nftables: avoid unnecessary connection marking

2025-01-03 11:00:49 -05:00 · 2024-04-11 11:30:58 -04:00 · 2024-04-11 11:30:58 -04:00 · b152574da8
commit b152574da8
parent 832a430954
9 changed files with 36 additions and 0 deletions
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@ -79,6 +79,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -88,6 +90,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@ -79,6 +79,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -88,6 +90,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@ -79,6 +79,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 25, 80, 443, 465, 993 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -88,6 +90,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 25, 80, 443, 465, 993 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@ -79,6 +79,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -88,6 +90,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-network.conf
+++ b/nftables-network.conf
@ -83,6 +83,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443, 7275 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -92,6 +94,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443, 7275 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-ns1.conf
+++ b/nftables-ns1.conf
@ -82,6 +82,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -91,6 +93,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-ns2.conf
+++ b/nftables-ns2.conf
@ -87,6 +87,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -96,6 +98,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 53, 80, 443, 853 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-social.conf
+++ b/nftables-social.conf
@ -79,6 +79,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -88,6 +90,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
--- a/nftables-web.conf
+++ b/nftables-web.conf
@ -83,6 +83,8 @@ table inet filter {
    }

    chain input-established {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        ct mark 0x1 accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset
@ -92,6 +94,8 @@ table inet filter {
    }

    chain input-loopback {
+        meta l4proto != tcp accept
+        tcp dport != { 22, 80, 443 } accept
        tcp flags != syn accept
        tcp dport 22 ip saddr != $ip-allowlist-ssh add @ip-connlimit-ssh { ip saddr ct count over 1 } counter reject with tcp reset
        tcp dport 22 ip6 saddr != $ip6-allowlist-ssh add @ip6-connlimit-ssh { ip6 saddr and ffff:ffff:ffff:ffff:ffff:: ct count over 1 } counter reject with tcp reset