From d0f7d224da3c01b487094d6f5071ebd6a8c30437 Mon Sep 17 00:00:00 2001 From: K900 Date: Wed, 22 Mar 2023 17:45:05 +0300 Subject: [PATCH] nixos/firewall-nftables: avoid using wildcards Those were added in kernel 5.13, which is newer than our oldest supported. --- .../services/networking/firewall-nftables.nix | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/networking/firewall-nftables.nix b/nixos/modules/services/networking/firewall-nftables.nix index 0ed3c228075d..452dd97d89d2 100644 --- a/nixos/modules/services/networking/firewall-nftables.nix +++ b/nixos/modules/services/networking/firewall-nftables.nix @@ -94,7 +94,13 @@ in ${optionalString (ifaceSet != "") ''iifname { ${ifaceSet} } accept comment "trusted interfaces"''} # Some ICMPv6 types like NDP is untracked - ct state vmap { invalid : drop, established : accept, related : accept, * : jump input-allow } comment "*: new and untracked" + ct state vmap { + invalid : drop, + established : accept, + related : accept, + new : jump input-allow, + untracked: jump input-allow, + } ${optionalString cfg.logRefusedConnections '' tcp flags syn / fin,syn,rst,ack log level info prefix "refused connection: " @@ -143,7 +149,13 @@ in chain forward { type filter hook forward priority filter; policy drop; - ct state vmap { invalid : drop, established : accept, related : accept, * : jump forward-allow } comment "*: new and untracked" + ct state vmap { + invalid : drop, + established : accept, + related : accept, + new : jump forward-allow, + untracked : jump forward-allow, + } }