From 280eb51c8d165acb5654e2f1741ab6ecf4195667 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 28 Mar 2024 14:32:44 -0400 Subject: [PATCH] rename loopback chains for clarity --- nftables-attestation.conf | 8 ++++---- nftables-discuss.conf | 8 ++++---- nftables-mail.conf | 8 ++++---- nftables-matrix.conf | 8 ++++---- nftables-network.conf | 8 ++++---- nftables-ns1.conf | 8 ++++---- nftables-ns2.conf | 8 ++++---- nftables-social.conf | 8 ++++---- nftables-web.conf | 8 ++++---- 9 files changed, 36 insertions(+), 36 deletions(-) diff --git a/nftables-attestation.conf b/nftables-attestation.conf index 1d698b4..806d357 100644 --- a/nftables-attestation.conf +++ b/nftables-attestation.conf @@ -49,7 +49,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -59,7 +59,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -73,11 +73,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 accept skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 accept diff --git a/nftables-discuss.conf b/nftables-discuss.conf index 7fbf724..b19f935 100644 --- a/nftables-discuss.conf +++ b/nftables-discuss.conf @@ -52,7 +52,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -62,7 +62,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -76,11 +76,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-mail.conf b/nftables-mail.conf index 54b36d8..1d1cd10 100644 --- a/nftables-mail.conf +++ b/nftables-mail.conf @@ -49,7 +49,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 25, 80, 443, 465, 993 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -59,7 +59,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -73,11 +73,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-matrix.conf b/nftables-matrix.conf index fe2c03e..681729f 100644 --- a/nftables-matrix.conf +++ b/nftables-matrix.conf @@ -49,7 +49,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -59,7 +59,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -73,11 +73,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept diff --git a/nftables-network.conf b/nftables-network.conf index 0b7e398..c721a74 100644 --- a/nftables-network.conf +++ b/nftables-network.conf @@ -53,7 +53,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443, 7275 } accept udp dport 123 accept meta l4proto { icmp, ipv6-icmp } accept @@ -64,7 +64,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -78,11 +78,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-ns1.conf b/nftables-ns1.conf index 83196a5..d4e30d5 100644 --- a/nftables-ns1.conf +++ b/nftables-ns1.conf @@ -61,7 +61,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback udp dport 53 accept tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept @@ -75,7 +75,7 @@ table inet filter { tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } reject with tcp reset @@ -91,11 +91,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-ns2.conf b/nftables-ns2.conf index 6e0d159..e0cdde7 100644 --- a/nftables-ns2.conf +++ b/nftables-ns2.conf @@ -66,7 +66,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback udp dport 53 accept tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept @@ -80,7 +80,7 @@ table inet filter { tcp dport { 53, 853 } synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset tcp dport { 53, 853 } tcp flags syn add @ip-connlimit-dns { ip saddr ct count over 16 } reject with tcp reset @@ -96,11 +96,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-social.conf b/nftables-social.conf index 03e6a49..cef1659 100644 --- a/nftables-social.conf +++ b/nftables-social.conf @@ -49,7 +49,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -59,7 +59,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -73,11 +73,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept diff --git a/nftables-web.conf b/nftables-web.conf index dfa4c83..290ac34 100644 --- a/nftables-web.conf +++ b/nftables-web.conf @@ -53,7 +53,7 @@ table inet filter { type filter hook input priority filter policy drop - iif lo goto input-internal + iif lo goto input-loopback tcp dport { 80, 443 } accept meta l4proto { icmp, ipv6-icmp } accept ct state vmap { established : accept, related : accept, new : goto graceful-reject } @@ -63,7 +63,7 @@ table inet filter { tcp dport 22 synproxy mss 1460 wscale 7 timestamp sack-perm } - chain input-internal { + chain input-loopback { tcp dport 22 tcp flags syn ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } reject with tcp reset tcp dport 22 tcp flags syn ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } reject with tcp reset accept @@ -77,11 +77,11 @@ table inet filter { chain output { type filter hook output priority filter - oif lo goto output-internal + oif lo goto output-loopback skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject } - chain output-internal { + chain output-loopback { skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept