nftables: handle non-TCP case in input-new chain

2024-04-11 10:34:00 -04:00 · 2024-04-11 10:34:00 -04:00 · 832a430954
parent 8f047de0c3
commit 832a430954
9 changed files with 9 additions and 0 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -69,6 +69,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -69,6 +69,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -69,6 +69,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -69,6 +69,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -73,6 +73,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -72,6 +72,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -77,6 +77,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -69,6 +69,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -73,6 +73,7 @@ table inet filter {
    }

    chain input-new {
+        meta l4proto != tcp goto graceful-reject
        tcp dport != { 22, 80, 443 } goto graceful-reject
        tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
        tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset