From f7da6830128b5d00c58da3a5ec5f539910ac08a5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 18 Jul 2022 22:14:35 -0400
Subject: [PATCH] nftables: simplify ICMP handling
---
nftables-attestation.conf | 9 +++------
nftables-discuss.conf | 9 +++------
nftables-dns.conf | 9 +++------
nftables-mail.conf | 9 +++------
nftables-matrix.conf | 9 +++------
nftables-web.conf | 9 +++------
6 files changed, 18 insertions(+), 36 deletions(-)
diff --git a/nftables-attestation.conf b/nftables-attestation.conf
index aa993a3..47656da 100644
--- a/nftables-attestation.conf
+++ b/nftables-attestation.conf
@@ -8,8 +8,7 @@ table inet filter {
iif lo notrack
tcp dport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -17,8 +16,7 @@ table inet filter {
oif lo notrack
tcp sport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
@@ -27,8 +25,7 @@ table inet filter {
iif lo accept
tcp dport {22, 80, 443} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-discuss.conf b/nftables-discuss.conf
index 68473ed..22f46d0 100644
--- a/nftables-discuss.conf
+++ b/nftables-discuss.conf
@@ -8,8 +8,7 @@ table inet filter {
iif lo notrack
tcp dport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -17,8 +16,7 @@ table inet filter {
oif lo notrack
tcp sport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
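Review bot: The new `meta l4proto {icmp, ipv6-icmp} accept` in the third hunk (`chain input`) still admits every ICMP and ICMPv6 message type ahead of the `ct state` vmap, so types a server typically has no use for (ICMP redirect, timestamp and address-mask requests, ICMPv6 redirect and router advertisement) are accepted unconditionally; the same applies to the matching hunk in nftables-discuss.conf, nftables-dns.conf, nftables-mail.conf, nftables-matrix.conf and nftables-web.conf. Since the rule is being rewritten anyway, consider narrowing it to the types needed for reachability and path-MTU discovery, e.g. `icmp type {echo-request, destination-unreachable, time-exceeded, parameter-problem} accept` and `icmpv6 type {echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert} accept`, adding `nd-router-solicit`/`nd-router-advert` only where the host relies on SLAAC. Note also that `meta l4proto` is not tied to the address family, so the set form additionally matches an IPv4 packet carrying protocol 58 or an IPv6 packet whose final header is protocol 1, which `ip protocol icmp` did not; that is presumably harmless here, but it is a small semantic widening rather than a pure simplification and may deserve a one-line comment in the config. The `chain input {` block holding the rule opens before the hunk and its closing brace lies outside it.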
@@ -27,8 +25,7 @@ table inet filter {
iif lo accept
tcp dport {22, 80, 443} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-dns.conf b/nftables-dns.conf
index 82e7496..49817c3 100644
--- a/nftables-dns.conf
+++ b/nftables-dns.conf
@@ -9,8 +9,7 @@ table inet filter {
iif lo notrack
udp dport 53 notrack
tcp dport {22, 53} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -19,8 +18,7 @@ table inet filter {
oif lo notrack
udp sport 53 notrack
tcp sport {22, 53} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
@@ -30,8 +28,7 @@ table inet filter {
iif lo accept
udp dport 53 accept
tcp dport {22, 53} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-mail.conf b/nftables-mail.conf
index 84bba4c..8644baf 100644
--- a/nftables-mail.conf
+++ b/nftables-mail.conf
@@ -8,8 +8,7 @@ table inet filter {
iif lo notrack
tcp dport {22, 25, 80, 465, 993} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -17,8 +16,7 @@ table inet filter {
oif lo notrack
tcp sport {22, 25, 80, 465, 993} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
@@ -27,8 +25,7 @@ table inet filter {
iif lo accept
tcp dport {22, 25, 80, 465, 993} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-matrix.conf b/nftables-matrix.conf
index 09d5e65..dd5612f 100644
--- a/nftables-matrix.conf
+++ b/nftables-matrix.conf
@@ -8,8 +8,7 @@ table inet filter {
iif lo notrack
tcp dport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -17,8 +16,7 @@ table inet filter {
oif lo notrack
tcp sport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
@@ -27,8 +25,7 @@ table inet filter {
iif lo accept
tcp dport {22, 80, 443} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }
diff --git a/nftables-web.conf b/nftables-web.conf
index 77484b3..0c3994d 100644
--- a/nftables-web.conf
+++ b/nftables-web.conf
@@ -8,8 +8,7 @@ table inet filter {
iif lo notrack
tcp dport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain output-raw {
@@ -17,8 +16,7 @@ table inet filter {
oif lo notrack
tcp sport {22, 80, 443} notrack
- ip protocol icmp notrack
- meta l4proto ipv6-icmp notrack
+ meta l4proto {icmp, ipv6-icmp} notrack
}
chain input {
@@ -27,8 +25,7 @@ table inet filter {
iif lo accept
tcp dport {22, 80, 443} accept
- ip protocol icmp accept
- meta l4proto ipv6-icmp accept
+ meta l4proto {icmp, ipv6-icmp} accept
ct state vmap { invalid : drop, established : accept, related : accept }