nftables.conf tidyup

cronekorkn 2022-09-11 15:43:20 +02:00
parent bc1d3bdec3
commit f19d604213
Signed by: cronekorkn
SSH key fingerprint: SHA256:v0410ZKfuO1QHdgKBsdQNF64xmTxOF8osF1LIqwTcVw


@ -6,60 +6,47 @@ table inet filter {
# INPUT
chain input {
type filter hook input priority 0;
policy drop;
chain input {
type filter hook input priority 0
policy drop
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback traffic.
# allow loopback
iifname lo accept
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
# allow established
ct state vmap { established : accept, related : accept, invalid : drop }
# allow ping
icmp type echo-request accept
icmpv6 type echo-request accept
# allow neighbour discovery
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# Jump to chain according to layer 3 protocol using a verdict map
meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
#rules
# rules
% for rule in sorted(input):
${rule}
% endfor
}
chain inbound_ipv4 {
# accepting ping (icmp-echo-request) for diagnostic purposes.
icmp type echo-request limit rate 5/second accept
}
chain inbound_ipv6 {
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accepting ping (icmpv6-echo-request) for diagnostic purposes.
icmpv6 type echo-request limit rate 5/second accept
}
# FORWARD
chain forward {
type filter hook forward priority 0;
chain forward {
type filter hook forward priority 0
policy accept
#rules
# rules
% for rule in sorted(forward):
${rule}
% endfor
}
}
# OUTPUT
chain output {
type filter hook output priority 0;
chain output {
type filter hook output priority 0
policy accept
# rules
% for rule in sorted(output):
${rule}
% endfor
}
}
}
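Review bot: The new ping rules `icmp type echo-request accept` and `icmpv6 type echo-request accept` in chain input drop the `limit rate 5/second` that the replaced inbound_ipv4/inbound_ipv6 rules carried, so echo requests are now accepted without any bound; for a commit described as a tidy-up that is a behaviour change that should either be restored or named in the message. Keeping the limiter is a two-line change: `icmp type echo-request limit rate 5/second accept` and `icmpv6 type echo-request limit rate 5/second accept`, ideally with the old comment explaining that ping is kept for diagnostic purposes. Separately, the hook and policy lines now rely on a newline instead of `;` as the statement separator; nft accepts either, but since this is a Mako template it is worth confirming the rendered output still loads with `nft -c -f` before deploying.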