From 76b5b554cac8353471dbf7bb817372c80e713640 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 27 Jun 2025 13:10:16 -0400
Subject: [PATCH] nftables: simplify nameserver control socket rules
---
 etc/nftables/nftables-ns1.conf | 6 +++---
 etc/nftables/nftables-ns2.conf | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/etc/nftables/nftables-ns1.conf b/etc/nftables/nftables-ns1.conf
index 1fcc421..ec956c3 100644
--- a/etc/nftables/nftables-ns1.conf
+++ b/etc/nftables/nftables-ns1.conf
@@ -131,11 +131,11 @@ table inet filter {
 skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
 skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
-skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
+skuid powerdns tcp sport 81 tcp dport >= 1024 notrack accept
-skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept
+skuid dnsdist tcp sport 5199 tcp dport >= 1024 notrack accept
-skuid zerotier-one meta l4proto tcp th sport 9993 th dport >= 1024 notrack accept
+skuid zerotier-one tcp sport 9993 tcp dport >= 1024 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
diff --git a/etc/nftables/nftables-ns2.conf b/etc/nftables/nftables-ns2.conf
index 93b944b..14b2e15 100644
--- a/etc/nftables/nftables-ns2.conf
+++ b/etc/nftables/nftables-ns2.conf
@@ -129,9 +129,9 @@ table inet filter {
 skuid powerdns meta l4proto { tcp, udp } th sport 54 th dport >= 1024 notrack accept
 skuid dnsdist meta l4proto { tcp, udp } th sport >= 1024 th dport 54 notrack accept
-skuid powerdns meta l4proto tcp th sport 81 th dport >= 1024 notrack accept
+skuid powerdns tcp sport 81 tcp dport >= 1024 notrack accept
-skuid dnsdist meta l4proto tcp th sport 5199 th dport >= 1024 notrack accept
+skuid dnsdist tcp sport 5199 tcp dport >= 1024 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
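Review bot: The rewritten `tcp sport 81`, `tcp sport 5199` and `tcp sport 9993` rules are stateless (`notrack`), so they match any packet the powerdns, dnsdist or zerotier-one user sends from that source port to a port >= 1024 on any destination, not only replies on an established control-socket connection; a process running as one of those users that can bind the port itself could initiate outbound connections through these rules. This is a property the original `th sport` rules already had and may be an accepted trade-off of a conntrack-free ruleset, but nothing in the hunk names the ports or records that trade-off. I would put a comment above the group, roughly `# stateless reply rules for the control sockets (presumably powerdns webserver/API on 81, dnsdist console on 5199, zerotier-one on 9993); notrack means these also match locally originated traffic from those source ports`, with the service names confirmed against the matching input-side rules elsewhere in the file. The enclosing `table inet filter` chain starts before the hunk and continues after it.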
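Review bot: Ports 81 and 5199 are bare magic numbers in the new `tcp sport 81` and `tcp sport 5199` lines, and the commit message is the only place that says they are control sockets; the next reader has to match them against the listener rules to learn what they permit. A one-line comment above the pair, such as `# replies from the powerdns webserver/API (81) and dnsdist console (5199) control sockets`, or a `define` for each port shared with the corresponding input-side rule, would make the intent explicit; the service names should be checked against the listeners elsewhere in the file before being written down. The enclosing `table inet filter` chain starts before the hunk and continues after it.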