Beispiel #1
        // This works, but we use the base implementation to avoid invoking a shell

         * public override long Ping(IpAddress host, int timeoutSec)
         * {
         *      if ((host == null) || (host.Valid == false))
         *              return -1;
         *      // <2.17.3, require root
         *      //return NativeMethods.PingIP(host.ToString(), timeoutSec * 1000);
         *      {
         *              float iMS = -1;
         *              string pingPath = LocateExecutable("ping");
         *              if (pingPath != "")
         *              {
         *                      SystemShell s = new SystemShell();
         *                      s.Path = pingPath;
         *                      s.Arguments.Add("-c 1");
         *                      s.Arguments.Add("-w " + timeoutSec.ToString());
         *                      s.Arguments.Add("-q");
         *                      s.Arguments.Add("-n");
         *                      s.Arguments.Add(host.Address);
         *                      s.NoDebugLog = true;
         *                      if (s.Run())
         *                      {
         *                              string result = s.Output;
         *                              string sMS = UtilsString.ExtractBetween(result.ToLowerInvariant(), "min/avg/max/mdev = ", "/");
         *                              if (float.TryParse(sMS, System.Globalization.NumberStyles.Float, System.Globalization.CultureInfo.InvariantCulture, out iMS) == false)
         *                                      iMS = -1;
         *                      }
         *              }
         *              return (long)iMS;
         *      }
         * }

        /// <summary>
        /// Asks the elevated helper to add the route described by <paramref name="jRoute"/>.
        /// Keys read here: "address", "gateway", and optionally "interface" and "metric".
        /// </summary>
        /// <param name="jRoute">JSON route description; "address" and "gateway" are converted to IpAddress via the implicit string conversion.</param>
        /// <returns>No return statement is visible in this listing; presumably false on invalid input or failure — confirm against the full source.</returns>
        public override bool RouteAdd(Json jRoute)
            // NOTE(review): braces, the "try" line and the return statements appear to have been stripped from this listing;
            // the control flow below can only be inferred from indentation.
            IpAddress ip = jRoute["address"].Value as string;

            // Invalid address: presumably an early "return false" follows here (not visible).
            if (ip.Valid == false)
            IpAddress gateway = jRoute["gateway"].Value as string;

            // Invalid gateway: presumably an early "return false" follows here (not visible).
            if (gateway.Valid == false)

                // The request goes to the privileged helper as named parameters, not as a shell command line.
                // "interface" and "metric" are forwarded from jRoute without validation here, so the helper is assumed
                // to validate them before use — TODO confirm.
                Core.Elevated.Command c = new Core.Elevated.Command();
                c.Parameters["command"] = "route";
                if (ip.IsV4)
                    c.Parameters["layer"] = "ipv4";
                else if (ip.IsV6)
                    c.Parameters["layer"] = "ipv6";
                c.Parameters["action"]  = "add";
                c.Parameters["cidr"]    = ip.ToCIDR();
                // NOTE(review): RouteRemove passes gateway.Address here instead of gateway.ToCIDR() — confirm the helper accepts both forms.
                c.Parameters["gateway"] = gateway.ToCIDR();
                if (jRoute.HasKey("interface"))
                    c.Parameters["interface"] = jRoute["interface"].Value as string;
                    // presumably the "else" branch — the "else" line is not visible in this listing
                    c.Parameters["interface"] = "";
                if (jRoute.HasKey("metric"))
                    c.Parameters["metric"] = jRoute["metric"].Value as string;
                    // presumably the "else" branch — the "else" line is not visible in this listing
                    c.Parameters["metric"] = "";
            // NOTE(review): no DoCommandSync call is visible in this listing, unlike RouteRemove — confirm the command is actually dispatched in the full source.
            catch (Exception e)
                // Failure is logged with the localized "RouteAddFailed" text rather than propagated to the caller.
                Engine.Instance.Logs.LogWarning(LanguageManager.GetText("RouteAddFailed", ip.ToCIDR(), gateway.ToCIDR(), e.Message));

Beispiel #2
        /// <summary>
        /// Asks the elevated helper to delete the route described by <paramref name="jRoute"/>.
        /// Keys read here: "address" and "gateway".
        /// </summary>
        /// <param name="jRoute">JSON route description; "address" and "gateway" are converted to IpAddress via the implicit string conversion.</param>
        /// <returns>No return statement is visible in this listing; presumably false on invalid input or failure — confirm against the full source.</returns>
        public override bool RouteRemove(Json jRoute)
            // NOTE(review): braces and the return statements appear to have been stripped from this listing.
            IpAddress ip = jRoute["address"].Value as string;

            // Invalid address: presumably an early "return false" follows here (not visible).
            if (ip.Valid == false)
            IpAddress gateway = jRoute["gateway"].Value as string;

            // Invalid gateway: presumably an early "return false" follows here (not visible).
            if (gateway.Valid == false)

            // Named parameters for the privileged helper; no shell string is built here.
            Core.Elevated.Command c = new Core.Elevated.Command();
            c.Parameters["command"] = "route";
            if (ip.IsV4)
                c.Parameters["layer"] = "ipv4";
            else if (ip.IsV6)
                c.Parameters["layer"] = "ipv6";
            c.Parameters["action"]  = "delete";
            c.Parameters["cidr"]    = ip.ToCIDR();
            // NOTE(review): RouteAdd passes gateway.ToCIDR() here; this one passes the bare address — confirm the helper accepts both forms.
            c.Parameters["gateway"] = gateway.Address;

            string result = Engine.Instance.Elevated.DoCommandSync(c);

            // NOTE(review): this logs a failure when the helper's result is EMPTY, whereas Activation treats a non-empty
            // result as the error ("result != \"\"" -> throw). The condition looks inverted — confirm against the full source;
            // if it is, delete failures are currently silent and successes are logged as failures.
            if (result == "")
                Engine.Instance.Logs.LogWarning(LanguageManager.GetText("RouteDelFailed", ip.ToCIDR(), gateway.ToCIDR(), result));

Beispiel #3
        /// <summary>
        /// Asks the elevated helper to restore IPv6 ("ipv6-restore") on every interface recorded in m_listIpV6Mode
        /// and logs each restored interface at Verbose level.
        /// </summary>
        /// <returns>No return statement is visible in this listing — confirm against the full source.</returns>
        public override bool OnIPv6Restore()
            // m_listIpV6Mode is a field of the enclosing class (not visible here); presumably filled when IPv6 was disabled — TODO confirm.
            foreach (IpV6ModeEntry entry in m_listIpV6Mode)
                Core.Elevated.Command c = new Core.Elevated.Command();
                c.Parameters["command"]   = "ipv6-restore";
                c.Parameters["interface"] = entry.Interface;

                // NOTE(review): no DoCommandSync call is visible in this listing between building the command and logging success — confirm it is dispatched in the full source.
                Engine.Instance.Logs.Log(LogType.Verbose, LanguageManager.GetText("OsLinuxNetworkAdapterIPv6Restored", entry.Interface));




Beispiel #4
        /// <summary>
        /// Builds the iptables/ip6tables rule sets for the network lock and hands them to the elevated helper
        /// ("netlock-iptables-activate"). Default chain policies come from the "netlock.incoming" / "netlock.outgoing"
        /// settings; the incoming/outgoing whitelists are stored in m_ipsWhiteListIncoming / m_ipsWhiteListOutgoing
        /// only after the helper reports success.
        /// </summary>
        /// <exception cref="Exception">Thrown when the helper returns a non-empty result, or on any other failure (every exception is re-wrapped by the catch at the end).</exception>
        public override void Activation()

            m_supportIPv4 = true; // IPv4 assumed, if not available, will throw a fatal exception.
            m_supportIPv6 = Conversions.ToBool(Engine.Instance.Manifest["network_info"]["support_ipv6"].Value);

            if (m_supportIPv6 == false)
                Engine.Instance.Logs.Log(LogType.Verbose, LanguageManager.GetText("NetworkLockLinuxIPv6NotAvailable"));

