Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-06-26 14:22:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

nftables: rename output-reject to graceful-reject

Browse Source
This commit is contained in:
Daniel Micay 2024-03-27 12:31:09 -04:00
parent 66562272ac
commit 16ef317460
9 changed files with 27 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nftables-attestation.conf
View File

@ -50,7 +50,7 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
}
chain output-internal {
@ -60,11 +60,11 @@ table inet filter {
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-discuss.conf
View File

@ -53,18 +53,18 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
}
chain output-internal {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-mail.conf
View File

@ -50,18 +50,18 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
}
chain output-internal {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-matrix.conf
View File

@ -50,7 +50,7 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
}
chain output-internal {
@ -67,11 +67,11 @@ table inet filter {
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-network.conf
View File

@ -53,18 +53,18 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
}
chain output-internal {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-ns1.conf
View File

@ -53,7 +53,7 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
}
chain output-internal {
@ -65,11 +65,11 @@ table inet filter {
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-ns2.conf
View File

@ -56,7 +56,7 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
}
chain output-internal {
@ -68,11 +68,11 @@ table inet filter {
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-social.conf
View File

@ -50,7 +50,7 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
}
chain output-internal {
@ -59,11 +59,11 @@ table inet filter {
skuid postgres udp sport >= 1024 udp dport >= 1024 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject

6
nftables-web.conf
View File

@ -50,18 +50,18 @@ table inet filter {
type filter hook output priority filter
oif lo goto output-internal
skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
}
chain output-internal {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid != root counter goto output-reject
skuid != root counter goto graceful-reject
accept
}
chain output-reject {
chain graceful-reject {
meta l4proto udp reject
meta l4proto tcp reject with tcp reset
reject