nftables: use standard order for verdict map
This commit is contained in:
parent
965bc4f951
commit
ee62868a7b
@ -54,7 +54,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
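Review bot: The reordered `ct state vmap { … }` line changes nothing at runtime as far as I know: verdict-map elements are looked up by key, so element order is cosmetic, unlike the order of rules within the chain. Because the commit frames this as a "standard order", a short comment would stop a future reader from assuming the element order carries meaning, e.g. `# vmap element order is cosmetic; matching is by ct state key`. The existing comment above already explains that untracked SYN and the invalid first ACK fall through past this line, so nothing else is needed there. The enclosing chain starts and ends outside the hunk.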
@ -54,7 +54,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -66,7 +66,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -54,7 +54,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -63,7 +63,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -56,7 +56,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -68,7 +68,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -54,7 +54,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
@ -64,7 +64,7 @@ table inet filter {
iif lo goto input-tcp-service-loopback
iif lo goto input-tcp-service-loopback
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
# for synproxy, SYN is untracked and first ACK is invalid which are handled via fallthrough
ct state vmap { new : goto input-tcp-service-new, established : goto input-tcp-service-established, related : accept }
ct state vmap { established : goto input-tcp-service-established, related : accept, new : goto input-tcp-service-new }
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip saddr @ip-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset
tcp dport 22 ip6 saddr and ffff:ffff:ffff:ffff:ffff:: @ip6-connlimit-ssh counter reject with tcp reset