From 12e93e43f784d94c08d802bab7183587d069cf17 Mon Sep 17 00:00:00 2001
From: Antonio Ospite
Date: Thu, 26 Apr 2018 17:40:34 +0200
Subject: [PATCH] nftables-workstation.nft: perform stateful filtering after the static rules
---
 nftables-workstation.nft | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/nftables-workstation.nft b/nftables-workstation.nft
index ecfb200..c227df2 100644
--- a/nftables-workstation.nft
+++ b/nftables-workstation.nft
@@ -42,10 +42,6 @@ table inet filter {
 type filter hook input priority 0 policy drop
- ct state established,related accept
- ct state invalid drop
- ct state new jump in-new
-
 iif lo accept
 ip protocol icmp icmp type {
@@ -92,6 +88,11 @@ table inet filter {
 # Allow IGMPv3 queries.
 ip protocol igmp ip daddr 224.0.0.1 accept
+ # Stateful filtering for anything else.
+ ct state established,related accept
+ ct state invalid drop
+ ct state new jump in-new
+
 # Silently drop other incoming broadcast and multicast traffic.
 meta pkttype {broadcast, multicast} drop
--
2.1.4
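Review bot: After this move, `ct state invalid drop` only runs once a packet has passed `iif lo accept` and the ICMP/IGMP accept rules, so a packet in the invalid conntrack state that matches one of those static accepts is now accepted, whereas before the first hunk's removal it was dropped before any static rule was consulted. If the goal is only to let the static rules see traffic before the established-flow shortcut, the invalid check can stay where it was: keep `ct state invalid drop` directly after the `policy drop` line and move only `ct state established,related accept` and `ct state new jump in-new` down to the second hunk. The new comment would also be clearer if it said what "anything else" covers, e.g. `# Stateful filtering for traffic not matched by the static rules above.` The enclosing `chain input` block begins and ends outside both hunks, so any rules between the shown context lines are not visible here.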