From 01f9274fc4465ed0c415d0c7dbca767f89e12c19 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 30 Jun 2022 06:41:52 -0400
Subject: [PATCH] nftables: implement output filtering for loopback

---
 nftables-attestation.conf | 2 --
 nftables-discuss.conf | 2 --
 nftables-dns.conf | 2 --
 nftables-mail.conf | 3 +--
 nftables-matrix.conf | 4 ++--
 nftables-web.conf | 2 --
 6 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 7c86a85..79f5e6e 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -45,8 +45,6 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
         skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
     }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 9d2bff9..061d8f1 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -45,8 +45,6 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
         skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject
     }
diff --git a/nftables-dns.conf b/nftables-dns.conf
index 7ed1fa3..15bd396 100644
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@@ -48,8 +48,6 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
         skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
     }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index ea71610..f4b2582 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -45,8 +45,7 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
+        skuid {opendmarc, opendkim, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept
         skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
     }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 068260b..bbdf6ba 100644
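Review bot: Loopback output from any uid outside the `skuid != {...}` set now falls through to `output-reject` with no per-uid exception, and unlike the mail and matrix hunks in this patch the attestation hunk (and likewise the discuss, dns and web hunks) adds none, so the only thing that keeps a service working is its presence in that set. That contract is implicit: the `type filter hook output priority filter` line carries no `policy`, so uids in the set fall through to the chain's default accept, while everything else is rejected even on lo. A one-line comment above the `skuid != ...` rule would make it explicit, e.g. `# loopback is not implicitly trusted: uids outside this set get no output at all; add narrow "oif lo" exceptions per service (see nftables-mail.conf)`. Whether any daemon on these hosts outside the set still resolves names via the local unbound cannot be told from the hunk and is worth confirming before deploy.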
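Review bot: The new `skuid {opendmarc, opendkim, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept` line in nftables-mail.conf has no comment, and its intent has to be reconstructed from the port (it reads as: these uids may reach only the local resolver over loopback). A short comment would spare the next reader that inference, e.g. `# milters / policy daemon: loopback DNS to the local resolver only, TCP and UDP`. Worth stating in the same comment that `th dport` is matched against the transport header for both protocols in the `l4proto` set, which is why one rule covers TCP and UDP here while the matrix config uses the narrower `tcp dport` form.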
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -45,8 +45,8 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
+        skuid postgres oif lo meta l4proto udp accept
+        skuid mjolnir oif lo tcp dport 8008 accept
         skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
     }
diff --git a/nftables-web.conf b/nftables-web.conf
index ca74e49..f40b01f 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -45,8 +45,6 @@ table inet filter {
     chain output {
         type filter hook output priority filter
-        oif lo accept
-
         skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
     }
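Review bot: `skuid postgres oif lo meta l4proto udp accept` admits any UDP destination port over loopback, whereas the equivalent loopback exception this same patch adds in nftables-mail.conf is narrowed to `th dport 53`. If the postgres exception is there for name resolution via the local resolver, which the UDP-only match suggests but the hunk does not state, it should be narrowed the same way, `skuid postgres oif lo udp dport 53 accept`, so the two configs express the same least-privilege rule and an unrelated UDP listener on loopback is not reachable from the database uid. The `skuid mjolnir oif lo tcp dport 8008 accept` line is already scoped to one port; a comment naming the listener it targets (presumably synapse, to be confirmed) would make both exceptions self-explanatory.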