Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-07-29 17:48:41 -04:00
Code Issues Projects Releases Packages Wiki Activity

nftables: add support for rage4 anycast for ns1

Browse source
This commit is contained in:
Daniel Micay 2025-05-03 17:44:05 -04:00
parent 566f1a10d2
commit 2784008a65
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
etc/nftables/nftables-ns1.conf
View file

@ -105,20 +105,22 @@ table inet filter {
type filter hook output priority raw
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate, zerotier-one, bird } counter goto graceful-reject
udp sport 53 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
skuid zerotier-one meta l4proto tcp th sport 9993 th dport >= 1024 notrack accept
skuid != root counter goto graceful-reject
notrack accept
}