Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2024-12-22 13:45:02 -05:00
Code Issues Packages Projects Releases Wiki Activity

nftables: move output skuid checks to raw phase

Browse Source 
This is a minor simplification and also a minor optimization.
This commit is contained in:
Daniel Micay 2024-04-17 15:03:13 -04:00
parent 7782c861cb
commit 741ea728ea
9 changed files with 70 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
nftables/nftables-attestation.conf
View File

@ -101,26 +101,20 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 accept
skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 accept
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 accept
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 accept
skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

18
nftables/nftables-discuss.conf
View File

@ -101,23 +101,17 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

18
nftables/nftables-mail.conf
View File

@ -113,23 +113,17 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

32
nftables/nftables-matrix.conf
View File

@ -101,33 +101,27 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept
skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
}
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 accept
skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 accept
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 notrack accept
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 notrack accept
skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 accept
skuid synapse tcp sport 8008 tcp dport >= 1024 tcp dport != 8008 accept
skuid http tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
skuid mjolnir tcp sport >= 1024 tcp sport != 8008 tcp dport 8008 accept
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 accept
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 accept
skuid http tcp sport 443 tcp dport >= 1024 tcp dport != 8008 notrack accept
skuid matterbridge tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
skuid synapse tcp sport >= 1024 tcp sport != 8008 tcp dport 443 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

18
nftables/nftables-network.conf
View File

@ -111,24 +111,18 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
udp sport 123 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

24
nftables/nftables-ns1.conf
View File

@ -104,29 +104,23 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
udp sport 53 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
}
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

24
nftables/nftables-ns2.conf
View File

@ -115,29 +115,23 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
udp sport 53 notrack accept
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
}
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 accept
skuid http meta l4proto tcp th sport >= 1024 th dport 54 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 accept
skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

20
nftables/nftables-social.conf
View File

@ -101,25 +101,19 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
skuid postgres udp sport >= 1024 udp dport >= 1024 accept
skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {

18
nftables/nftables-web.conf
View File

@ -111,23 +111,17 @@ table inet filter {
chain output-raw {
type filter hook output priority raw
oif lo notrack accept
oif lo goto output-raw-loopback
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
meta l4proto { icmp, ipv6-icmp } notrack accept
}
chain output {
type filter hook output priority filter
oif lo goto output-loopback
skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
}
chain output-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 accept
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 accept
chain output-raw-loopback {
skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
skuid != root counter goto graceful-reject
accept
notrack accept
}
chain graceful-reject {