branch: externals/nftables-mode commit fb87ee1e07aaecd1dbf5d616de29a4d7c3d2f117 Author: Trent W. Buck <trentb...@gmail.com> Commit: Trent W. Buck <trentb...@gmail.com>
Use stateful ICMP/ICMPv6 filtering by default (but leave the vmaps as documentation)
---
 nftables-router.nft | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/nftables-router.nft b/nftables-router.nft
index 95725d612a..d3ed4f134d 100644
--- a/nftables-router.nft
+++ b/nftables-router.nft
@@ -327,8 +327,11 @@ table inet my_filter {
 # FIXME: are "ip protocol icmp" and "ip6 nexthdr icmpv6" needed?
 #
 # NOTE: see also "sysctl net.ipv4.icmp_ratelimit=1000".
- ip protocol icmp icmp type vmap @ICMP_policy
- ip6 nexthdr icmpv6 icmpv6 type vmap @ICMPv6_RFC4890_policy
+ #ip protocol icmp icmp type vmap @ICMP_policy
+ #ip6 nexthdr icmpv6 icmpv6 type vmap @ICMPv6_RFC4890_policy
+ # Simpler version that relies on "ct state" and is PROBABLY good enough.
+ icmp type echo-request accept
+ icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
 jump my_IPS
 }
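Review bot: The new ICMPv6 accept set omits nd-router-solicit, so a host on the LAN that sends a Router Solicitation to this router (the file is nftables-router.nft) will not get an answered RA and has to wait for the next unsolicited one; Neighbor Discovery is stateless, so the "ct state" rule the comment relies on does not rescue it. Suggest `icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept`. Accepting nd-router-advert unconditionally on a router is only safe if the kernel is not honouring RAs on those interfaces (accept_ra disabled), which this hunk cannot confirm; if that is the intent, say so in the comment. The ct-state rule, the chain header and the chain's remaining rules all lie outside this hunk, so whether ICMP error types such as packet-too-big reach an established/related accept before any drop is not verifiable here.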