nftables: simplify nameserver control socket rules

2025-07-30 10:08:53 -04:00 · 2025-06-27 13:10:16 -04:00 · 2025-06-27 13:10:16 -04:00 · 3b2f6d546c
commit 3b2f6d546c
parent 719e1fcd35
2 changed files with 5 additions and 5 deletions
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@ -131,11 +131,11 @@ table inet filter {
        skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
        skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept

-        skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
+        skuid powerdns tcp sport 81 tcp dport >= 1024 notrack accept

-        skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept
+        skuid dnsdist tcp sport 5199 tcp dport >= 1024 notrack accept

-        skuid zerotier-one meta l4proto tcp th sport 9993 th dport >= 1024 notrack accept
+        skuid zerotier-one tcp sport 9993 tcp dport >= 1024 notrack accept

        skuid != root counter goto graceful-reject
        notrack accept
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@ -129,9 +129,9 @@ table inet filter {
        skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
        skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept

-        skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
+        skuid powerdns tcp sport 81 tcp dport >= 1024 notrack accept

-        skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept
+        skuid dnsdist tcp sport 5199 tcp dport >= 1024 notrack accept

        skuid != root counter goto graceful-reject
        notrack accept