[elpa] externals/nftables-mode 8fcd04379c 08/41: bugfix and tweak
From: Stefan Monnier
Subject: [elpa] externals/nftables-mode 8fcd04379c 08/41: bugfix and tweak
Date: Mon, 23 May 2022 09:27:22 -0400 (EDT)
branch: externals/nftables-mode
commit 8fcd04379c795ce6d0e9ef8b825c15358822baf6
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>
bugfix and tweak
---
nftables-host.nft | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index 01ddc68e2f..53082bd3ca 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -74,18 +74,19 @@ table inet my_filter {
# Allow those first, so we're a fast, stateful firewall.
# The rest SHOULD be "ct state new" (or untracked).
# FIXME: is a vmap here better (more efficient) than two separate
rules?
- ct state vmap { established or related: accept, invalid: drop }
+ # FIXME: {established or related: accept} does not match correctly!
+ ct state vmap { established: accept, related: accept, invalid: drop }
# Loopback traffic is needed for e.g. NFS RPC, and for debugging.
# NOTE: assumes exactly one loopback interface named "lo" that already
exists.
# FIXME: why "iif lo" not "ifftype loopback"? Is it just inertia?
- iiftype loopback accept
+ iiftype loopback accept
# Allow arbitrary IPv4/ICMP and IPv6/ICMPv6.
# FIXME: this is too broad -- narrow this!
# FIXME: rate-limit (some) ICMPv4 by source IP?
- ip protocol icmp accept
+ ip protocol icmp accept
# FIXME: should we limit to "ip6 nexthdr icmpv6"?
- icmpv6 type vmap @ICMPv6_RFC4890_policy
+ icmpv6 type vmap @ICMPv6_RFC4890_policy
# YOUR RULES HERE.
# NOTE: service names resolve via nss (/etc/hosts) only in nft 0.9.1+!
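Review bot: the new FIXME on the `ct state vmap` line records that `{established or related: accept}` did not match, but not why or how that was observed, so the next reader cannot tell whether the problem was in the ruleset or in the nft version in use; suggest the comment state the nft version where it failed and what `nft list ruleset` showed for the loaded map, and drop the `or` form from the comment once the split keys `established: accept, related: accept` are confirmed as the fix. Separately, the `iiftype loopback accept`, `ip protocol icmp accept` and `icmpv6 type vmap @ICMPv6_RFC4890_policy` lines appear to change only whitespace in this hunk (the visible text of the removed and added lines is identical); mixing re-indentation with a behavioural fix makes the diff harder to review and belongs in its own commit. The comment above the loopback rule asks why "iif lo" rather than "ifftype loopback" while the rule itself already uses `iiftype loopback`, and "ifftype" is a typo for `iiftype`; reword it to say which form is being questioned.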
@@ -130,6 +131,12 @@ table inet my_filter {
# ip6 hoplimit 1 # for LLMNR
# ip6 hoplimit 255 # for RA/RS/NA/NS
# ip6 saddr fe80::/10 # for LLMNR and MLD
+ #
+ # NOTE: I was going to use named types, but "nft describe icmpv6 type"
doesn't have them all.
+ # Also, using bare numbers makes it possible to use intervals
intuitively.
+ #
+ # FIXME: add "auto-merge" when possible
+ # (nft 0.9.1 has set auto-merge, but not map auto-merge).
map ICMPv6_RFC4890_policy {
type icmpv6_type : verdict
flags interval
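Review bot: the FIXME about auto-merge in the new comment block should say what the missing flag costs, because `flags interval` is declared right below it: without auto-merge, elements whose ranges overlap are not merged for you and can be rejected at load time, so the RFC 4890 ranges must be written as non-overlapping intervals by hand. Suggest stating that constraint next to the FIXME and recording the nft version (0.9.1 is named) on which "set auto-merge, but not map auto-merge" was observed, so the FIXME can be retired once the map form is available. The NOTE about bare numbers versus named types from `nft describe icmpv6 type` is useful; listing which named types were found missing would let a later reader re-check it against a newer nft.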