Merge pull request #222545 from K900/nft-avoid-wildcards

nixos/firewall-nftables: avoid using wildcards
K900 2023-03-22 17:54:41 +03:00 committed by GitHub
commit 07513e2c6b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -94,7 +94,13 @@ in
${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
# Some ICMPv6 types like NDP is untracked
ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked"
ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump input-allow,
untracked: jump input-allow,
}
${optionalString cfg.logRefusedConnections ''
tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
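Review bot: The two replacement maps are formatted inconsistently: the input chain's last entry reads `untracked: jump input-allow,` while the forward chain's equivalent in the second hunk reads `untracked : jump forward-allow,`; `untracked : jump input-allow,` would match the other keys in the same map. Dropping the `*` key also changes where a packet whose ct state matches none of the listed keys ends up: it no longer jumps to the allow chain but falls through to the rules below the vmap and, under the chain's `policy drop` (visible for the forward chain at `type filter hook forward priority filter; policy drop;`, presumably the same for the input chain whose policy line is outside this hunk), is dropped — fail-closed, which is the safer default, but worth stating in a comment so nobody later "fixes" it by adding a catch-all accept. The removed rule's `comment "*: new and untracked"` was not carried over, so `nft list ruleset` no longer shows why `untracked` is dispatched to the allow chain, and the Nix-level `# Some ICMPv6 types like NDP is untracked` explanation at the top of this hunk is absent from the forward chain entirely; consider repeating that comment above the forward vmap in the second hunk, or closing both maps with an nft-level annotation such as `} comment "new/untracked (e.g. ICMPv6 NDP): allow chain"`.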
@ -143,7 +149,13 @@ in
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked"
ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump forward-allow,
untracked : jump forward-allow,
}
}