From d8922d513a35bf5e7d75ea0d812d7dcdb6f2c395 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 13 Dec 2021 21:41:10 +0100
Subject: nftables: ...

---
 hosts/surtr/ruleset.nft  | 4 ++--
 hosts/vidhar/ruleset.nft | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index f8cadc94..0a9ff530 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -72,8 +72,6 @@ table inet filter {
     meta l4proto $icmp_protos limit name lim_icmp counter drop
     meta l4proto $icmp_protos counter accept
 
-    ct state {established, related} counter accept
-
     tcp dport 22 counter accept
     meta protocol ip udp dport 51820 counter accept
     meta protocol ip6 udp dport 51821 counter accept
@@ -82,6 +80,8 @@ table inet filter {
     tcp dport 53 counter accept
     udp dport 53 counter accept
 
+    ct state {established, related} counter accept
+
 
     limit name lim_reject log prefix "drop input: " counter drop
     log prefix "reject input: " counter
diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 3d4d1bb0..ca0e5716 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -88,14 +88,14 @@ table inet filter {
     iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter drop
     meta l4proto $icmp_protos counter accept
 
-    ct state {established, related} counter accept
-
     tcp dport 22 counter accept
     meta protocol ip udp dport 51820 counter accept
     udp dport 60000-61000 counter accept
 
     iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter accept
 
+    ct state {established, related} counter accept
+
 
     limit name lim_reject log prefix "drop input: " counter drop
     log prefix "reject input: " counter
-- 
cgit v1.2.3