#!/usr/bin/nft -f
# vim: ft=nftables

# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.com>
# SPDX-FileCopyrightText: 2023 1cho1ce <https://github.com/1cho1ce>
# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: GPL-3.0-or-later

## TODO: source this ruleset

## Stop leaks
chain ip  qubes forward '{ policy drop; }'
chain ip  qubes input   '{ policy drop; }'
chain ip  qubes output  '{ policy drop; }'
chain ip6 qubes forward '{ policy drop; }'
chain ip6 qubes input   '{ policy drop; }'
chain ip6 qubes output  '{ policy drop; }'
insert rule ip  qubes custom-forward oifgroup 1 drop
insert rule ip  qubes custom-forward iifgroup 1 drop
insert rule ip6 qubes custom-forward oifgroup 1 drop
insert rule ip6 qubes custom-forward iifgroup 1 drop

## Accept forward traffic between dowstream vif+ (group 2) and VPN (group9)
insert rule ip  qubes custom-forward iifgroup 2 oifgroup 9 accept
insert rule ip  qubes custom-forward iifgroup 9 oifgroup 2 accept
insert rule ip6 qubes custom-forward iifgroup 2 oifgroup 9 accept
insert rule ip6 qubes custom-forward iifgroup 9 oifgroup 2 accept

## Drop ICMP
insert rule ip  qubes custom-input      meta l4proto icmp drop
insert rule ip  qubes output oifgroup 1 meta l4proto icmp drop
insert rule ip6 qubes custom-input      meta l4proto icmp drop
insert rule ip6 qubes output oifgroup 1 meta l4proto icmp drop

## Allow traffic from the `qvpn` group to the uplink interface (eth0);
## Our VPN client will run with group `qvpn`.
insert rule ip  qubes output oifname "lo"            accept
insert rule ip  qubes output oifgroup 1 skgid qvpn   accept
insert rule ip6 qubes output oifname "lo"            accept
insert rule ip6 qubes output oifgroup 1 skgid "qvpn" accept