From 78d223a839071fa35236194112e58a5cf5489c02 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Tue, 27 Jun 2023 21:23:15 +0100
Subject: [PATCH] move nftables fib rule to the prerouting hook

---
 examples/rotuer-firewall.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/rotuer-firewall.nix b/examples/rotuer-firewall.nix
index d5fe5de..a07baaf 100644
--- a/examples/rotuer-firewall.nix
+++ b/examples/rotuer-firewall.nix
@@ -6,6 +6,8 @@ let
   bogons-ip6 = {
     type = "filter";
     family = "ip6";
+    policy = "accept";
+    hook = "prerouting";
     rules = [
       (drop "ip6 saddr ff00::/8") # multicast saddr is illegal
@@ -38,7 +40,6 @@ let
     policy = "drop";
     hook = "forward";
     rules = [
-      "jump bogons-ip6"
       (drop "ip6 saddr ::1/128") # loopback address [RFC4291]
       (drop "ip6 daddr ::1/128")
       (drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
@@ -101,7 +102,6 @@ let
     policy = "drop";
     hook = "input";
     rules = [
-      "jump bogons-ip6"
       (accept "meta l4proto icmpv6")
       (if allow-incoming then accept "oifname \"int\" iifname \"ppp0\""
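Review bot: The two added lines turn `bogons-ip6` into a base chain, but no `priority` is set next to `type` and `hook`; nftables requires a priority on every base chain, so unless the helper that renders these attribute sets supplies a default, the generated ruleset will fail to load — either add `priority = 0;` (or whatever the module's convention is) here or confirm the default exists. With `policy = "accept"` the chain only filters through its explicit drop rules, which is equivalent to the old arrangement where it was reached by jump from the drop-policy input and forward chains, but that reasoning is no longer visible at the call sites since both jumps are removed in the later hunks. A short comment above the new lines, such as `# base chain on prerouting: sees every inbound packet once, replacing the jumps from input/forward`, would record the intent. The `bogons-ip6` attribute set continues past the end of this hunk.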