From 23923d7e463587ac9a82555b89d35e633560db32 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 9 Dec 2021 09:31:17 +0100
Subject: vidhar: nftables...

---
 hosts/vidhar/ruleset.nft | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'hosts/vidhar/ruleset.nft')

diff --git a/hosts/vidhar/ruleset.nft b/hosts/vidhar/ruleset.nft
index 5a6d2c4e..f4e2aa94 100644
--- a/hosts/vidhar/ruleset.nft
+++ b/hosts/vidhar/ruleset.nft
@@ -24,8 +24,8 @@ table inet filter {
 iifname eno1 oifname dsl counter accept
 iifname dsl oifname eno1 ct state {established, related} counter accept
- oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local accept
- oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl accept
+ oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
+ oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
 limit name lim_reject log prefix "drop forward: " counter drop
@@ -72,7 +72,13 @@ table inet filter {
 chain output {
 type filter hook output priority filter
- policy accept
+ policy drop
+
+
+ oifname != dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_local counter accept
+ oifname dsl meta l4proto { ipv6-icmp, icmp, igmp } limit name lim_icmp_dsl counter accept
+
+ meta l4proto != { ipv6-icmp, icmp, igmp } counter drop
 counter
 }
--
cgit v1.2.3
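Review bot: With `policy drop` and only the two rate-limited ICMP/IGMP accepts, the output chain in the second hunk contains no rule admitting any of the host's own TCP/UDP traffic (DNS, NTP, SSH replies), so unless accept rules are added elsewhere, every non-ICMP packet the host emits now hits `meta l4proto != { ipv6-icmp, icmp, igmp } counter drop`, and ICMP that exceeds `lim_icmp_local`/`lim_icmp_dsl` falls through to the bare `counter` and the drop policy. If restricting the host to ICMP-only egress is not the intent, a `ct state {established, related} counter accept` (the form the forward chain already uses) or explicit per-service accepts belong above that drop. Either way, drops in this chain are silent while the forward chain logs them; for parity and debuggability add `limit name lim_reject log prefix "drop output: " counter drop` before the final `counter`. The output chain's closing brace is inside the hunk; the rest of the table is outside it.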