paulbsd/paulbsd-salt
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updated nftables state
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Paul 2024-07-21 23:03:36 +02:00
parent 63c1df90e7
commit e2b1bf4cda
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
states/nftables/templates/rules.nft.j2
View File

@ -11,6 +11,7 @@ add chain ip filter OUTPUT { type filter hook output priority 0; policy accept;
add chain ip filter DOCKER add chain ip filter DOCKER
add rule ip filter INPUT iifname lo counter accept add rule ip filter INPUT iifname lo counter accept
add rule ip filter INPUT iifname tun* counter accept add rule ip filter INPUT iifname tun* counter accept
add rule ip filter INPUT iifname tailscale* counter accept
add rule ip filter INPUT iifname br* counter accept add rule ip filter INPUT iifname br* counter accept
add rule ip filter INPUT iifname veth* counter accept add rule ip filter INPUT iifname veth* counter accept
add rule ip filter INPUT iifname lxc* counter accept add rule ip filter INPUT iifname lxc* counter accept
@ -60,6 +61,7 @@ add chain ip6 filter6 FORWARD { type filter hook forward priority 0; policy acce
add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; } add chain ip6 filter6 OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip6 filter6 INPUT iifname lo counter accept add rule ip6 filter6 INPUT iifname lo counter accept
add rule ip6 filter6 INPUT iifname tun* counter accept add rule ip6 filter6 INPUT iifname tun* counter accept
add rule ip6 filter6 INPUT iifname tailscale* counter accept
add rule ip6 filter6 INPUT ct state related,established counter accept add rule ip6 filter6 INPUT ct state related,established counter accept
add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
{%- for network in net.ip_networks %} {%- for network in net.ip_networks %}