author | K900 <me@0upti.me> | 2023-03-22 17:45:05 +0300 |
committer | K900 <me@0upti.me> | 2023-03-22 17:45:05 +0300 |
commit | d0f7d224da3c01b487094d6f5071ebd6a8c30437 (patch) | |
tree | f4b4b70a5541462f93306ddd21271439cb34c1e5 /nixos | |
parent | 396918ad019dc1f84fa65d3c548bc9c22f84a73b (diff) |
nixos/firewall-nftables: avoid using wildcards
Wildcard (`*`) map elements were added in kernel 5.13, which is newer than our oldest supported kernel.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/firewall-nftables.nix | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix
index 0ed3c228075d3..452dd97d89d29 100644
--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@@ -94,7 +94,13 @@ in
 ${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''}
 # Some ICMPv6 types like NDP is untracked
- ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked"
+ ct state vmap {
+ invalid : drop,
+ established : accept,
+ related : accept,
+ new : jump input-allow,
+ untracked: jump input-allow,
+ }
 ${optionalString cfg.logRefusedConnections ''
 tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: "
@@ -143,7 +149,13 @@ in
 chain forward {
 type filter hook forward priority filter; policy drop;
- ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked"
+ ct state vmap {
+ invalid : drop,
+ established : accept,
+ related : accept,
+ new : jump forward-allow,
+ untracked : jump forward-allow,
+ }
 }
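Review bot: The rewritten `ct state vmap` in the input chain drops the `comment "*: new and untracked"` that the old one-liner carried, so the rule no longer explains in `nft list ruleset` why `new` and `untracked` packets are handed to `input-allow` instead of being accepted or dropped here; I would close the map with `} comment "new and untracked: evaluated by input-allow"`. Enumerating the states explicitly is only equivalent to the old `*` entry if `invalid`, `established`, `related`, `new` and `untracked` are the complete set of conntrack states a packet can carry (I believe they are, but this is worth confirming); a packet with any other state would now fall through the vmap to the refused-connection log rule and the chain's drop policy, which fails closed rather than open, and a one-line comment above the map stating that assumption would make the intent auditable. The two hunks also disagree on spacing — `untracked: jump input-allow,` here versus `untracked : jump forward-allow,` in the forward chain — so the input entry should read `untracked : jump input-allow,`. The enclosing input chain starts outside the hunk.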