mirror of
https://github.com/GrapheneOS/infrastructure.git
synced 2024-12-22 21:49:22 -05:00
reorganize nftables rules
parent
cf274f34d7
commit
a6b9fa782b
@ -47,14 +47,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport 443 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -85,6 +77,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport 443 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
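Review bot: The relocated `output-raw` chain (second hunk of this file) carries no comment explaining why its rules use `notrack`, and the move is a good moment to add one. Packets marked `notrack` reach the later `output` chain in the untracked state, so they cannot match a `ct state established,related` rule there, and the `accept` here only ends evaluation of this raw-priority chain. I would add above `tcp sport 443 notrack accept` something like `# service replies bypass conntrack; the output chain must accept them without relying on ct state`. The body of `chain output` lies outside the hunk, so I cannot confirm that it handles untracked traffic explicitly. The same applies to the `output-raw` chains moved in the other files of this commit.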
@ -50,14 +50,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport 443 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -88,6 +80,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport 443 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -47,14 +47,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport { 25, 465, 993 } notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -85,6 +77,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport { 25, 465, 993 } notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -47,14 +47,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport 443 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -85,6 +77,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport 443 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -50,15 +50,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport { 80, 443 } notrack accept
|
|
||||||
udp sport 123 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -90,6 +81,15 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport { 80, 443 } notrack accept
|
||||||
|
udp sport 123 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
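Review bot: `udp sport 123 notrack accept` in the relocated `output-raw` chain matches on source port alone, so it would also cover this host's own outbound NTP queries if its time daemon sends them from port 123, not only server replies. Such queries would leave untracked, and their answers could then only be admitted by a port-based input rule rather than by `ct state established`. The input rules are outside the hunk, so this may already be handled. A comment such as `# untracked: NTP server replies (and any client queries sent from port 123)` would make the intent explicit.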
@ -47,14 +47,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
udp sport 53 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -85,6 +77,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
udp sport 53 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -52,14 +52,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
udp sport 53 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -90,6 +82,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
udp sport 53 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -47,14 +47,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport 443 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -85,6 +77,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport 443 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|
@ -51,14 +51,6 @@ table inet filter {
|
|||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output-raw {
|
|
||||||
type filter hook output priority raw
|
|
||||||
|
|
||||||
oif lo notrack accept
|
|
||||||
tcp sport 443 notrack accept
|
|
||||||
meta l4proto { icmp, ipv6-icmp } notrack accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter
|
type filter hook input priority filter
|
||||||
policy drop
|
policy drop
|
||||||
@ -89,6 +81,14 @@ table inet filter {
|
|||||||
policy drop
|
policy drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
chain output-raw {
|
||||||
|
type filter hook output priority raw
|
||||||
|
|
||||||
|
oif lo notrack accept
|
||||||
|
tcp sport 443 notrack accept
|
||||||
|
meta l4proto { icmp, ipv6-icmp } notrack accept
|
||||||
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority filter
|
type filter hook output priority filter
|
||||||
|
|
||||||
|