branch: externals/nftables-mode commit 9058451303b3d05b544c51de14d57a78caf05a00 Author: Trent W. Buck <trentb...@gmail.com> Commit: Trent W. Buck <trentb...@gmail.com>
correct for Towards a Perfect Ruleset number
---
 nftables-host.nft | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index 53082bd3ca..38fdef5cdc 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -70,7 +70,7 @@ table inet my_filter {
 chain my_input {
 type filter hook input priority filter
 policy drop
- # Typically 95%+ of packets are part of an already-established flow.
+ # Typically 99%+ of packets are part of an already-established flow.
 # Allow those first, so we're a fast, stateful firewall.
 # The rest SHOULD be "ct state new" (or untracked).
 # FIXME: is a vmap here better (more efficient) than two separate rules?
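Review bot: The revised percentage in the changed comment line is still a bare statistic with no source, so the next reader cannot tell whether 99% or 95% is right without redoing the research behind this commit. Since the commit title attributes the number to "Towards a Perfect Ruleset", name that reference in the comment itself, e.g. `# Typically 99%+ of packets are part of an already-established flow (figure from "Towards a Perfect Ruleset").` The body of chain my_input continues past the end of the hunk, so the rules the comment introduces are not visible here.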