1 files changed, 4 insertions, 2 deletions
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index cb41f1cf..b57434a6 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -44,8 +44,10 @@ table inet filter {
    iifname lo counter accept
-    meta l4proto $icmp_protos limit name lim_icmp counter drop
+    meta l4proto $icmp_protos iifname yggdrasil limit name lim_icmp counter drop
-    meta l4proto $icmp_protos counter accept
+    meta l4proto $icmp_protos iifname yggdrasil counter accept
+    meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
+    meta l4proto $icmp_protos ct state {established, related} counter accept
    limit name lim_reject log prefix "drop forward: " counter drop

diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index cb41f1cf..b57434a6 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft
@@ -44,8 +44,10 @@ table inet filter {
44		44
45	iifname lo counter accept	45	iifname lo counter accept
46		46
47	meta l4proto $icmp_protos limit name lim_icmp counter drop	47	meta l4proto $icmp_protos iifname yggdrasil limit name lim_icmp counter drop
48	meta l4proto $icmp_protos counter accept	48	meta l4proto $icmp_protos iifname yggdrasil counter accept
		49	meta l4proto $icmp_protos ct state {established, related} limit name lim_icmp counter drop
		50	meta l4proto $icmp_protos ct state {established, related} counter accept
49		51
50		52
51	limit name lim_reject log prefix "drop forward: " counter drop	53	limit name lim_reject log prefix "drop forward: " counter drop