nftables: rename output-reject to graceful-reject
This commit is contained in:
parent
66562272ac
commit
16ef317460
|
@ -50,7 +50,7 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
|
@ -60,11 +60,11 @@ table inet filter {
|
|||
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
|
||||
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -53,18 +53,18 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
||||
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -50,18 +50,18 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
||||
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -50,7 +50,7 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
|
@ -67,11 +67,11 @@ table inet filter {
|
|||
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
|
||||
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -53,18 +53,18 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
||||
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -53,7 +53,7 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
|
@ -65,11 +65,11 @@ table inet filter {
|
|||
|
||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -56,7 +56,7 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
|
@ -68,11 +68,11 @@ table inet filter {
|
|||
|
||||
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -50,7 +50,7 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
|
@ -59,11 +59,11 @@ table inet filter {
|
|||
|
||||
skuid postgres udp sport >= 1024 udp dport >= 1024 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|
|
@ -50,18 +50,18 @@ table inet filter {
|
|||
type filter hook output priority filter
|
||||
|
||||
oif lo goto output-internal
|
||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto output-reject
|
||||
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
|
||||
}
|
||||
|
||||
chain output-internal {
|
||||
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
|
||||
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
|
||||
|
||||
skuid != root counter goto output-reject
|
||||
skuid != root counter goto graceful-reject
|
||||
accept
|
||||
}
|
||||
|
||||
chain output-reject {
|
||||
chain graceful-reject {
|
||||
meta l4proto udp reject
|
||||
meta l4proto tcp reject with tcp reset
|
||||
reject
|
||||
|
|