nftables: handle non-TCP case in input-new chain
parent
8f047de0c3
commit
832a430954
@ -69,6 +69,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
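Review bot: The added `meta l4proto != tcp goto graceful-reject` at the top of `input-new` carries no comment explaining why it is needed, and the reason is not obvious from the rule alone. In an `inet` table a `tcp dport` expression matches only TCP packets, so before this change a new non-TCP packet matched none of the `tcp dport` rules shown and fell through to whatever ends the chain, which lies outside the hunk. I would put a line above it such as `# tcp dport only matches TCP; send every other protocol to graceful-reject explicitly`, and do the same in the identical hunks of the other file sections in this commit. Because the rule now rejects every non-TCP packet that reaches this chain, it is also worth confirming that ICMP/ICMPv6 and any UDP services are accepted before the jump into `input-new`, which is not visible on this page.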
@ -69,6 +69,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -69,6 +69,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
|
tcp dport != { 22, 25, 80, 443, 465, 993 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -69,6 +69,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -73,6 +73,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
|
tcp dport != { 22, 80, 443, 7275 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -72,6 +72,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
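Review bot: UDP DNS on port 53 would be rejected by the new first rule if new UDP packets are dispatched to `input-new`; the `tcp dport` set in this section includes 53 and 853, which suggests the host serves DNS. The hunk does not show how the base input chain routes UDP, so please confirm that UDP port 53 is accepted before this chain is reached, or exempt it here with a rule like `udp dport 53 accept` placed ahead of `meta l4proto != tcp goto graceful-reject`. The following file section, which uses the same `{ 22, 53, 80, 443, 853 }` set, needs the same check. The body of `input-new` continues past the end of the hunk.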
@ -77,6 +77,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
tcp dport != { 22, 53, 80, 443, 853 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -69,6 +69,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|
@ -73,6 +73,7 @@ table inet filter {
|
|||||||
}
|
}
|
||||||
|
|
||||||
chain input-new {
|
chain input-new {
|
||||||
|
meta l4proto != tcp goto graceful-reject
|
||||||
tcp dport != { 22, 80, 443 } goto graceful-reject
|
tcp dport != { 22, 80, 443 } goto graceful-reject
|
||||||
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
|
||||||
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
|
||||||
|