                // NOTE(review): a "try" block presumably opens here (its catch is at the bottom); braces and the "try" line are not visible in this listing.
                IpAddresses ipsWhiteListIncoming = GetIpsWhiteListIncoming();
                IpAddresses ipsWhiteListOutgoing = GetIpsWhiteListOutgoing(true);

                // Build rules
                var rulesIPv4 = new System.Text.StringBuilder();
                var rulesIPv6 = new System.Text.StringBuilder();

                    // Policies are DROP unless the user explicitly allows a direction; FORWARD is always DROP.
                    string defaultPolicyInput   = "DROP";
                    string defaultPolicyForward = "DROP";
                    string defaultPolicyOutput  = "DROP";
                    if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
                        defaultPolicyInput = "ACCEPT";
                    if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
                        defaultPolicyOutput = "ACCEPT";

                    // IPv4
                    if (m_supportIPv4)
                        // NOTE(review): the chain declarations below appear in three groups (with PREROUTING/POSTROUTING in the
                        // first two), which matches the nat / mangle / filter tables the nftables variant declares explicitly.
                        // The iptables-restore table headers and COMMIT lines that would separate them are not visible in this
                        // listing (see the bare "// Commit" comments) — treat the text as incomplete.
                        rulesIPv4.AppendLine(":PREROUTING ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":INPUT ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":FORWARD ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":OUTPUT ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":POSTROUTING ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":PREROUTING ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":INPUT ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":OUTPUT ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":POSTROUTING ACCEPT [0:0]");
                        rulesIPv4.AppendLine(":INPUT " + defaultPolicyInput + " [0:0]");
                        rulesIPv4.AppendLine(":FORWARD " + defaultPolicyForward + " [0:0]");
                        rulesIPv4.AppendLine(":OUTPUT " + defaultPolicyOutput + " [0:0]");

                        // Local
                        rulesIPv4.AppendLine("-A INPUT -i lo -j ACCEPT");

                        // NOTE(review): "-s" takes an address argument; the DHCP source network appears to have been stripped from this listing.
                        if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
                            rulesIPv4.AppendLine("-A INPUT -s -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                            // Private networks
                            // NOTE(review): the "-s"/"-d" network arguments appear to have been stripped from this listing; do not copy these rules as-is.
                            rulesIPv4.AppendLine("-A INPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A INPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A INPUT -s -d -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                            // icmp-type: echo-request
                            rulesIPv4.AppendLine("-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT");

                        // Allow established sessions to receive traffic
                        rulesIPv4.AppendLine("-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");

                        // Allow TUN
                        rulesIPv4.AppendLine("-A INPUT -i tun+ -j ACCEPT");

                        // Whitelist incoming
                        foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                            if (ip.IsV4)
                                //body.AppendLine("-A INPUT -s " + ip.ToCIDR() + " -m state --state NEW,ESTABLISHED -j ACCEPT");
                                rulesIPv4.AppendLine("-A INPUT -s " + ip.ToCIDR() + " -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv4.AppendLine("-A INPUT -j " + defaultPolicyInput);

                        // Allow TUN
                        rulesIPv4.AppendLine("-A FORWARD -i tun+ -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv4.AppendLine("-A FORWARD -j " + defaultPolicyForward);

                        // Local
                        rulesIPv4.AppendLine("-A OUTPUT -o lo -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
                            // Make sure you can communicate with any DHCP server
                            // NOTE(review): the "-d" address argument appears to have been stripped from this listing.
                            rulesIPv4.AppendLine("-A OUTPUT -d -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                            // Private networks
                            // NOTE(review): the "-s"/"-d" network arguments of all rules in this branch appear to have been stripped from this listing.
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");

                            // Multicast
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");

                            // Simple Service Discovery Protocol address
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");

                            // Service Location Protocol version 2 address
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");
                            rulesIPv4.AppendLine("-A OUTPUT -s -d -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                            // icmp-type: echo-reply
                            rulesIPv4.AppendLine("-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT");

