nftables: simplify ICMP handling

This commit is contained in:
Daniel Micay 2022-07-18 22:14:35 -04:00
parent 494247747c
commit f7da683012
6 changed files with 18 additions and 36 deletions


@ -8,8 +8,7 @@ table inet filter {
iif lo notrack iif lo notrack
tcp dport {22, 80, 443} notrack tcp dport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -17,8 +16,7 @@ table inet filter {
oif lo notrack oif lo notrack
tcp sport {22, 80, 443} notrack tcp sport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -27,8 +25,7 @@ table inet filter {
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }
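Review bot: `meta l4proto {icmp, ipv6-icmp}` is not an exact substitute for the removed `ip protocol icmp` rule in an inet table: `meta l4proto` is family-independent, so the new set rule also matches an IPv6 packet whose transport protocol number is 1 (icmp), and its `ipv6-icmp` member matches an IPv4 packet carrying protocol 58. The removed `meta l4proto ipv6-icmp` line already had the second property, so the widening is symmetric and presumably intended, but the rule is broader than the old pair; if strict per-family matching is wanted, keeping `ip protocol icmp notrack` and `ip6 nexthdr ipv6-icmp notrack` would preserve it, at the cost of `ip6 nexthdr` not skipping extension headers the way `meta l4proto` does. The same substitution in the input chain accepts every ICMP and ICMPv6 type unconditionally ahead of the `ct state vmap` line, which matches the old behaviour but is worth a one-line comment such as `# all ICMP types accepted; narrow with icmp type / icmpv6 type sets if needed`. The enclosing chain of the first hunk starts outside the hunk, and the output-raw and input hunks here plus the same three hunks in the other five file sections carry the identical change.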


@ -8,8 +8,7 @@ table inet filter {
iif lo notrack iif lo notrack
tcp dport {22, 80, 443} notrack tcp dport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -17,8 +16,7 @@ table inet filter {
oif lo notrack oif lo notrack
tcp sport {22, 80, 443} notrack tcp sport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -27,8 +25,7 @@ table inet filter {
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -9,8 +9,7 @@ table inet filter {
iif lo notrack iif lo notrack
udp dport 53 notrack udp dport 53 notrack
tcp dport {22, 53} notrack tcp dport {22, 53} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -19,8 +18,7 @@ table inet filter {
oif lo notrack oif lo notrack
udp sport 53 notrack udp sport 53 notrack
tcp sport {22, 53} notrack tcp sport {22, 53} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -30,8 +28,7 @@ table inet filter {
iif lo accept iif lo accept
udp dport 53 accept udp dport 53 accept
tcp dport {22, 53} accept tcp dport {22, 53} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -8,8 +8,7 @@ table inet filter {
iif lo notrack iif lo notrack
tcp dport {22, 25, 80, 465, 993} notrack tcp dport {22, 25, 80, 465, 993} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -17,8 +16,7 @@ table inet filter {
oif lo notrack oif lo notrack
tcp sport {22, 25, 80, 465, 993} notrack tcp sport {22, 25, 80, 465, 993} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -27,8 +25,7 @@ table inet filter {
iif lo accept iif lo accept
tcp dport {22, 25, 80, 465, 993} accept tcp dport {22, 25, 80, 465, 993} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -8,8 +8,7 @@ table inet filter {
iif lo notrack iif lo notrack
tcp dport {22, 80, 443} notrack tcp dport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -17,8 +16,7 @@ table inet filter {
oif lo notrack oif lo notrack
tcp sport {22, 80, 443} notrack tcp sport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -27,8 +25,7 @@ table inet filter {
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }


@ -8,8 +8,7 @@ table inet filter {
iif lo notrack iif lo notrack
tcp dport {22, 80, 443} notrack tcp dport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain output-raw { chain output-raw {
@ -17,8 +16,7 @@ table inet filter {
oif lo notrack oif lo notrack
tcp sport {22, 80, 443} notrack tcp sport {22, 80, 443} notrack
ip protocol icmp notrack meta l4proto {icmp, ipv6-icmp} notrack
meta l4proto ipv6-icmp notrack
} }
chain input { chain input {
@ -27,8 +25,7 @@ table inet filter {
iif lo accept iif lo accept
tcp dport {22, 80, 443} accept tcp dport {22, 80, 443} accept
ip protocol icmp accept meta l4proto {icmp, ipv6-icmp} accept
meta l4proto ipv6-icmp accept
ct state vmap { invalid : drop, established : accept, related : accept } ct state vmap { invalid : drop, established : accept, related : accept }