nftables-workstation.nft: mention the IPv6 Neighbor Discovery RFC
diff --git
a/nftables-workstation.nft
b/nftables-workstation.nft
index
7261291
..
c1ffd80
100644
(file)
--- a/
nftables-workstation.nft
+++ b/
nftables-workstation.nft
@@
-40,10
+40,7
@@
table inet filter {
chain input {
type filter hook input priority 0
chain input {
type filter hook input priority 0
-
- ct state established,related accept
- ct state invalid drop
- ct state new jump in-new
+ policy drop
iif lo accept
iif lo accept
@@
-66,7
+63,7
@@
table inet filter {
packet-too-big
} accept
packet-too-big
} accept
- # Allow
auto configuration support
.
+ # Allow
IPv6 Neighbor Discovery (RFC4861)
.
ip6 nexthdr ipv6-icmp icmpv6 type {
nd-router-advert,
nd-router-solicit,
ip6 nexthdr ipv6-icmp icmpv6 type {
nd-router-advert,
nd-router-solicit,
@@
-91,6
+88,11
@@
table inet filter {
# Allow IGMPv3 queries.
ip protocol igmp ip daddr 224.0.0.1 accept
# Allow IGMPv3 queries.
ip protocol igmp ip daddr 224.0.0.1 accept
+ # Stateful filtering for anything else.
+ ct state established,related accept
+ ct state invalid drop
+ ct state new jump in-new
+
# Silently drop other incoming broadcast and multicast traffic.
meta pkttype {broadcast, multicast} drop
# Silently drop other incoming broadcast and multicast traffic.
meta pkttype {broadcast, multicast} drop
@@
-124,12
+126,16
@@
table inet filter {
chain forward {
type filter hook forward priority 0
chain forward {
type filter hook forward priority 0
+ policy drop
+
limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
counter reject
}
chain output {
type filter hook output priority 0
limit rate 3/minute burst 10 packets log prefix "[FORWARD]: "
counter reject
}
chain output {
type filter hook output priority 0
+ policy drop
+
counter accept
}
}
counter accept
}
}
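Review bot: In the input chain the relocated `ct state invalid drop` (hunk `@@ -91,6 +88,11 @@`) now sits below the ICMPv6 and IGMP accept rules, so an ICMPv6 error such as packet-too-big that conntrack cannot tie to a tracked flow, and which it generally classifies as invalid, is accepted by the protocol-specific rule before the stateful check is reached; before this change the invalid-drop rule sat at the top of the chain, ahead of `iif lo accept`. Keeping one line at the top of the chain, `ct state invalid drop` directly below `type filter hook input priority 0`, restores that guard while `ct state established,related accept` and `ct state new jump in-new` can stay where the commit places them. The addition of `policy drop` to the input, forward and output chains is a behavioural change not reflected in the commit title, which mentions only the RFC reference; a sentence in the commit message would help a reader auditing this ruleset later. The input chain's body begins before the second hunk and continues past it.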