game-stream: gate Moonlight before node routing

services/game-stream/wolf-gatekeeper-configmap.yaml

@@ -45,42 +45,47 @@ data:
       return ["{", *[f"{port}," for port in ports[:-1]], ports[-1], "}"]
 
 
-    def _ensure_rules():
+    def _install_chain(name, hook, priority):
-      _nft(["add", "table", "inet", "wolf_gatekeeper"], check=False)
-      _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False)
-      _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False)
       _nft(
         [
           "add",
           "chain",
           "inet",
           "wolf_gatekeeper",
-          "input",
+          name,
           "{",
           "type",
           "filter",
           "hook",
-          "input",
+          hook,
           "priority",
-          "-90;",
+          priority,
           "policy",
           "accept;",
           "}",
         ],
         check=False,
       )
-      _nft(["flush", "chain", "inet", "wolf_gatekeeper", "input"], check=False)
+      _nft(["flush", "chain", "inet", "wolf_gatekeeper", name], check=False)
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "iifname", "lo", "accept"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "iifname", "lo", "accept"])
       for cidr in PRIVATE_V4:
-        _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", cidr, "accept"])
+        _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", cidr, "accept"])
       for cidr in PRIVATE_V6:
-        _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", cidr, "accept"])
+        _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", cidr, "accept"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "tcp", "dport", *_port_set(TCP_PORTS), "drop"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "tcp", "dport", *_port_set(TCP_PORTS), "drop"])
-      _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "udp", "dport", *_port_set(UDP_PORTS), "drop"])
+      _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "udp", "dport", *_port_set(UDP_PORTS), "drop"])
+
+
+    def _ensure_rules():
+      _nft(["add", "table", "inet", "wolf_gatekeeper"], check=False)
+      _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False)
+      _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False)
+      _install_chain("prerouting", "prerouting", "-300;")
+      _install_chain("input", "input", "-90;")
 
 
     def _validate_ip(value):