Strykar · June 22, 2021 12:12
diff --git a/myruleset.nft b/myruleset.nft
 # ASN 18207 YouBroadBand
 #	103.247.210.0/24
 #	103.39.4.0/23
 #	103.48.96.0/22
 #	103.5.70.0/24
 #	123.201.0.0/16
 #	150.107.208.0/22
 #	175.100.128.0/19
 #	196.1.104.0/24
 #	203.109.64.0/18
 #	203.187.192.0/18
 #	203.88.128.0/19
 #	219.0.0.0/8
 #	2001:df1:bb80::/48
 # ASN 45609 Airtel 5G IPv6, using upstream prefix 2401:4900::/32 because asn tool is choking
 #	2405:6800::/32
 #	2401:4900::/32

 #14:08 <@duclicsic> "table inet_filter" implies "table ip inet_filter"
 #14:09 <@duclicsic> you would need to specify it as "table inet inet_filter"
 #14:09 <@duclicsic> if you don't specify an address family "ip" is the default
 #14:10 <@duclicsic> and IPv6 matching makes no sense in the "ip" family
 #14:21 <@duclicsic> Strykar: https://paste.debian.net/plain/1183174
 #14:21 <@duclicsic> that ruleset loads for me
 #14:23 <@duclicsic> note the removal of the underscore in "inet_filter" to make it a table called "filter" in the inet address family, instead of a table called "inet_filter" in the ip address family

 table inet filter {
        set myset4 {
                        type ipv4_addr . ipv4_addr
                        flags interval
                        elements = { 103.247.210.0/24 . 172.105.60.167,
                                     103.39.4.0/23 . 172.105.60.167,
                                     103.48.96.0/22 . 172.105.60.167,
                                     103.5.70.0/24 . 172.105.60.167,
                                     123.201.0.0/16 . 172.105.60.167,
                                     150.107.208.0/22 . 172.105.60.167,
                                     175.100.128.0/19 . 172.105.60.167,
                                     196.1.104.0/24 . 172.105.60.167,
                                     203.109.64.0/18 . 172.105.60.167,
                                     203.187.192.0/18 . 172.105.60.167,
                                     203.88.128.0/19 . 172.105.60.167,
                                     219.0.0.0/8 . 172.105.60.167 }
        }

        set myset6 {
                        type ipv6_addr . ipv6_addr
                        flags interval
                        elements = { 2001:df1:bb80::/48 . 2400:8904::f03c:92ff:fe9b:75de,
                                     2405:6800::/32 . 2400:8904::f03c:92ff:fe9b:75de,
                                     2401:4900::/32 . 2400:8904::f03c:92ff:fe9b:75de,
                                     2001:df1:bb80::/48 . 2400:8904:e001:b:0:6c61:6972:3234,
                                     2405:6800::/32 . 2400:8904:e001:b:0:6c61:6972:3234,
                                     2401:4900::/32 . 2400:8904:e001:b:0:6c61:6972:3234 }
        }

        chain INPUT {
                        ip saddr . ip daddr @myset4 tcp dport 853 accept
                        ip6 saddr . ip6 daddr @myset6 tcp dport 853 accept
        }

 	chain INPUT {
                        ip saddr . ip daddr @myset4 tcp dport 31338 accept
                        ip6 saddr . ip6 daddr @myset6 tcp dport 31338 accept
        }
 }
	# ASN 18207 YouBroadBand
	# 103.247.210.0/24
	# 103.39.4.0/23
	# 103.48.96.0/22
	# 103.5.70.0/24
	# 123.201.0.0/16
	# 150.107.208.0/22
	# 175.100.128.0/19
	# 196.1.104.0/24
	# 203.109.64.0/18
	# 203.187.192.0/18
	# 203.88.128.0/19
	# 219.0.0.0/8
	# 2001:df1:bb80::/48
	# ASN 45609 Airtel 5G IPv6, using upstream prefix 2401:4900::/32 because asn tool is choking
	# 2405:6800::/32
	# 2401:4900::/32

	#14:08 <@duclicsic> "table inet_filter" implies "table ip inet_filter"
	#14:09 <@duclicsic> you would need to specify it as "table inet inet_filter"
	#14:09 <@duclicsic> if you don't specify an address family "ip" is the default
	#14:10 <@duclicsic> and IPv6 matching makes no sense in the "ip" family
	#14:21 <@duclicsic> Strykar: https://paste.debian.net/plain/1183174
	#14:21 <@duclicsic> that ruleset loads for me
	#14:23 <@duclicsic> note the removal of the underscore in "inet_filter" to make it a table called "filter" in the inet address family, instead of a table called "inet_filter" in the ip address family

	table inet filter {
	set myset4 {
	type ipv4_addr . ipv4_addr
	flags interval
	elements = { 103.247.210.0/24 . 172.105.60.167,
	103.39.4.0/23 . 172.105.60.167,
	103.48.96.0/22 . 172.105.60.167,
	103.5.70.0/24 . 172.105.60.167,
	123.201.0.0/16 . 172.105.60.167,
	150.107.208.0/22 . 172.105.60.167,
	175.100.128.0/19 . 172.105.60.167,
	196.1.104.0/24 . 172.105.60.167,
	203.109.64.0/18 . 172.105.60.167,
	203.187.192.0/18 . 172.105.60.167,
	203.88.128.0/19 . 172.105.60.167,
	219.0.0.0/8 . 172.105.60.167 }
	}

	set myset6 {
	type ipv6_addr . ipv6_addr
	flags interval
	elements = { 2001:df1:bb80::/48 . 2400:8904::f03c:92ff:fe9b:75de,
	2405:6800::/32 . 2400:8904::f03c:92ff:fe9b:75de,
	2401:4900::/32 . 2400:8904::f03c:92ff:fe9b:75de,
	2001:df1:bb80::/48 . 2400:8904:e001:b:0:6c61:6972:3234,
	2405:6800::/32 . 2400:8904:e001:b:0:6c61:6972:3234,
	2401:4900::/32 . 2400:8904:e001:b:0:6c61:6972:3234 }
	}

	chain INPUT {
	ip saddr . ip daddr @myset4 tcp dport 853 accept
	ip6 saddr . ip6 daddr @myset6 tcp dport 853 accept
	}

	chain INPUT {
	ip saddr . ip daddr @myset4 tcp dport 31338 accept
	ip6 saddr . ip6 daddr @myset6 tcp dport 31338 accept
	}
	}