emacs-elpa-diffs

From: Stefan Monnier
Subject: [elpa] externals/nftables-mode fb87ee1e07 24/41: Use stateful ICMP/ICMPv6 filtering by default (but leave the vmaps as documentation)
Date: Mon, 23 May 2022 09:27:24 -0400 (EDT)

branch: externals/nftables-mode
commit fb87ee1e07aaecd1dbf5d616de29a4d7c3d2f117
Author: Trent W. Buck <trentbuck@gmail.com>
Commit: Trent W. Buck <trentbuck@gmail.com>

    Use stateful ICMP/ICMPv6 filtering by default (but leave the vmaps as documentation)
---
 nftables-router.nft | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nftables-router.nft b/nftables-router.nft
index 95725d612a..d3ed4f134d 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -327,8 +327,11 @@ table inet my_filter {
         # FIXME: are "ip protocol icmp" and "ip6 nexthdr icmpv6" needed?
         #
         # NOTE: see also "sysctl net.ipv4.icmp_ratelimit=1000".
-        ip protocol icmp  icmp type vmap @ICMP_policy
-        ip6 nexthdr icmpv6  icmpv6 type vmap @ICMPv6_RFC4890_policy
+        #ip protocol icmp  icmp type vmap @ICMP_policy
+        #ip6 nexthdr icmpv6  icmpv6 type vmap @ICMPv6_RFC4890_policy
+        # Simpler version that relies on "ct state" and is PROBABLY good 
enough.
+        icmp type echo-request  accept
+        icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, 
nd-neighbor-advert }  accept
 
         jump my_IPS
     }
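Review bot: the new icmpv6 set accepts nd-router-advert but not nd-router-solicit, so if this is the router's input chain and it answers solicitations, hosts' explicit solicitations are dropped and they have to wait for the next unsolicited RA; the vmap being replaced was named after RFC 4890, which lists RS together with RA, NS and NA as messages that must not be filtered, so consider adding nd-router-solicit (and the MLD listener types if the box routes multicast). Conversely, accepting nd-router-advert from every interface on a router lets any LAN host advertise prefixes and routes to it; if the upstream side is the only place RAs are expected, restrict that element to that interface or drop it. The "PROBABLY good enough" comment should say what it relies on: "ct state" only covers ICMP/ICMPv6 error messages related to an existing flow, not the unsolicited ND and echo traffic listed here. Two smaller points: the FIXME at the top of the hunk is answered by the new lines, since nft adds the ip/ip6 protocol dependency implicitly for "icmp type" and "icmpv6 type", so it can go; and the two commented-out vmap rules are dead config, so if @ICMP_policy and @ICMPv6_RFC4890_policy are being kept as documentation, a one-line comment pointing at the map definitions reads better than commented-out rules.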
