From 59984a477cc2ef8c854690e5f39648de3da69274 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 24 Mar 2024 13:27:55 -0400
Subject: [PATCH] enforce strong host model via nftables
---
nftables-attestation.conf | 4 ++++
nftables-discuss.conf | 4 ++++
nftables-mail.conf | 4 ++++
nftables-matrix.conf | 4 ++++
nftables-network.conf | 4 ++++
nftables-ns1.conf | 4 ++++
nftables-ns2.conf | 4 ++++
nftables-social.conf | 4 ++++
nftables-web.conf | 4 ++++
9 files changed, 36 insertions(+)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 2af9456..08342d3 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 724a649..4091471 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index b41ff06..9c0d302 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 25, 80, 443, 465, 993} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
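Review bot: The `type` set in the new `fib daddr . iif type != { local, broadcast, multicast } counter drop` rule does not list `anycast`, so a packet addressed to an IPv6 anycast address the host holds (for example a subnet-router anycast address, which as far as I can tell is classified as `anycast` rather than `local` by the fib lookup) would be dropped rather than delivered. Whether that matters depends on the address configuration, which is not visible in this hunk; if no anycast addresses are intended, record the decision in the comment, e.g. `# drop packets to address not configured on incoming interface (strong host model); anycast is deliberately not accepted`, otherwise add `anycast` to the set. The chain header is outside the hunk, so the hook this rule runs in is inferred. The same four lines are added unchanged to nftables-discuss.conf and nftables-mail.conf in the next two hunks, and this remark applies to them equally.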
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 7d5622e..35c063d 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
diff --git a/nftables-network.conf b/nftables-network.conf
index 5f36564..7eb49f6 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443, 7275} notrack accept
 udp dport 123 notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 0e204c9..ad69b99 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 udp dport 53 notrack accept
 tcp dport {22, 53, 80, 443, 853} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 644ecd8..15e7f12 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
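Review bot: In the nftables-network.conf hunk the new drop sits in a chain whose header is outside the hunk; the surrounding `notrack accept` rules suggest it is a raw-priority chain, and if that chain is a prerouting hook rather than input, a packet whose destination is not local to the incoming interface is dropped before any forwarding decision, so this host can no longer forward or terminate traffic for addresses it does not hold on that interface. That is consistent with a single-purpose server enforcing the strong host model, but the comment does not say so; I would extend it to `# drop packets to address not configured on incoming interface (strong host model); also drops anything that would otherwise be forwarded`. If the hook is `input`, forwarded traffic is unaffected and the extra clause is unnecessary — this is inferred from the visible rules, not stated by them.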
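Review bot: In the nftables-ns1.conf hunk the new rule is keyed on `iif`, so a service address configured on `lo` or a dummy interface (the usual layout for anycast or VIP-style DNS) would not count as `local` for packets arriving on the NIC and every `udp dport 53` / `tcp dport 53` query would hit the drop before reaching the accept rules below it. Nothing in the hunk shows the address layout, so this is a deployment check rather than a defect in the rule: confirm the addresses ns1 answers from are configured on the receiving interface, and watch the anonymous counter on the drop rule in `nft list ruleset` after rollout — a packet count that tracks query volume means legitimate traffic is being rejected. The same applies to the nftables-ns2.conf hunk that begins on the next line.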
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 udp dport 53 notrack accept
 tcp dport {22, 53, 80, 443, 853} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
diff --git a/nftables-social.conf b/nftables-social.conf
index 49f8224..74b2eed 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
diff --git a/nftables-web.conf b/nftables-web.conf
index 70e3c80..b0104cf 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -10,6 +10,10 @@ table inet filter {
 fib saddr . iif oif missing counter drop
 iif lo notrack accept
+
+ # drop packets to address not configured on incoming interface (strong host model)
+ fib daddr . iif type != { local, broadcast, multicast } counter drop
+
 tcp dport {22, 80, 443} notrack accept
 meta l4proto {icmp, ipv6-icmp} notrack accept
 }
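Review bot: The nftables-web.conf hunk is the ninth verbatim copy of the same four lines, and the rule is only correct because of where it sits — after `iif lo notrack accept` and before the per-service accepts — so a later edit that reorders or drops it in one file will not be caught by the others. nftables accepts `include` inside a chain body (as far as I recall, since the 0.9 series), so the shared prefix `fib saddr . iif oif missing counter drop`, `iif lo notrack accept` and the new strong-host drop could live in one file pulled in with `include "nftables-common.conf"` at that point, leaving only the service-specific accept lines per host. If keeping each file self-contained is deliberate, a one-line note in the comment such as `# keep in sync with the other nftables-*.conf files` would at least flag the coupling.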