Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-09-24 14:38:32 -04:00
Code Issues Projects Releases Packages Wiki Activity

clean inbound DSCP

Browse source 
This avoids setting outbound DSCP for echo-reply, TCP RST for TCP
sockets in the Time-Wait state and potentially other cases. We don't
want it to be possible for inbound packets to determine our outbound
traffic classification even to a small extent.
This commit is contained in:
Daniel Micay 2025-08-29 11:27:31 -04:00
parent 28106192b1
commit 41174c2a08
9 changed files with 27 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
etc/nftables/nftables-attestation.conf
View file

@ -57,6 +57,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-discuss.conf
View file

@ -60,6 +60,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-mail.conf
View file

@ -69,6 +69,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-matrix.conf
View file

@ -57,6 +57,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-network.conf
View file

@ -61,6 +61,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-ns1.conf
View file

@ -67,6 +67,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-ns2.conf
View file

@ -65,6 +65,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-social.conf
View file

@ -57,6 +57,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }

3
etc/nftables/nftables-web.conf
View file

@ -61,6 +61,9 @@ table inet filter {
type filter hook input priority filter type filter hook input priority filter
policy drop policy drop
ip dscp set cs0
ip6 dscp set cs0
tcp dport { 22, 80, 443 } goto input-tcp-service tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept } ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
} }