router: small routing tables tweak

TODO: find a way to filter by SNI so I don't have to keep this ugly hack
chayleaf 2023-09-13 16:44:50 +07:00
parent 32ea4fdd8d
commit 12c27384df
2 changed files with 7 additions and 6 deletions


@ -38,7 +38,7 @@ in {
# See also https://meta.akkoma.dev/t/390 # See also https://meta.akkoma.dev/t/390
# https://<pleroma>/oauth/keycloak?scope=openid+profile # https://<pleroma>/oauth/keycloak?scope=openid+profile
# ...but this doesnt even work, the callback simply gets ignored # ...but this doesnt even work, the callback fails with %OAuth2.Error{reason: :invalid_request}
# oh well # oh well
services.akkoma.config = { services.akkoma.config = {
":ueberauth" = let ":ueberauth" = let


@ -545,11 +545,12 @@ in {
[(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)] [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
[(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)] [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
[(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)] [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
# force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection # ...force vpn to/from force_vpn4/force_vpn6
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)] # (temporarily disable this because it breaks codeforces.org)
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)] # [(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)] # [(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)] # [(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
# [(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain # block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
# only do this for br0 since traffic from other interfaces isn't forwarded to wan # only do this for br0 since traffic from other interfaces isn't forwarded to wan
[(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop] [(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
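Review bot: Commenting out all four force_vpn rules silently turns the `@force_vpn4`/`@force_vpn6` sets into no-ops, so any host or destination listed there now egresses via `wan_table` (or whatever earlier rules chose) with nothing in the ruleset showing the bypass. If the codeforces.org breakage is tied to the destination-side rules only, consider keeping the two `ip.saddr`/`ip6.saddr` rules so hosts that are meant to be tunneled still are — that is an inference from the new comment, which does not say which rule breaks the site. Either way a visible trace of the bypass would help, for example an `(is.eq ip.saddr "@force_vpn4") (log "force_vpn-bypass ")` rule in the same style as the smtp `log` below, and the comment should state what "temporarily" is waiting on, e.g. `# disabled until SNI-based routing exists (see commit TODO); hosts in force_vpn4/6 currently are NOT tunneled`. The set definitions and the surrounding rule list begin and end outside this hunk, so the disabled intent should also be noted where the sets are populated.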