nftables: simplify ICMP handling
parent
494247747c
commit
f7da683012
@ -8,8 +8,7 @@ table inet filter {
|
||||
|
||||
iif lo notrack
|
||||
tcp dport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -17,8 +16,7 @@ table inet filter {
|
||||
|
||||
oif lo notrack
|
||||
tcp sport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -27,8 +25,7 @@ table inet filter {
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|
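Review bot: The merged `meta l4proto {icmp, ipv6-icmp} notrack` rule is slightly broader than the two lines it replaces, because `meta l4proto` in an inet table is address-family agnostic: it also matches an IPv6 packet whose final next-header is protocol 1, which the removed `ip protocol icmp notrack` did not. The removed `meta l4proto ipv6-icmp` line already had the mirror-image property (protocol 58 inside IPv4), so this is not a new kind of exposure, only a wider notrack/accept scope in one more direction; if the family-agnostic match is intended, a short comment above the new rule, `# family-agnostic on purpose: match ICMP/ICMPv6 by transport protocol regardless of IP version`, would record that. The same applies to the output-raw and input hunks of this section and to the corresponding three hunks in each of the other five file sections below (the page does not show file names, so I refer to them by position). The chain enclosing the first hunk starts outside the hunk.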
@ -8,8 +8,7 @@ table inet filter {
|
||||
|
||||
iif lo notrack
|
||||
tcp dport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -17,8 +16,7 @@ table inet filter {
|
||||
|
||||
oif lo notrack
|
||||
tcp sport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -27,8 +25,7 @@ table inet filter {
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|
@ -9,8 +9,7 @@ table inet filter {
|
||||
iif lo notrack
|
||||
udp dport 53 notrack
|
||||
tcp dport {22, 53} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -19,8 +18,7 @@ table inet filter {
|
||||
oif lo notrack
|
||||
udp sport 53 notrack
|
||||
tcp sport {22, 53} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -30,8 +28,7 @@ table inet filter {
|
||||
iif lo accept
|
||||
udp dport 53 accept
|
||||
tcp dport {22, 53} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|
@ -8,8 +8,7 @@ table inet filter {
|
||||
|
||||
iif lo notrack
|
||||
tcp dport {22, 25, 80, 465, 993} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -17,8 +16,7 @@ table inet filter {
|
||||
|
||||
oif lo notrack
|
||||
tcp sport {22, 25, 80, 465, 993} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -27,8 +25,7 @@ table inet filter {
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 25, 80, 465, 993} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|
@ -8,8 +8,7 @@ table inet filter {
|
||||
|
||||
iif lo notrack
|
||||
tcp dport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -17,8 +16,7 @@ table inet filter {
|
||||
|
||||
oif lo notrack
|
||||
tcp sport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -27,8 +25,7 @@ table inet filter {
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|
@ -8,8 +8,7 @@ table inet filter {
|
||||
|
||||
iif lo notrack
|
||||
tcp dport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain output-raw {
|
||||
@ -17,8 +16,7 @@ table inet filter {
|
||||
|
||||
oif lo notrack
|
||||
tcp sport {22, 80, 443} notrack
|
||||
ip protocol icmp notrack
|
||||
meta l4proto ipv6-icmp notrack
|
||||
meta l4proto {icmp, ipv6-icmp} notrack
|
||||
}
|
||||
|
||||
chain input {
|
||||
@ -27,8 +25,7 @@ table inet filter {
|
||||
|
||||
iif lo accept
|
||||
tcp dport {22, 80, 443} accept
|
||||
ip protocol icmp accept
|
||||
meta l4proto ipv6-icmp accept
|
||||
meta l4proto {icmp, ipv6-icmp} accept
|
||||
|
||||
ct state vmap { invalid : drop, established : accept, related : accept }
|
||||
|
||||
|