diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-09 09:31:17 +0100 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2021-12-09 09:31:17 +0100 |
commit | 23923d7e463587ac9a82555b89d35e633560db32 (patch) | |
tree | 09e18285b1c5fdbc16a534a4e35f3abdecfa73dc | |
parent | ca072da5df2f40b4fd652266bf14590bbf661857 (diff) | |
download | nixos-23923d7e463587ac9a82555b89d35e633560db32.tar nixos-23923d7e463587ac9a82555b89d35e633560db32.tar.gz nixos-23923d7e463587ac9a82555b89d35e633560db32.tar.bz2 nixos-23923d7e463587ac9a82555b89d35e633560db32.tar.xz nixos-23923d7e463587ac9a82555b89d35e633560db32.zip |
vidhar: nftables...
-rw-r--r-- | hosts/vidhar/ruleset.nft | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft index 5a6d2c4e..f4e2aa94 100644 --- a/hosts/vidhar/ruleset.nft +++ b/hosts/vidhar/ruleset.nft | |||
@@ -24,8 +24,8 @@ table inet filter { | |||
24 | iifname eno1 oifname dsl counter accept | 24 | iifname eno1 oifname dsl counter accept |
25 | iifname dsl oifname eno1 ct state {established, related} counter accept | 25 | iifname dsl oifname eno1 ct state {established, related} counter accept |
26 | 26 | ||
27 | oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept | 27 | oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept |
28 | oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept | 28 | oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept |
29 | 29 | ||
30 | 30 | ||
31 | limit name lim_reject log prefix "drop forward: " counter drop | 31 | limit name lim_reject log prefix "drop forward: " counter drop |
@@ -72,7 +72,13 @@ table inet filter { | |||
72 | 72 | ||
73 | chain output { | 73 | chain output { |
74 | type filter hook output priority filter | 74 | type filter hook output priority filter |
75 | policy accept | 75 | policy drop |
76 | |||
77 | |||
78 | oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept | ||
79 | oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept | ||
80 | |||
81 | meta l4proto != { ipv6-icmp, icmp, igmp } counter drop | ||
76 | 82 | ||
77 | counter | 83 | counter |
78 | } | 84 | } |