From f3156e641db4584491cbdfbe48a725447d2b673d Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Tue, 16 Sep 2025 16:02:59 -0400
Subject: [PATCH] nftables: reorder network server UDP notrack

---
 etc/nftables/nftables-network.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/nftables/nftables-network.conf b/etc/nftables/nftables-network.conf
index 7b3f5f9..de59d65 100644
--- a/etc/nftables/nftables-network.conf
+++ b/etc/nftables/nftables-network.conf
@@ -51,11 +51,11 @@ table inet filter {
 # ordered after accepting loopback to permit using external IPs via loopback
 fib daddr . iif type != { local, broadcast, multicast } counter drop
 
+udp dport $udp-ports notrack accept
+
 # handle new TCP connections beyond rate limit via synproxy to avoid conntrack table exhaustion
 tcp dport $tcp-ports-full tcp flags syn limit rate over {{synproxy_threshold}}/second burst {{synproxy_threshold}} packets counter notrack accept
 
-udp dport $udp-ports notrack accept
-
 meta l4proto { tcp, udp } accept
 icmp type { echo-reply, destination-unreachable, echo-request, time-exceeded, parameter-problem } notrack accept
 meta l4proto ipv6-icmp notrack accept
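Review bot: The moved `udp dport $udp-ports notrack accept` rule is the only accept in this run without a comment, while the synproxy rule right below it explains why it bypasses conntrack; since `notrack` means no conntrack entry is ever created for these datagrams and the reply direction must therefore be handled explicitly, a note such as `# accept UDP to listening ports without creating conntrack entries so unsolicited datagrams cannot exhaust the conntrack table; replies must also be notrack` would make the intent as clear as the TCP case. The reorder itself is functionally neutral because the UDP rule and the TCP synproxy rule match disjoint protocols, and the UDP rule still sits after the `fib daddr . iif type != { local, broadcast, multicast } counter drop` line, so spoofed-destination UDP is dropped before reaching the untracked accept. Whether the output side already carries a matching notrack rule for the reply direction cannot be seen from this hunk; the enclosing chain starts and ends outside it.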