin-prohibited (more specific than the 0/0 accept, so it wins), to
# anywhere else accepted.
map tcp_net_forward_by_port4 { # handle 97
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
10.0.0.0/8 . 10.0.0.0/8 . "http" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "http" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "http" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "ssh" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "ssh" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "ssh" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "https" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "domain-s" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "domain-s" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "domain-s" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "ntske" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "ntske" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "ntske" : accept,
10.0.0.0/8 . 0.0.0.0/0 . 5349 : accept,
172.16.0.0/12 . 0.0.0.0/0 . 5349 : accept,
192.168.0.0/16 . 0.0.0.0/0 . 5349 : accept,
100.64.80.0/20 . 100.64.0.0/17 . "http" : jump reject_with_icmp_admin_prohibited,
100.64.80.0/20 . 0.0.0.0/0 . "http" : accept,
100.64.80.0/20 . 100.64.0.0/17 . "https" : jump reject_with_icmp_admin_prohibited,
100.64.80.0/20 . 0.0.0.0/0 . "https" : accept,
100.64.48.0/20 . 100.64.0.0/17 . "https" : jump reject_with_icmp_admin_prohibited,
100.64.48.0/20 . 0.0.0.0/0 . "https" : accept }
}
# IPv6: http only ULA-to-ULA; the TLS services ULA-to-ULA and global-to-global.
map tcp_net_forward_by_port6 { # handle 98
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { fc00::/7 . fc00::/7 . "http" : accept,
fc00::/7 . fc00::/7 . "https" : accept,
fc00::/7 . fc00::/7 . "domain-s" : accept,
fc00::/7 . fc00::/7 . "ntske" : accept,
fc00::/7 . fc00::/7 . 5349 : accept,
2000::/3 . 2000::/3 . "https" : accept,
2000::/3 . 2000::/3 . "domain-s" : accept,
2000::/3 . 2000::/3 . "ntske" : accept,
2000::/3 . 2000::/3 . 5349 : accept }
}
# Forwarded UDP by port: DNS within the same RFC1918 range, https (QUIC) from
# RFC1918 to anywhere; IPv6 only https from global addresses.
map udp_net_forward_by_port4 { # handle 99
type ipv4_addr . ipv4_addr . inet_service : verdict
flags interval
elements = { 10.0.0.0/8 . 10.0.0.0/8 . "domain" : accept,
172.16.0.0/12 . 172.16.0.0/12 . "domain" : accept,
192.168.0.0/16 . 192.168.0.0/16 . "domain" : accept,
10.0.0.0/8 . 0.0.0.0/0 . "https" : accept,
172.16.0.0/12 . 0.0.0.0/0 . "https" : accept,
192.168.0.0/16 . 0.0.0.0/0 . "https" : accept }
}
map udp_net_forward_by_port6 { # handle 100
type ipv6_addr . ipv6_addr . inet_service : verdict
flags interval
elements = { 2000::/3 . ::/0 . "https" : accept }
}
# Inbound port forwards used by the nat prerouting chain: destination port ->
# internal address, port unchanged. Both are empty in this snapshot.
map tcp_ports_nat_in_redirect4 { # handle 101
type inet_service : ipv4_addr
}
# Outbound redirect used by nat_output: every TCP connection from this host to
# port 80, whatever the destination, is sent to the local proxy 127.0.0.1:3128.
map tcp_ports_nat_out_redirect4 { # handle 102
type ipv4_addr . inet_service : ipv4_addr . inet_service
flags interval
elements = { 0.0.0.0/0 . "http" : 127.0.0.1 . 3128 }
}
map udp_ports_nat_in_redirect4 { # handle 103
type inet_service : ipv4_addr
}
# Which (egress interface, source range) pairs get source-NATed: the two
# tenant ranges when leaving via eth0, handled by the masq chain. Keyed by
# interface index, so the name is resolved when the ruleset is loaded — eth0
# must exist at load time.
map masquerade_networks4 { # handle 104
type iface_index . ipv4_addr : verdict
flags interval
elements = { "eth0" . 100.64.80.0/20 : jump masq,
"eth0" . 100.64.48.0/20 : jump masq }
}
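# Base input chain, default drop.
chain input { # handle 1
type filter hook input priority filter; policy drop;
# Loopback is trusted unconditionally.
meta iiftype vmap { loopback : accept } # handle 115
# Operator block lists, consulted before any protocol handling. The IPv6 map
# was declared but never looked up here, so entries added to drop_hosts6 had
# no effect; the lookup now mirrors the IPv4 one.
ip saddr vmap @drop_hosts4 # handle 116
ip6 saddr vmap @drop_hosts6
# Ethernet interfaces get the per-protocol treatment in ether_in; any other
# interface type (tunnels, ppp, ...) falls through to the log + drop below.
meta iiftype vmap { ether : jump ether_in } # handle 117
log prefix "input" group 1 # handle 118
counter # handle 119
}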
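# Base forward chain, default drop.
chain forward { # handle 2
type filter hook forward priority filter; policy drop;
# Operator block lists: forwarded traffic *towards* a listed host is dropped
# (input checks the source side). The IPv6 map was declared but never looked
# up here, so entries added to drop_hosts6 had no effect; the lookup now
# mirrors the IPv4 one. NOTE(review): traffic originating from a listed host is
# not matched on this path — add `ip saddr vmap @drop_hosts4` if that is wanted.
ip daddr vmap @drop_hosts4 # handle 120
ip6 daddr vmap @drop_hosts6
# Only ethernet egress is forwarded; anything else is logged and dropped.
meta oiftype vmap { ether : jump ether_forward } # handle 121
log prefix "forward" group 1 # handle 122
counter # handle 123
}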
# Base output chain, default drop: loopback trusted, ethernet egress goes
# through the per-protocol chains in ether_out, other interface types are
# logged and dropped. NOTE(review): unlike input/forward, drop_hosts4/6 are not
# consulted here, so this host itself can still initiate traffic to listed
# hosts.
chain output { # handle 3
type filter hook output priority filter; policy drop;
meta oiftype vmap { loopback : accept } # handle 124
meta oiftype vmap { ether : jump ether_out } # handle 125
log prefix "output" group 1 # handle 126
counter # handle 127
}
# Runs at raw priority, i.e. before conntrack sees the packet, on every
# interface including loopback.
chain filter_prerouting { # handle 4
type filter hook prerouting priority raw; policy accept;
# Bogon source filtering (see the maps for what continues vs jumps to bogon).
ip saddr vmap @drop_bogons4 # handle 128
ip6 saddr vmap @drop_bogons6 # handle 129
# Quarantined sources (the sets are populated elsewhere) get every further SYN
# dropped before conntrack allocates state for it.
ip saddr @tcp_syn_quarantine_meter4 tcp flags syn drop
ip6 saddr @tcp_syn_quarantine_meter6 tcp flags syn drop
# SYNs to the proxied ports bypass conntrack; the synproxy rule in the input
# path (outside this view) presumably completes the handshake and creates the
# conntrack entry itself.
tcp dport @synproxy_in_ports tcp flags syn notrack # handle 130
}
# Transparent proxying of this host's own outbound TCP: daddr . dport is looked
# up in tcp_ports_nat_out_redirect4, whose single entry sends every port-80
# connection to the local proxy at 127.0.0.1:3128 (the rewritten packet is what
# the 80.78.23.0/24 -> 127/8 . 3128 entry in tcp_unicast_out4 accepts).
# NOTE(review): this also matches port-80 connections made by the proxy process
# itself unless they are excluded (e.g. by `meta skuid`), which would loop them
# back into the proxy — confirm how the proxy reaches upstream.
chain nat_output { # handle 5
type nat hook output priority -100; policy accept;
ip protocol tcp dnat ip to ip daddr . tcp dport map @tcp_ports_nat_out_redirect4 # handle 131
}
# Inbound port forwards: destination port -> internal address, port kept.
# Both maps are empty in this snapshot, so nothing is forwarded until elements
# are added.
chain prerouting { # handle 6
type nat hook prerouting priority dstnat; policy accept;
ip protocol tcp dnat ip to tcp dport map @tcp_ports_nat_in_redirect4 # handle 132
ip protocol udp dnat ip to udp dport map @udp_ports_nat_in_redirect4 # handle 133
}
# Destination-side bogon check for everything leaving this host, locally
# generated or forwarded (same maps as filter_prerouting, applied to daddr).
chain filter_postrouting { # handle 7
type filter hook postrouting priority raw; policy accept;
ip daddr vmap @drop_bogons4 # handle 134
ip6 daddr vmap @drop_bogons6 # handle 135
}
# Source NAT: the (egress interface, source range) pair selects the masq chain
# for the eth0 tenant ranges listed in masquerade_networks4.
chain nat_postrouting { # handle 8
type nat hook postrouting priority srcnat; policy accept;
oif . ip saddr vmap @masquerade_networks4 # handle 136
}
# Reached from nat_postrouting for the masquerade_networks4 entries.
# Bogon destinations get the drop_bogons verdict; destinations listed in
# @invalid_nat_destinations (presumably local/peer ranges that must keep their
# real source) return un-NATed; everything else is counted and masqueraded.
chain masq { # handle 9
ip daddr vmap @drop_bogons4 # handle 137
ip daddr @invalid_nat_destinations return # handle 138
counter masquerade # handle 139
}
# Ethernet ingress dispatcher: per-protocol chains for ICMP/IGMP/TCP/UDP (v4)
# and TCP/UDP/ICMPv6 (v6). Any other transport (e.g. ESP/AH, GRE, SCTP) has no
# entry and is logged and dropped here, as is anything a per-protocol chain
# returned from without a verdict.
chain ether_in { # handle 10
ip protocol vmap { icmp : jump icmp_in, igmp : jump igmp_in, tcp : jump tcp_in, udp : jump udp_in } # handle 140
ip6 nexthdr vmap { tcp : jump tcp_in, udp : jump udp_in, ipv6-icmp : jump icmp_in } # handle 141
log prefix "ether_in" group 1 # handle 142
counter drop # handle 143
}
# Ethernet egress dispatcher, mirror of ether_in: transports without an entry
# in the vmaps (anything other than ICMP/IGMP/TCP/UDP and ICMPv6) are logged
# and dropped.
chain ether_out { # handle 11
ip protocol vmap { icmp : jump icmp_out, igmp : jump igmp_out, tcp : jump tcp_out, udp : jump udp_out } # handle 144
ip6 nexthdr vmap { tcp : jump tcp_out, udp : jump udp_out, ipv6-icmp : jump icmp_out } # handle 145
log prefix "ether_out" group 1 # handle 146
counter drop # handle 147
}
# Forwarded ethernet traffic. First a (src, dst, ct state) lookup in the
# default_forward maps can give an early verdict for whole network pairs; what
# is left is dispatched per transport (no IGMP entry — forwarded IGMP is
# logged and dropped). Note that unlike ether_in there is no IPv6 dispatch
# here: forwarded IPv6 TCP/UDP/ICMPv6 only passes if default_forward6 gives a
# verdict — confirm that is intended.
chain ether_forward { # handle 12
ip saddr . ip daddr . ct state vmap @default_forward4 # handle 148
ip6 saddr . ip6 daddr . ct state vmap @default_forward6 # handle 149
ip protocol vmap { icmp : jump icmp_forward, tcp : jump tcp_forward, udp : jump udp_forward } # handle 150
log prefix "ether_forward" group 1 # handle 151
counter drop # handle 152
}
# Inbound IGMP: only multicast-addressed packets are consulted against
# @igmp_in4 (src, dst, igmp type); unicast/broadcast IGMP and unmatched
# types are rate-limited-logged and dropped.
chain igmp_in { # handle 13
meta pkttype multicast ip saddr . ip daddr . igmp type vmap @igmp_in4 # handle 153
limit name "igmp_in_log_lim" log prefix "igmp_in" group 1 # handle 154
counter drop # handle 155
}
# Outbound IGMP: verdict from @igmp_out4 keyed on (src, dst, igmp type); no
# pkttype restriction, unlike igmp_in. Unmatched packets are logged (limited)
# and dropped.
chain igmp_out { # handle 14
ip saddr . ip daddr . igmp type vmap @igmp_out4 # handle 156
limit name "igmp_out_log_lim" log prefix "igmp_out" group 1 # handle 157
counter drop # handle 158
}
# Inbound ICMP / ICMPv6 policy: verdict by (src, dst, type) from the
# icmp_types_in maps (presumably where echo-request is routed to
# icmp_echo_reply_rate_limit). Unlisted types are logged (limited) and dropped.
chain icmp_in { # handle 15
ip saddr . ip daddr . icmp type vmap @icmp_types_in4 # handle 159
ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_in6 # handle 160
limit name "icmp_in_log_lim" log prefix "icmp_in" group 1 # handle 161
counter drop # handle 162
}
# Outbound ICMP / ICMPv6 policy, same shape as icmp_in with the _out maps.
chain icmp_out { # handle 16
ip saddr . ip daddr . icmp type vmap @icmp_types_out4 # handle 163
ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_out6 # handle 164
limit name "icmp_out_log_lim" log prefix "icmp_out" group 1 # handle 165
counter drop # handle 166
}
# Forwarded ICMP / ICMPv6 policy from the icmp_types_forward maps; unlisted
# (src, dst, type) tuples are logged (limited) and dropped.
chain icmp_forward { # handle 17
ip saddr . ip daddr . icmp type vmap @icmp_types_forward4 # handle 167
ip6 saddr . ip6 daddr . icmpv6 type vmap @icmp_types_forward6 # handle 168
limit name "icmp_forward_log_lim" log prefix "icmp_forward" group 1 # handle 169
counter drop # handle 170
}
# Per-source token bucket for echo traffic: each source gets an entry in the
# icmp_egress_meter set (4s idle timeout) allowing 3 packets/second; packets
# within budget are accepted, the rest are logged (limited) and dropped.
# The same meter sets are shared with every reject_*_metered chain below, so
# an address's ICMP budget is spent by all of them together.
# NOTE(review): keyed on "saddr", unlike the reject chains which key on
# "daddr" — consistent only if this chain is reached from the *input* side
# (echo-request from a remote source); confirm against icmp_types_in4/6.
chain icmp_echo_reply_rate_limit { # handle 18
add @icmp_egress_meter4 { ip saddr timeout 4s limit rate 3/second } accept # handle 171
add @icmp_egress_meter6 { ip6 saddr timeout 4s limit rate 3/second } accept # handle 172
limit name "icmp_out_log_lim" log prefix "icmp_echo_reply_rate_limit" group 1 # handle 173
counter drop # handle 174
}
# Rejects with ICMP/ICMPv6 port-unreachable, at most 3/second per destination
# address (shared icmp_egress_meter sets, 4s timeout). Beyond the budget the
# packet is silently dropped after a rate-limited log, so a flood cannot turn
# this host into an ICMP error generator.
chain reject_with_icmp_port_unreachable_metered { # handle 19
add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmp port-unreachable # handle 175
add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpv6 port-unreachable # handle 176
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_port_unreachable_metered" group 1 # handle 177
counter drop # handle 178
}
# Unmetered variant: always logs (limited) then rejects with the default
# reason, which for TCP/UDP is port-unreachable. Every packet reaching this
# chain generates an error reply — prefer the _metered chain for ports exposed
# to untrusted sources.
chain reject_with_icmp_port_unreachable { # handle 20
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_port_unreachable" group 1 # handle 179
counter reject # handle 180
}
# host-unreachable reject, metered per destination (3/s, 4s timeout, shared
# icmp_egress_meter sets); over budget -> limited log + silent drop.
chain reject_with_icmp_host_unreachable_metered { # handle 21
add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx host-unreachable # handle 181
add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx host-unreachable # handle 182
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_host_unreachable_metered" group 1 # handle 183
counter drop # handle 184
}
# Unmetered host-unreachable reject (icmpx picks ICMP or ICMPv6 per family).
chain reject_with_icmp_host_unreachable { # handle 22
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_host_unreachable" group 1 # handle 185
counter reject with icmpx host-unreachable # handle 186
}
# no-route reject, metered per destination (3/s, 4s timeout, shared
# icmp_egress_meter sets); over budget -> limited log + silent drop.
chain reject_with_icmp_no_route_metered { # handle 23
add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx no-route # handle 187
add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx no-route # handle 188
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_no_route_metered" group 1 # handle 189
counter drop # handle 190
}
# Unmetered no-route reject.
chain reject_with_icmp_no_route { # handle 24
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_no_route" group 1 # handle 191
counter reject with icmpx no-route # handle 192
}
# admin-prohibited reject, metered per destination (3/s, 4s timeout, shared
# icmp_egress_meter sets); over budget -> limited log + silent drop.
chain reject_with_icmp_admin_prohibited_metered { # handle 25
add @icmp_egress_meter4 { ip daddr timeout 4s limit rate 3/second } counter reject with icmpx admin-prohibited # handle 193
add @icmp_egress_meter6 { ip6 daddr timeout 4s limit rate 3/second } counter reject with icmpx admin-prohibited # handle 194
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_admin_prohibited_metered" group 1 # handle 195
counter drop # handle 196
}
# Unmetered admin-prohibited reject.
chain reject_with_icmp_admin_prohibited { # handle 26
limit name "icmp_out_log_lim" log prefix "reject_with_icmp_admin_prohibited" group 1 # handle 197
counter reject with icmpx admin-prohibited # handle 198
}
# Outbound RST budget: 3/minute per destination (tcp_rst_egress_meter sets,
# 32s idle timeout). Within budget the RST *returns* to tcp_out and continues
# through the normal policy rules there; over budget it is logged (limited)
# and dropped, which keeps the host from being used as a RST reflector.
chain tcp_rst_metered { # handle 27
add @tcp_rst_egress_meter4 { ip daddr timeout 32s limit rate 3/minute } counter return # handle 199
add @tcp_rst_egress_meter6 { ip6 daddr timeout 32s limit rate 3/minute } counter return # handle 199
limit name "tcp_rst_out_log_lim" log prefix "tcp_rst_metered" group 1 # handle 200
counter drop # handle 201
}
# Inbound SYN throttle, reached from tcp_in for "tcp flags syn ct state new".
# The budget is 8 SYNs/minute per (local address, port), 8s idle timeout;
# within budget the SYN returns to tcp_in for normal policy. Over budget the
# *source* address is added to the quarantine set for 64s (filter_prerouting
# then drops all its SYNs before conntrack) and the SYN is dropped.
# NOTE(review): the budget is keyed on daddr.dport but the penalty is applied
# to saddr, so once any one client exhausts a service's 8/minute every later
# connecting client is quarantined for 64s — a single noisy or hostile source
# can lock everyone else out of that port. Keying the ingress meter on
# "ip saddr . tcp dport" (per client) would tie budget and penalty to the same
# party; confirm which behaviour is wanted before changing it.
# The two "# handle 199" markers are stale copies (handles are unique);
# this chain appears to have been hand-edited after "nft list ruleset".
chain tcp_in_syn_rate_limit {
add @tcp_syn_ingress_meter4 { ip daddr . tcp dport timeout 8s limit rate 8/minute } counter return # handle 199
add @tcp_syn_ingress_meter6 { ip6 daddr . tcp dport timeout 8s limit rate 8/minute } counter return # handle 199
add @tcp_syn_quarantine_meter4 { ip saddr timeout 64s }
add @tcp_syn_quarantine_meter6 { ip6 saddr timeout 64s }
counter drop
}
# Host-bound TCP. Rule order matters:
#  1. established flows are accepted without further lookups;
#  2. new SYNs go through tcp_in_syn_rate_limit (returns if within budget).
#     SYNs to synproxy'd ports were notrack'd in filter_prerouting, so they
#     arrive "untracked", not "new", and skip this throttle;
#  3. untracked/invalid segments to a port in @synproxy_in_ports are handled
#     by the matching synproxy object (SYN cookies on behalf of the service);
#  4. remaining invalid-state segments are logged (limited) and dropped;
#  5. unicast policy by (src, dst, dport) from the tcp_unicast_in maps;
#  6. anything else is logged, then reject_or_drop_port decides per
#     (src, dst) whether to reject or drop; the final counter drop catches
#     what that map does not cover.
chain tcp_in { # handle 28
meta pkttype host ct state established accept # handle 202
meta pkttype host tcp flags syn ct state new jump tcp_in_syn_rate_limit
meta pkttype host ct state invalid,untracked synproxy name tcp dport map @synproxy_in_ports # handle 203
ct state invalid limit name "tcp_in_log_lim" log prefix "tcp_in_invalid" group 1 # handle 204
ct state invalid counter drop # handle 205
meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_unicast_in4 # handle 206
meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_unicast_in6 # handle 207
limit name "tcp_in_log_lim" log prefix "tcp_in" group 1 # handle 208
ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 209
ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 210
counter drop # handle 211
}
# Locally generated TCP.
#  - RSTs pass through tcp_rst_metered first (returns when within budget).
#  - Invalid-state segments *from* a synproxy'd port are accepted: presumably
#    the synproxy's own SYN-ACK/cookie replies, which have no conntrack entry.
#  - established flows are accepted; new connections need a match in the
#    tcp_unicast_out maps (src, dst, dport), the per-user allow maps keyed on
#    socket uid, or the src/dst network allow map (IPv4 only).
#  - everything else is logged (limited) and dropped.
chain tcp_out { # handle 29
meta pkttype host tcp flags rst jump tcp_rst_metered # handle 212
meta pkttype host ct state invalid tcp sport @synproxy_in_ports accept # handle 213
meta pkttype host ct state established accept # handle 214
meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_unicast_out4 # handle 215
meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_unicast_out6 # handle 216
meta pkttype host ip saddr . ip daddr . meta skuid vmap @unrestrict_out_by_user_id4 # handle 217
meta pkttype host ip6 saddr . ip6 daddr . meta skuid vmap @unrestrict_out_by_user_id6 # handle 218
meta pkttype host ip saddr . ip daddr vmap @unrestrict_out_by_src_dest_network4 # handle 219
limit name "tcp_out_log_lim" log prefix "tcp_out" group 1 # handle 220
counter drop # handle 221
}
# Forwarded TCP: established accepted; untracked/invalid segments to a port in
# @synproxy_forward_ports are answered by the mapped synproxy (the map has no
# elements in this ruleset, so the rule is currently inert); then whole-pair
# allow (forward_all maps) and per-port allow (tcp_net_forward_by_port maps).
# Unmatched -> limited log + drop. No SYN rate limit is applied on this path.
chain tcp_forward { # handle 30
meta pkttype host ct state established accept # handle 222
meta pkttype host ct state invalid,untracked synproxy name tcp dport map @synproxy_forward_ports # handle 223
meta pkttype host ip saddr . ip daddr vmap @forward_all4 # handle 224
meta pkttype host ip6 saddr . ip6 daddr vmap @forward_all6 # handle 225
meta pkttype host ip saddr . ip daddr . tcp dport vmap @tcp_net_forward_by_port4 # handle 226
meta pkttype host ip6 saddr . ip6 daddr . tcp dport vmap @tcp_net_forward_by_port6 # handle 227
limit name "tcp_forward_log_lim" log prefix "tcp_forward" group 1 # handle 228
counter drop # handle 229
}
# Host-bound UDP: replies to established flows accepted; then (src, dst, dport)
# policy by packet type — broadcast (IPv4 only), unicast, multicast. Unmatched
# packets are logged per type (shared limit), then reject_or_drop_port decides
# per (src, dst) and the final counter drop catches the rest.
chain udp_in { # handle 31
ct state established accept # handle 230
meta pkttype broadcast ip saddr . ip daddr . udp dport vmap @udp_broadcast_in # handle 231
meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_unicast_in4 # handle 232
meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_unicast_in6 # handle 233
meta pkttype multicast ip saddr . ip daddr . udp dport vmap @udp_multicast_in4 # handle 234
meta pkttype multicast ip6 saddr . ip6 daddr . udp dport vmap @udp_multicast_in6 # handle 235
meta pkttype host limit name "udp_in_log_lim" log prefix "udp_unicast_in" group 1 # handle 236
meta pkttype broadcast limit name "udp_in_log_lim" log prefix "udp_broadcast_in" group 1 # handle 237
meta pkttype multicast limit name "udp_in_log_lim" log prefix "udp_multicast_in" group 1 # handle 238
ip saddr . ip daddr vmap @reject_or_drop_port4 # handle 239
ip6 saddr . ip6 daddr vmap @reject_or_drop_port6 # handle 240
counter drop # handle 241
}
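# Locally generated UDP (jumped from ether_out): established flows accepted,
# then (src, dst, dport) policy by packet type — broadcast (IPv4 only),
# multicast, unicast — plus the src/dst network allow map. Anything left is
# logged per packet type under the shared udp_out_log_lim limit and dropped.
chain udp_out { # handle 32
ct state established accept # handle 242
meta pkttype broadcast ip saddr . ip daddr . udp dport vmap @udp_broadcast_out # handle 243
meta pkttype multicast ip saddr . ip daddr . udp dport vmap @udp_multicast_out4 # handle 244
meta pkttype multicast ip6 saddr . ip6 daddr . udp dport vmap @udp_multicast_out6 # handle 245
meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_unicast_out4 # handle 246
meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_unicast_out6 # handle 247
meta pkttype host ip saddr . ip daddr vmap @unrestrict_out_by_src_dest_network4 # handle 248
meta pkttype host limit name "udp_out_log_lim" log prefix "udp_unicast_out" group 1 # handle 249
# Fix: the broadcast and multicast log rules previously also carried
# "meta pkttype host", so a packet had to be broadcast *and* host at once and
# the rules could never fire — dropped broadcast/multicast UDP went unlogged.
# A single pkttype match, as in udp_in, restores the logging.
meta pkttype broadcast limit name "udp_out_log_lim" log prefix "udp_broadcast_out" group 1 # handle 250
meta pkttype multicast limit name "udp_out_log_lim" log prefix "udp_multicast_out" group 1 # handle 251
counter drop # handle 252
}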
# Forwarded UDP (unicast only — broadcast/multicast have no rule here and fall
# to the drop): established accepted, then whole-pair allow (forward_all maps)
# and per-port allow (udp_net_forward_by_port maps). Unmatched -> limited log
# + drop.
chain udp_forward { # handle 33
meta pkttype host ct state established accept # handle 253
meta pkttype host ip saddr . ip daddr vmap @forward_all4 # handle 254
meta pkttype host ip6 saddr . ip6 daddr vmap @forward_all6 # handle 255
meta pkttype host ip saddr . ip daddr . udp dport vmap @udp_net_forward_by_port4 # handle 256
meta pkttype host ip6 saddr . ip6 daddr . udp dport vmap @udp_net_forward_by_port6 # handle 257
limit name "udp_forward_log_lim" log prefix "udp_forward" group 1 # handle 258
counter drop # handle 259
}
# Terminal chain (presumably the verdict target of the drop_bogons maps):
# rate-limited log with prefix "bogon", then drop.
chain bogon { # handle 34
limit name "bogon_log_lim" log prefix "bogon" group 1 # handle 260
counter drop # handle 261
}
# Terminal chain for forwarding refusals (presumably a verdict in the
# default_forward / forward_all maps): limited log, then drop.
chain wont_forward { # handle 35
limit name "wont_forward_log_lim" log prefix "wont_forward" group 1 # handle 262
counter drop # handle 263
}
# Terminal chain for blocklisted hosts (presumably the verdict in
# @drop_hosts4). Note the log prefix is "blocked", not the chain name —
# searches of the nflog stream should use that string.
chain dropped_host { # handle 36
limit name "dropped_host_log_lim" log prefix "blocked" group 1 # handle 264
counter drop # handle 265
}
}
# Squid snippet accompanying the ruleset (the 3128 intercept port is the
# target of the nftables prerouting DNAT, presumably via
# @tcp_ports_nat_in_redirect4).
# logfile_rotate 0: squid keeps no rotated log generations itself.
logfile_rotate 0
# Any plain-HTTP request matches "redir" and is answered with a 301 to the
# same host and path over HTTPS (%H = request host, %R = request path) instead
# of being proxied — i.e. intercepted HTTP is upgraded, never forwarded.
acl redir proto HTTP
deny_info 301:https://%H%R redir
http_access deny redir
# Transparent (intercept) listener; requires the DNAT in the nftables
# prerouting chain to deliver traffic here.
http_port 3128 intercept
# Kernel settings the synproxy objects above depend on:
# - tcp_loose=0: conntrack must not pick up mid-stream TCP, otherwise
#   synproxy'd connections would not be validated by the proxy handshake.
# - tcp_syncookies=1: synproxy generates its SYN-ACKs from SYN cookies.
# - tcp_timestamps=1: the synproxy objects are declared with "timestamp";
#   the option must be enabled for the cookie/timestamp encoding to work.
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1