Add conntrack chain to snippet for a hook point
thelegy committed Mar 2, 2024
1 parent 3bf23ae commit 133a8f0
Showing 5 changed files with 17 additions and 9 deletions.
4 changes: 2 additions & 2 deletions checks/testCommon.nix
Expand Up @@ -18,15 +18,15 @@ machineTest ({config, ...}: {
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
counter drop
}
chain input {
type filter hook input priority 0; policy drop
iifname { lo } accept
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
jump traverse-from-all-zone-to-fw-zone-rule
counter drop
4 changes: 2 additions & 2 deletions checks/testNat.nix
Expand Up @@ -26,15 +26,15 @@ machineTest ({config, ...}: {
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
counter drop
}
chain input {
type filter hook input priority 0; policy drop
iifname { lo } accept
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
jump traverse-from-all-zone-to-fw-zone-rule
counter drop
4 changes: 2 additions & 2 deletions checks/testWebserver.nix
Expand Up @@ -23,15 +23,15 @@ machineTest ({config, ...}: {
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
counter drop
}
chain input {
type filter hook input priority 0; policy drop
iifname { lo } accept
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
jump traverse-from-all-zone-to-fw-zone-rule
counter drop
4 changes: 2 additions & 2 deletions checks/testZoneExpressions.nix
Expand Up @@ -27,7 +27,7 @@ machineTest ({config, ...}: {
chain forward {
type filter hook forward priority 0; policy drop;
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
jump traverse-from-all-subzones-to-all-subzones-rule
counter drop
Expand All @@ -36,7 +36,7 @@ machineTest ({config, ...}: {
chain input {
type filter hook input priority 0; policy drop
iifname { lo } accept
ct state {established, related} accept
ct state {established, related} accept # inlined: conntrack
ct state invalid drop
jump traverse-from-all-zone-to-fw-zone-rule
counter drop
10 changes: 9 additions & 1 deletion modules/snippets/nnf-conntrack.nix
Expand Up @@ -18,13 +18,21 @@ in
after = mkForce ["veryEarly"];
before = ["early"];
rules = [
"ct state {established, related} accept"
{
onExpression = "ct state {established, related}";
jump = "conntrack";
}
"ct state invalid drop"
];
};
in {
input.conntrack = conntrackRule;
forward.conntrack = conntrackRule;
conntrack.accept = {
after = ["late"];
before = mkForce ["veryLate"];
rules = ["accept"];
};
};
};
}
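Review bot: The new `conntrack` chain turns the accept for established/related traffic from an unconditional rule into a jump whose last rule is `accept`, but nothing in the hunk documents that contract for whoever later adds rules to the hook point. Because the same chain is reached from both `input.conntrack` and `forward.conntrack`, a rule placed in it applies to both hook chains and must itself match on interface or address if it is meant for one direction only; and a rule that merely `return`s from the chain sends the packet on to `ct state invalid drop` and the zone traversal, where the checks show it would likely end at the hook chain's final `counter drop`, a silent behaviour change for established connections. I would add above `conntrack.accept`: `# Hook point for established/related packets from both the input and forward chains. Anything not dropped here is accepted by this trailing rule (ordered after "late"); rules ordered after it — presumably veryLate, given the mkForce — are never reached.` The `conntrackRule` attrset that this hunk edits starts before the hunk.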
