From a6b9fa782bab803300f34d656e946a0e432ae36b Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 5 Apr 2024 19:14:05 -0400
Subject: [PATCH] reorganize nftables rules
---
 nftables-attestation.conf | 16 ++++++++--------
 nftables-discuss.conf | 16 ++++++++--------
 nftables-mail.conf | 16 ++++++++--------
 nftables-matrix.conf | 16 ++++++++--------
 nftables-network.conf | 18 +++++++++---------
 nftables-ns1.conf | 16 ++++++++--------
 nftables-ns2.conf | 16 ++++++++--------
 nftables-social.conf | 16 ++++++++--------
 nftables-web.conf | 16 ++++++++--------
 9 files changed, 73 insertions(+), 73 deletions(-)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index 2c56ec4..0b5ab7b 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -47,14 +47,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport 443 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -85,6 +77,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport 443 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index ae8a084..67534d2 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -50,14 +50,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport 443 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
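Review bot: The relocated `output-raw` chain in nftables-attestation.conf carries no comment explaining why replies from port 443 and ICMP are marked `notrack`, and since base chains are evaluated by hook and priority rather than by their position in the table, the move is purely cosmetic — worth stating so the next reader does not look for a behavioural change. I would add above `chain output-raw {`: `# notrack: replies from the port this host serves (443) and ICMP skip conntrack; keep in step with the input-side notrack chain above`. Because untracked packets never match `ct state established`, the `output` chain that starts at the end of this hunk and continues outside it has to accept `tcp sport 443` explicitly if its policy is drop; those rules are not visible here, so please confirm they are present.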
@@ -88,6 +80,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport 443 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-mail.conf b/nftables-mail.conf
index c859b43..3e47431 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -47,14 +47,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport { 25, 465, 993 } notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -85,6 +77,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport { 25, 465, 993 } notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index b95d79b..af985a7 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -47,14 +47,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport 443 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -85,6 +77,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport 443 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-network.conf b/nftables-network.conf
index c6ca26e..4f9ed20 100644
--- a/nftables-network.conf
+++ b/nftables-network.conf
@@ -50,15 +50,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport { 80, 443 } notrack accept
- udp sport 123 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -90,6 +81,15 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport { 80, 443 } notrack accept
+ udp sport 123 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-ns1.conf b/nftables-ns1.conf
index 0b8fb41..ce865e7 100644
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@@ -47,14 +47,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- udp sport 53 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -85,6 +77,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ udp sport 53 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-ns2.conf b/nftables-ns2.conf
index 99dc2ca..86c91dd 100644
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@@ -52,14 +52,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- udp sport 53 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -90,6 +82,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ udp sport 53 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-social.conf b/nftables-social.conf
index 4b18fba..ac9ad67 100644
--- a/nftables-social.conf
+++ b/nftables-social.conf
@@ -47,14 +47,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport 443 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -85,6 +77,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport 443 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter
diff --git a/nftables-web.conf b/nftables-web.conf
index b6a2fac..f0bdb3f 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -51,14 +51,6 @@ table inet filter {
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
- chain output-raw {
- type filter hook output priority raw
-
- oif lo notrack accept
- tcp sport 443 notrack accept
- meta l4proto { icmp, ipv6-icmp } notrack accept
- }
-
 chain input {
 type filter hook input priority filter
 policy drop
@@ -89,6 +81,14 @@ table inet filter {
 policy drop
 }
+ chain output-raw {
+ type filter hook output priority raw
+
+ oif lo notrack accept
+ tcp sport 443 notrack accept
+ meta l4proto { icmp, ipv6-icmp } notrack accept
+ }
+
 chain output {
 type filter hook output priority filter