                        // Allow TUN
                        rulesIPv4.AppendLine("-A OUTPUT -o tun+ -j ACCEPT");

                        // If incoming=allow, allow packet response to out
                        // We avoid a general rule, because in block/block mode it would keep already existing keepalives alive
                        if (defaultPolicyInput == "ACCEPT")
                            rulesIPv4.AppendLine("-A OUTPUT -m state --state ESTABLISHED -j ACCEPT");

                        // Whitelist incoming (replies to already-established sessions with whitelisted peers)
                        foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                            if (ip.IsV4)
                                rulesIPv4.AppendLine("-A OUTPUT -d " + ip.ToCIDR() + " -m state --state ESTABLISHED -j ACCEPT");

                        // Whitelist outgoing
                        foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
                            if (ip.IsV4)
                                rulesIPv4.AppendLine("-A OUTPUT -d " + ip.ToCIDR() + " -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv4.AppendLine("-A OUTPUT -j " + defaultPolicyOutput);

                        // Commit
                        // NOTE(review): the COMMIT line itself is not visible in this listing.

                    // IPv6
                    if (m_supportIPv6)
                        // NOTE(review): same remark as for IPv4 — table headers and COMMIT lines are not visible in this listing.
                        rulesIPv6.AppendLine(":PREROUTING ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":INPUT ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":FORWARD ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":OUTPUT ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":POSTROUTING ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":PREROUTING ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":INPUT ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":OUTPUT ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":POSTROUTING ACCEPT [0:0]");
                        rulesIPv6.AppendLine(":INPUT " + defaultPolicyInput + " [0:0]");
                        rulesIPv6.AppendLine(":FORWARD " + defaultPolicyForward + " [0:0]");
                        rulesIPv6.AppendLine(":OUTPUT " + defaultPolicyOutput + " [0:0]");

                        // Local
                        rulesIPv6.AppendLine("-A INPUT -i lo -j ACCEPT");

                        // Reject traffic to localhost that does not originate from lo0.
                        rulesIPv6.AppendLine("-A INPUT -s ::1/128 ! -i lo -j REJECT --reject-with icmp6-port-unreachable");

                        // Disable processing of any RH0 packet which could allow a ping-pong of packets
                        rulesIPv6.AppendLine("-A INPUT -m rt --rt-type 0 -j DROP");

                        // icmpv6-type:router-advertisement - Rules which are required for your IPv6 address to be properly allocated
                        rulesIPv6.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT");

                        // icmpv6-type:neighbor-solicitation - Rules which are required for your IPv6 address to be properly allocated
                        rulesIPv6.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT");

                        // icmpv6-type:neighbor-advertisement - Rules which are required for your IPv6 address to be properly allocated
                        rulesIPv6.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT");

                        // icmpv6-type:redirect - Rules which are required for your IPv6 address to be properly allocated
                        rulesIPv6.AppendLine("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -m hl --hl-eq 255 -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                            // Allow Link-Local addresses
                            rulesIPv6.AppendLine("-A INPUT -s fe80::/10 -j ACCEPT");

                            // Allow multicast
                            rulesIPv6.AppendLine("-A INPUT -d ff00::/8 -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                            // Broader than the IPv4 rule: every ICMPv6 type is accepted, not only echo-request.
                            rulesIPv6.AppendLine("-A INPUT -p ipv6-icmp -j ACCEPT");

                        // Allow established sessions to receive traffic
                        rulesIPv6.AppendLine("-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT");

                        // Allow TUN
                        rulesIPv6.AppendLine("-A INPUT -i tun+ -j ACCEPT");

                        // Whitelist incoming
                        foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                            if (ip.IsV6)
                                rulesIPv6.AppendLine("-A INPUT -s " + ip.ToCIDR() + " -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv6.AppendLine("-A INPUT -j " + defaultPolicyInput);

                        // Disable processing of any RH0 packet which could allow a ping-pong of packets
                        rulesIPv6.AppendLine("-A FORWARD -m rt --rt-type 0 -j DROP");

                        // Allow TUN
                        rulesIPv6.AppendLine("-A FORWARD -i tun+ -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv6.AppendLine("-A FORWARD -j " + defaultPolicyForward);

                        // Local
                        rulesIPv6.AppendLine("-A OUTPUT -o lo -j ACCEPT");

                        // Disable processing of any RH0 packet which could allow a ping-pong of packets
                        rulesIPv6.AppendLine("-A OUTPUT -m rt --rt-type 0 -j DROP");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                            // Allow Link-Local addresses
                            rulesIPv6.AppendLine("-A OUTPUT -s fe80::/10 -j ACCEPT");

                            // Allow multicast
                            rulesIPv6.AppendLine("-A OUTPUT -d ff00::/8 -j ACCEPT");

                        if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                            rulesIPv6.AppendLine("-A OUTPUT -p ipv6-icmp -j ACCEPT");

                        // Allow TUN
                        rulesIPv6.AppendLine("-A OUTPUT -o tun+ -j ACCEPT");

                        // If incoming=allow, allow packet response to out
                        // We avoid a general rule, because in block/block mode it would keep already existing keepalives alive
                        if (defaultPolicyInput == "ACCEPT")
                            rulesIPv6.AppendLine("-A OUTPUT -m state --state ESTABLISHED -j ACCEPT");

                        // Whitelist incoming (replies to already-established sessions with whitelisted peers)
                        foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                            if (ip.IsV6)
                                // NOTE(review): "-o" expects an output interface name, but a CIDR is passed here; the IPv4
                                // counterpart uses "-d". As written this rule would most likely be rejected by ip6tables-restore,
                                // failing the whole IPv6 rule load — confirm against the full source.
                                rulesIPv6.AppendLine("-A OUTPUT -o " + ip.ToCIDR() + " -m state --state ESTABLISHED -j ACCEPT");

                        // Whitelist outgoing
                        foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
                            if (ip.IsV6)
                                rulesIPv6.AppendLine("-A OUTPUT -d " + ip.ToCIDR() + " -j ACCEPT");

                        // Redundant, equal to default policy
                        rulesIPv6.AppendLine("-A OUTPUT -j " + defaultPolicyOutput);

                        // Commit
                        // NOTE(review): the COMMIT line itself is not visible in this listing.

                // Hand the complete rule sets to the privileged helper; it is responsible for applying them atomically.
                Core.Elevated.Command c = new Core.Elevated.Command();
                c.Parameters["command"] = "netlock-iptables-activate";
                if (m_supportIPv4)
                    c.Parameters["rules-ipv4"] = rulesIPv4.ToString();
                if (m_supportIPv6)
                    c.Parameters["rules-ipv6"] = rulesIPv6.ToString();
                string result = Engine.Instance.Elevated.DoCommandSync(c);
                // Any non-empty result from the helper is treated as failure.
                if (result != "")
                    throw new Exception("Unexpected result: " + result);

                // Snapshot the whitelists only after a successful activation, so later updates can diff against what is really in effect.
                m_ipsWhiteListIncoming = ipsWhiteListIncoming;
                m_ipsWhiteListOutgoing = ipsWhiteListOutgoing;

            catch (Exception ex)
                // NOTE(review): re-wrapping as a plain Exception discards the original exception type and stack trace; "throw;" would preserve both.
                throw new Exception(ex.Message);
Beispiel #5
        /// <summary>
        /// Builds the nftables rule set for the network lock (nat, mangle and filter tables for ip and ip6) and hands it
        /// to the elevated helper ("netlock-nftables-activate"). Default chain policies come from the
        /// "netlock.incoming" / "netlock.outgoing" settings; the incoming/outgoing whitelists are stored in
        /// m_ipsWhiteListIncoming / m_ipsWhiteListOutgoing only after the helper reports success.
        /// </summary>
        /// <exception cref="Exception">Thrown when the helper returns a non-empty result, or on any other failure (every exception is re-wrapped by the catch at the end).</exception>
        public override void Activation()

            m_supportIPv4 = true; // IPv4 assumed, if not available, will throw a fatal exception.
            m_supportIPv6 = Conversions.ToBool(Engine.Instance.Manifest["network_info"]["support_ipv6"].Value);

            if (m_supportIPv6 == false)
                Engine.Instance.Logs.Log(LogType.Verbose, LanguageManager.GetText("NetworkLockLinuxIPv6NotAvailable"));

                // NOTE(review): a "try" block presumably opens here (its catch is at the bottom); braces and the "try" line are not visible in this listing.
                IpAddresses ipsWhiteListIncoming = GetIpsWhiteListIncoming();
                IpAddresses ipsWhiteListOutgoing = GetIpsWhiteListOutgoing(true);

                // nft policy keywords are lowercase here (the iptables variant uses uppercase); FORWARD is always drop.
                string defaultPolicyInput   = "drop";
                string defaultPolicyForward = "drop";
                string defaultPolicyOutput  = "drop";
                if (Engine.Instance.Storage.Get("netlock.incoming") == "allow")
                    defaultPolicyInput = "accept";
                if (Engine.Instance.Storage.Get("netlock.outgoing") == "allow")
                    defaultPolicyOutput = "accept";

                // Build rules
                // AddRule is a helper of the enclosing class (not visible here); presumably the second argument selects
                // whether the line is emitted for ipv4/ipv6/both based on m_supportIPv4/m_supportIPv6 — TODO confirm.
                var rules = new System.Text.StringBuilder();

                // Replaces the whole existing ruleset, not only the lock's own tables.
                AddRule(rules, "", "flush ruleset");
                AddRule(rules, "ipv4", "add table ip nat");
                AddRule(rules, "ipv6", "add table ip6 nat");
                AddRule(rules, "ipv4", "add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 nat PREROUTING { type nat hook prerouting priority -100; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip nat INPUT { type nat hook input priority 100; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 nat INPUT { type nat hook input priority 100; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 nat OUTPUT { type nat hook output priority -100; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }");

                AddRule(rules, "ipv4", "add table ip mangle");
                AddRule(rules, "ipv6", "add table ip6 mangle");
                AddRule(rules, "ipv4", "add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip mangle INPUT { type filter hook input priority -150; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 mangle INPUT { type filter hook input priority -150; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 mangle FORWARD { type filter hook forward priority -150; policy accept; }");
                // NOTE(review): "priority - 150" has a space before the number, unlike every other priority in this set — check that nft accepts it.
                AddRule(rules, "ipv4", "add chain ip mangle OUTPUT { type route hook output priority - 150; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 mangle OUTPUT { type route hook output priority -150; policy accept; }");
                AddRule(rules, "ipv4", "add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }");
                AddRule(rules, "ipv6", "add chain ip6 mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }");

                // The filter chains carry the user-selected default policies.
                AddRule(rules, "ipv4", "add table ip filter");
                AddRule(rules, "ipv6", "add table ip6 filter");
                AddRule(rules, "ipv4", "add chain ip filter INPUT { type filter hook input priority 0; policy " + defaultPolicyInput + "; }");
                AddRule(rules, "ipv6", "add chain ip6 filter INPUT { type filter hook input priority 0; policy " + defaultPolicyInput + "; }");
                AddRule(rules, "ipv4", "add chain ip filter FORWARD { type filter hook forward priority 0; policy " + defaultPolicyForward + "; }");
                AddRule(rules, "ipv6", "add chain ip6 filter FORWARD { type filter hook forward priority 0; policy " + defaultPolicyForward + "; }");
                AddRule(rules, "ipv4", "add chain ip filter OUTPUT { type filter hook output priority 0; policy " + defaultPolicyOutput + "; }");
                AddRule(rules, "ipv6", "add chain ip6 filter OUTPUT { type filter hook output priority 0; policy " + defaultPolicyOutput + "; }");

                // Input - Local
                AddRule(rules, "ipv4", "add rule ip filter INPUT iifname \"lo\" counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT iifname \"lo\" counter accept");

