From: Antonio Ospite <ao2@ao2.it>
Date: Thu, 26 Apr 2018 15:40:34 +0000 (+0200)
Subject: nftables-workstation.nft: perform stateful filtering after the static rules
X-Git-Url: https://git.ao2.it/config/nftables.git/commitdiff_plain/12e93e43f784d94c08d802bab7183587d069cf17?ds=sidebyside

nftables-workstation.nft: perform stateful filtering after the static rules
---

diff --git a/nftables-workstation.nft b/nftables-workstation.nft
index ecfb200..c227df2 100644
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -42,10 +42,6 @@ table inet filter {
         type filter hook input priority 0
         policy drop
 
-        ct state established,related accept
-        ct state invalid drop
-        ct state new jump in-new
-
         iif lo accept
 
         ip protocol icmp icmp type {
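Review bot: Removing `ct state invalid drop` from the top of the input chain means the accept rules that now come first (`iif lo accept`, the `icmp type` set on the next line and the later static accepts) match before any conntrack check, so a packet conntrack classifies as invalid is accepted whenever it matches one of them instead of being dropped; established flows are likewise re-evaluated against every static rule on each packet. If the goal is only to let the static rules take precedence over `ct state new jump in-new`, the guard can be kept by leaving `ct state invalid drop` directly after `policy drop` and moving only the other two lines. The rest of the input chain, including the re-added block, is in the following hunk, which continues past this view.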
@@ -92,6 +88,11 @@ table inet filter {
         # Allow IGMPv3 queries.
         ip protocol igmp ip daddr 224.0.0.1 accept
 
+        # Stateful filtering for anything else.
+        ct state established,related accept
+        ct state invalid drop
+        ct state new jump in-new
+
         # Silently drop other incoming broadcast and multicast traffic.
         meta pkttype {broadcast, multicast} drop