Git-Mirrors
/
graphene-os-server-infrastructure
mirror of https://github.com/GrapheneOS/infrastructure.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

nftables: add invalid case to ct state vmap 

This might as well be dropped by the verdict map instead of falling
through to the default drop policy.
This commit is contained in:
Daniel Micay 2024-04-23 02:14:07 -04:00
parent 5ba6cbd3d1
commit 965bc4f951
9 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nftables/nftables-attestation.conf
View File

@ -47,7 +47,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-discuss.conf
View File

@ -47,7 +47,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-mail.conf
View File

@ -59,7 +59,7 @@ table inet filter {
policy drop
tcp dport { 22, 25, 80, 443, 465, 993 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-matrix.conf
View File

@ -47,7 +47,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-network.conf
View File

@ -56,7 +56,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443, 7275 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-ns1.conf
View File

@ -49,7 +49,7 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-ns2.conf
View File

@ -61,7 +61,7 @@ table inet filter {
policy drop
tcp dport { 22, 53, 80, 443, 853 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-social.conf
View File

@ -47,7 +47,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {

2
nftables/nftables-web.conf
View File

@ -57,7 +57,7 @@ table inet filter {
policy drop
tcp dport { 22, 80, 443 } goto input-tcp-service
ct state vmap { established : accept, related : accept, new : drop, untracked: accept }
ct state vmap { invalid : drop, established : accept, related : accept, new : drop, untracked: accept }
}
chain input-tcp-service {