                // Input - Reject traffic to localhost that does not originate from lo0.
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT iifname != \"lo\" ip6 saddr ::1 counter reject");

                // NOTE(review): "ip saddr" takes an address argument; the DHCP source network appears to have been stripped from this listing.
                if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
                    AddRule(rules, "ipv4", "add rule ip filter INPUT ip saddr counter accept");

                if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                    // NOTE(review): the "ip saddr"/"ip daddr" network arguments of the three IPv4 rules appear to have been stripped from this listing; do not copy them as-is.
                    AddRule(rules, "ipv4", "add rule ip filter INPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter INPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter INPUT ip saddr ip daddr counter accept");

                    // Link-local sources and multicast destinations
                    AddRule(rules, "ipv6", "add rule ip6 filter INPUT ip6 saddr fe80::/10 counter accept");
                    AddRule(rules, "ipv6", "add rule ip6 filter INPUT ip6 daddr ff00::/8 counter accept");

                if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                    AddRule(rules, "ipv4", "add rule ip filter INPUT icmp type echo-request counter accept");

                    // Broader than the IPv4 rule: every ICMPv6 type is accepted, not only echo-request.
                    AddRule(rules, "ipv6", "add rule ip6 filter INPUT meta l4proto ipv6-icmp counter accept");

                // Input - Disable processing of any RH0 packet which could allow a ping-pong of packets
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT rt type 0 counter drop");

                // Input - icmpv6-type:router-advertisement - Rules which are required for your IPv6 address to be properly allocated
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type nd-router-advert ip6 hoplimit 255 counter accept");

                // Input - icmpv6-type:neighbor-solicitation - Rules which are required for your IPv6 address to be properly allocated
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter accept");

                // Input - icmpv6-type:neighbor-advertisement - Rules which are required for your IPv6 address to be properly allocated
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter accept");

                // Input - icmpv6-type:redirect - Rules which are required for your IPv6 address to be properly allocated
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT meta l4proto ipv6-icmp icmpv6 type nd-redirect ip6 hoplimit 255 counter accept");

                // Input - Allow established sessions to receive traffic
                AddRule(rules, "ipv4", "add rule ip filter INPUT ct state related,established  counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT ct state related,established  counter accept");

                // Input - Allow TUN
                AddRule(rules, "ipv4", "add rule ip filter INPUT iifname \"tun*\" counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT iifname \"tun*\" counter accept");

                // Input - Whitelist incoming
                foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                    if (ip.IsV4)
                        AddRule(rules, "ipv4", "add rule ip filter INPUT ip saddr " + ip.ToCIDR() + " counter accept");

                    if (ip.IsV6)
                        AddRule(rules, "ipv6", "add rule ip6 filter INPUT ip6 saddr " + ip.ToCIDR() + " counter accept");

                // Input - Redundant, equal to default policy
                AddRule(rules, "ipv4", "add rule ip filter INPUT counter " + defaultPolicyInput + "");
                AddRule(rules, "ipv6", "add rule ip6 filter INPUT counter " + defaultPolicyInput + "");

                // Forward - Disable processing of any RH0 packet which could allow a ping-pong of packets
                AddRule(rules, "ipv6", "add rule ip6 filter FORWARD rt type 0 counter drop");

                // Forward - Allow TUN
                AddRule(rules, "ipv4", "add rule ip filter FORWARD iifname \"tun*\" counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter FORWARD iifname \"tun*\" counter accept");

                // Forward - Redundant, equal to default policy
                AddRule(rules, "ipv4", "add rule ip filter FORWARD counter " + defaultPolicyForward + "");
                AddRule(rules, "ipv6", "add rule ip6 filter FORWARD counter " + defaultPolicyForward + "");

                // Output - Local
                AddRule(rules, "ipv4", "add rule ip filter OUTPUT oifname \"lo\" counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT oifname \"lo\" counter accept");

                // Output - Disable processing of any RH0 packet which could allow a ping-pong of packets
                AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT rt type 0 counter drop");

