Merge pull request #222545 from K900/nft-avoid-wildcards
nixos/firewall-nftables: avoid using wildcards
This commit is contained in:
commit
07513e2c6b
1 changed files with 14 additions and 2 deletions
|
@ -94,7 +94,13 @@ in
|
|||
${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
|
||||
|
||||
# Some ICMPv6 types like NDP is untracked
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked"
|
||||
ct state vmap {
|
||||
invalid : drop,
|
||||
established : accept,
|
||||
related : accept,
|
||||
new : jump input-allow,
|
||||
untracked: jump input-allow,
|
||||
}
|
||||
|
||||
${optionalString cfg.logRefusedConnections ''
|
||||
tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
|
||||
|
@ -143,7 +149,13 @@ in
|
|||
chain forward {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked"
|
||||
ct state vmap {
|
||||
invalid : drop,
|
||||
established : accept,
|
||||
related : accept,
|
||||
new : jump forward-allow,
|
||||
untracked : jump forward-allow,
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue