From 2784008a65c156f283ca2312d78823a8c84f36f6 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sat, 3 May 2025 17:44:05 -0400
Subject: [PATCH] nftables: add support for rage4 anycast for ns1

---
 etc/nftables/nftables-ns1.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 12b74c2..1e0f0fa 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -105,20 +105,22 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
-skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate, zerotier-one, bird } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+skuid { alpm, chrony, geoipupdate, zerotier-one } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
 skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
 skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
+skuid zerotier-one meta l4proto tcp th sport 9993 th dport >= 1024 notrack accept
+skuid != root counter goto graceful-reject
 notrack accept
 }
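Review bot: The added `skuid != root counter goto graceful-reject` in `output-raw-loopback` changes that chain from allow-everything to default-deny for every non-root UID, which is a broader change than the "rage4 anycast" subject describes and is not documented anywhere in the hunk. Any non-root service whose loopback traffic is not covered by an explicit rule above it is now rejected; in particular `bird`, which this commit adds to the permitted set in the output hook chain, has no loopback rule at all, and `systemd-network`, `chrony` and `http` are only allowed to the ports listed, so each should be confirmed against what the daemon actually does on `lo`. The new `skuid zerotier-one ... th sport 9993` rule also carries no explanation of what listens on that port; I would add a comment above it, e.g. `# zerotier-one: replies from its local TCP 9993 listener to root's zerotier-cli (root is covered by the final notrack accept)`, hedged to whatever the local API actually is, and one above the new reject line: `# loopback is default-deny for non-root; add an explicit rule per service above`. The `counter` on the reject line is useful for spotting anything that now gets dropped, so it is worth watching after deploy; both chains continue outside this hunk.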