                // NOTE(review): the "ip daddr" address argument appears to have been stripped from this listing.
                if (Engine.Instance.Storage.GetBool("netlock.allow_dhcp") == true)
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip daddr counter accept");

                if (Engine.Instance.Storage.GetBool("netlock.allow_private"))
                    // Private networks
                    // NOTE(review): the "ip saddr"/"ip daddr" network arguments of every IPv4 rule in this branch appear to have been stripped from this listing.
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");

                    // Multicast
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");

                    // Simple Service Discovery Protocol address
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");

                    // Service Location Protocol version 2 address
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip saddr ip daddr counter accept");

                    // Allow Link-Local addresses
                    AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT ip6 saddr fe80::/10 counter accept");

                    // Allow multicast
                    AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT ip6 daddr ff00::/8 counter accept");

                if (Engine.Instance.Storage.GetBool("netlock.allow_ping"))
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT icmp type echo-reply counter accept");
                    AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT meta l4proto ipv6-icmp counter accept");

                // Allow TUN
                AddRule(rules, "ipv4", "add rule ip filter OUTPUT oifname \"tun*\" counter accept");
                AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT oifname \"tun*\" counter accept");

                // If incoming=allow, allow packet response to out
                // We avoid a general rule, because in block/block mode it would keep already existing keepalives alive
                // NOTE(review): defaultPolicyInput is set to "accept"/"drop" (lowercase) above, so this comparison with "ACCEPT"
                // is never true and the two established-state OUTPUT rules below are never emitted — unlike the iptables variant,
                // whose policies are uppercase. With incoming=allow, replies to non-whitelisted inbound sessions are therefore
                // dropped on the nftables path. Confirm whether this is intended.
                if (defaultPolicyInput == "ACCEPT")
                    AddRule(rules, "ipv4", "add rule ip filter OUTPUT ct state established  counter accept");
                    AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT ct state established  counter accept");

                // Whitelist incoming (replies to already-established sessions with whitelisted peers)
                foreach (IpAddress ip in ipsWhiteListIncoming.IPs)
                    if (ip.IsV4)
                        AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip daddr " + ip.ToCIDR() + " ct state established  counter accept");
                    if (ip.IsV6)
                        AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT ip6 daddr " + ip.ToCIDR() + " ct state established  counter accept");

                // Whitelist outgoing
                foreach (IpAddress ip in ipsWhiteListOutgoing.IPs)
                    if (ip.IsV4)
                        AddRule(rules, "ipv4", "add rule ip filter OUTPUT ip daddr " + ip.ToCIDR() + " counter accept");
                    if (ip.IsV6)
                        AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT ip6 daddr " + ip.ToCIDR() + " counter accept");

                // Redundant, equal to default policy
                AddRule(rules, "ipv4", "add rule ip filter OUTPUT counter " + defaultPolicyOutput + "");
                AddRule(rules, "ipv6", "add rule ip6 filter OUTPUT counter " + defaultPolicyOutput + "");

                // Apply
                // The complete script goes to the privileged helper as a parameter; the helper is responsible for loading it.
                Core.Elevated.Command c = new Core.Elevated.Command();
                c.Parameters["command"]      = "netlock-nftables-activate";
                c.Parameters["support-ipv4"] = (m_supportIPv4 ? "y" : "n");
                c.Parameters["support-ipv6"] = (m_supportIPv6 ? "y" : "n");
                c.Parameters["rules"]        = rules.ToString();
                string result = Engine.Instance.Elevated.DoCommandSync(c);
                // Any non-empty result from the helper is treated as failure.
                if (result != "")
                    throw new Exception("Unexpected result: " + result);

                // Snapshot the whitelists only after a successful activation, so later updates can diff against what is really in effect.
                m_ipsWhiteListIncoming = ipsWhiteListIncoming;
                m_ipsWhiteListOutgoing = ipsWhiteListOutgoing;

            catch (Exception ex)
                // NOTE(review): re-wrapping as a plain Exception discards the original exception type and stack trace; "throw;" would preserve both.
                throw new Exception(ex.Message);