From ee62868a7b6c04fb62abf1bf9babd9234d1eada2 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 23 Apr 2024 03:29:52 -0400
Subject: [PATCH] nftables: use standard order for verdict map
---
 nftables/nftables-attestation.conf | 2 +-
 nftables/nftables-discuss.conf | 2 +-
 nftables/nftables-mail.conf | 2 +-
 nftables/nftables-matrix.conf | 2 +-
 nftables/nftables-network.conf | 2 +-
 nftables/nftables-ns1.conf | 2 +-
 nftables/nftables-ns2.conf | 2 +-
 nftables/nftables-social.conf | 2 +-
 nftables/nftables-web.conf | 2 +-
 9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index 4e5374b..d553c10 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -54,7 +54,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 0809af7..b446f50 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
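Review bot: The same `ct state vmap { … }` rule is hand-maintained as a verbatim copy in nine per-host configs, which is why a purely cosmetic reorder has to touch every file; the new ordering is behaviour-neutral, since vmap elements are matched by key rather than by position, so `nft -c -f` on each file is the only check needed. If the surrounding input-tcp-service rules are also identical across hosts (only these few lines are visible here), factoring them into one shared snippet pulled in with nftables `include` would stop the copies from drifting apart again. The same observation applies to the other eight hunks in this commit. The enclosing chain starts and ends outside the hunk.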
@@ -54,7 +54,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 9a75416..90a555c 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -66,7 +66,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 57dfcd2..af0fa24 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -54,7 +54,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index f6ca8fe..3b17041 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -63,7 +63,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index ec57b59..d7468d3 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -56,7 +56,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index 42a017a..5eb7a95 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -68,7 +68,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 3b46e0f..9e3345e 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -54,7 +54,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index e6f8471..40e9ad0 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -64,7 +64,7 @@ table inet filter {
 iif lo goto input-tcp-service-loopback
 # for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
-ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
+ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
 tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
 tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset