dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #222545 from K900/nft-avoid-wildcards

Browse Source 
nixos/firewall-nftables: avoid using wildcards
This commit is contained in:
K900 2023-03-22 17:54:41 +03:00 committed by GitHub
commit 07513e2c6b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/services/networking/firewall-nftables.nix
View File

@ -94,7 +94,13 @@ in
${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''} ${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
# Some ICMPv6 types like NDP is untracked # Some ICMPv6 types like NDP is untracked
ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked" ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump input-allow,
untracked: jump input-allow,
}
${optionalString cfg.logRefusedConnections '' ${optionalString cfg.logRefusedConnections ''
tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: " tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
@ -143,7 +149,13 @@ in
chain forward { chain forward {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked" ct state vmap {
invalid : drop,
established : accept,
related : accept,
new : jump forward-allow,
untracked : jump forward-allow,
}
} }