From b17b2f3fd3d34ad3f151eddb07096e39d0f5c6d6 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Thu, 18 Apr 2024 10:40:29 -0400
Subject: [PATCH] nftables: add define for ns2.grapheneos.org anycast IP

---
 nftables/nftables-ns2.conf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index b9821ff..215afc8 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -3,6 +3,8 @@ flush ruleset
 table inet filter {
+ define ip-anycast = 198.251.90.93
+
 define ip-allowlist-ssh = {
 198.98.53.141, # 0.ns2.grapheneos.org
 }
@@ -46,8 +48,7 @@ table inet filter {
 udp dport 53 notrack accept
- # reject SSH packets via anycast IP
- tcp dport 22 ip daddr 198.251.90.93 reject with tcp reset
+ tcp dport 22 ip daddr $ip-anycast reject with tcp reset
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport { 22, 53, 80, 443, 853 } tcp flags syn limit rate over 1024/second burst 128 packets counter notrack accept
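Review bot: The second hunk drops the only comment explaining why port 22 traffic to the anycast address is rejected, and the new `$ip-anycast` name says what the address is, not why SSH to it gets a TCP reset while SSH elsewhere is left to the allowlist and synproxy rules below it. Keep the intent visible in the rule set, either by restoring `# reject SSH packets via anycast IP` above the rewritten rule or by annotating the new define in the first hunk, e.g. `define ip-anycast = 198.251.90.93 # ns2.grapheneos.org anycast address; SSH to it is rejected below`. Since this is the only reference to the literal in either hunk, it is worth confirming the rest of the file has no other occurrence of 198.251.90.93 that should also use the define, otherwise a future address change would silently desynchronise the rules. The enclosing `table inet filter {` block begins in the first hunk and continues outside both hunks.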