nftables: implement output filtering for loopback

This commit is contained in:
Daniel Micay 2022-06-30 06:41:52 -04:00
parent fea9197ace
commit 01f9274fc4
6 changed files with 3 additions and 12 deletions


@ -45,8 +45,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept
skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, http, attestation} counter goto output-reject
} }


@ -45,8 +45,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept
skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, http, flarum} counter goto output-reject
} }


@ -48,8 +48,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept
skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, powerdns} counter goto output-reject
} }


@ -45,8 +45,7 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept skuid {opendmarc, opendkim, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept
skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, postfix, dovecot, dovenull} counter goto output-reject
} }
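Review bot: The new `skuid {opendmarc, opendkim, policyd-spf} oif lo meta l4proto {tcp, udp} th dport 53 accept` rule carries no comment explaining why these three users are the only ones granted loopback traffic, and since the blanket `oif lo accept` is gone, every other uid outside the `skuid !=` list now has its loopback packets sent to `output-reject`. A one-line comment would make the intent reviewable, e.g. `# mail filters only need DNS over loopback; all other loopback traffic from non-listed uids falls through to output-reject`. Whether port 53 on lo reaches a local resolver is not visible here (unbound appears in the allow list, which suggests it, but the listen address is outside this hunk), so confirm that before relying on the comment. The enclosing `table inet filter` starts outside the hunk.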


@ -45,8 +45,8 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept skuid postgres oif lo meta l4proto udp accept
skuid mjolnir oif lo tcp dport 8008 accept
skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, http, synapse, matterbridge} counter goto output-reject
} }
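Review bot: `skuid postgres oif lo meta l4proto udp accept` admits every UDP destination port on loopback for postgres, which is broader than the port-53-only loopback rule this same commit adds for the mail filter users in the other file; if the purpose is DNS to a local resolver, narrowing it to `skuid postgres oif lo meta l4proto udp th dport 53 accept` keeps the two files consistent and limits what a compromised postgres process can reach on lo. The adjacent `skuid mjolnir oif lo tcp dport 8008 accept` uses the `tcp dport` form while the line above uses `meta l4proto` plus `th dport`; picking one form for both makes the chain easier to audit. A short comment naming the local service expected on tcp/8008 would also help, since the listener is not visible in this hunk. The enclosing `table inet filter` starts outside the hunk.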


@ -45,8 +45,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority filter type filter hook output priority filter
oif lo accept
skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject skuid != {root, systemd-network, chrony, unbound, http} counter goto output-reject
} }