From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 242fae1e71 11/41: limit ICMP by type, tweak notes, expand on iif vs iifname, document "flush table" gotcha
Date: Mon, 23 May 2022 09:27:22 -0400 (EDT)
branch: externals/nftables-mode
commit 242fae1e7171012c0fb7ceb9a2d8b10faa5ddfa8
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
limit ICMP by type, tweak notes, expand on iif vs iifname, document "flush
table" gotcha
---
nftables-host.nft | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index d218446a4f..842ee961b4 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -204,17 +204,22 @@ table inet my_filter {
map ICMP_policy {
type icmp_type : verdict
flags interval
- elements = { #FIXME: icmp type 5 12 13 14 40
- destination-unreachable: accept, # RFC 4890 4.3.1 essential errors
- time-exceeded: accept, # RFC 4890 4.3.1 essential errors
- parameter-problem: accept, # RFC 4890 4.3.1 essential errors
- echo-request: accept, # RFC 4890 4.3.1 echo (ping)
- echo-reply: accept, # RFC 4890 4.3.1 echo (ping)
- source-quench: drop, # deprecated
- 1 - 2: drop, # unassigned
- 6 - 7: drop, # deprecated / unassigned
- 9 - 10: accept, # RFC 4890 4.3.3 & 4.4.1 (IRDP -
alternative to DHCPv4??)
- 15 - 255: drop, # deprecated / unassigned /
reserved / experimental
+ elements = {
+ destination-unreachable: accept, # RFC 4890 4.3.1 essential
errors
+ time-exceeded: accept, # RFC 4890 4.3.1 essential
errors
+ parameter-problem: accept, # RFC 4890 4.3.1 essential
errors
+ echo-request: accept, # RFC 4890 4.3.1 echo (ping)
+ echo-reply: accept, # RFC 4890 4.3.1 echo (ping)
+ router-advertisement: accept, # RFC 4890 4.3.3 & 4.4.1 (IRDP
- alternative to DHCPv4??)
+ router-solicitation: accept, # RFC 4890 4.3.3 & 4.4.1 (IRDP
- alternative to DHCPv4??)
+ redirect: drop, # RFC 4890 4.3.3 & 4.4.4
Redirect
+ source-quench: drop, # deprecated
+ 1 - 2: drop, # unassigned
+ 6 - 7: drop, # deprecated / unassigned
+ 15 - 39: drop, # deprecated / unassigned /
reserved / experimental
+ 41 - 255: drop, # deprecated / unassigned /
reserved / experimental
+ 13 - 14: continue, # FIXME Timestamp / Timestamp
Reply???
+ 40: continue, # FIXME Photuris???
}
}
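Review bot: the two FIXME entries at the end of the map, `13 - 14: continue` and `40: continue`, do not actually decide what happens to Timestamp/Timestamp Reply and Photuris: in a verdict map `continue` means the lookup matched and evaluation simply proceeds to the rules after the `vmap` lookup, so whether those types are accepted or dropped now depends on whatever follows in the chain and on its policy, none of which this hunk shows. If the intent of "limit ICMP by type" is that this map is the single point of decision, give them an explicit verdict (`drop` is what the neighbouring unassigned/deprecated ranges already get) and keep the FIXME in the comment; otherwise a comment naming the later rule expected to catch them would spare the next reader the same question. A smaller documentation point: every comment cites RFC 4890, which is the ICMPv6 filtering recommendation, while this map is `type icmp_type` (ICMPv4); the carry-over to ICMPv4 types is reasonable but worth stating once in the comment, and the author's own "??" on the IRDP lines suggests the `accept` for `router-advertisement`/`router-solicitation` (ICMPv4 types 9/10) is unresolved, so if the host runs no IRDP client, `drop` is the conservative choice there as well.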