Git-Mirrors/graphene-os-server-infrastructure
1
0
Fork 0
mirror of https://github.com/GrapheneOS/infrastructure.git synced 2025-11-26 17:46:23 -05:00
Code Issues Projects Releases Packages Wiki Activity

nftables: reorder network server UDP notrack

Browse source
This commit is contained in:
Daniel Micay 2025-09-16 16:02:59 -04:00
parent 78bd96f4ae
commit f3156e641d
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
etc/nftables/nftables-network.conf
View file

@ -51,11 +51,11 @@ table inet filter {
# ordered after accepting loopback to permit using external IPs via loopback
fib daddr . iif type != { local, broadcast, multicast } counter drop
udp dport $udp-ports notrack accept
# handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
udp dport $udp-ports notrack accept
meta l4proto { tcp, udp } accept
icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
meta l4proto ipv6-icmp notrack accept