forked from DGNum/liminix
move nftables fib rule to the prerouting hook
parent
6101f3f3d8
commit
78d223a839
1 changed files with 2 additions and 2 deletions
|
@ -6,6 +6,8 @@ let
|
||||||
bogons-ip6 = {
|
bogons-ip6 = {
|
||||||
type = "filter";
|
type = "filter";
|
||||||
family = "ip6";
|
family = "ip6";
|
||||||
|
policy = "accept";
|
||||||
|
hook = "prerouting";
|
||||||
rules = [
|
rules = [
|
||||||
(drop "ip6 saddr ff00::/8") # multicast saddr is illegal
|
(drop "ip6 saddr ff00::/8") # multicast saddr is illegal
|
||||||
|
|
||||||
|
@ -38,7 +40,6 @@ let
|
||||||
policy = "drop";
|
policy = "drop";
|
||||||
hook = "forward";
|
hook = "forward";
|
||||||
rules = [
|
rules = [
|
||||||
"jump bogons-ip6"
|
|
||||||
(drop "ip6 saddr ::1/128") # loopback address [RFC4291]
|
(drop "ip6 saddr ::1/128") # loopback address [RFC4291]
|
||||||
(drop "ip6 daddr ::1/128")
|
(drop "ip6 daddr ::1/128")
|
||||||
(drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
|
(drop "ip6 saddr ::FFFF:0:0/96")# IPv4-mapped addresses
|
||||||
|
@ -101,7 +102,6 @@ let
|
||||||
policy = "drop";
|
policy = "drop";
|
||||||
hook = "input";
|
hook = "input";
|
||||||
rules = [
|
rules = [
|
||||||
"jump bogons-ip6"
|
|
||||||
(accept "meta l4proto icmpv6")
|
(accept "meta l4proto icmpv6")
|
||||||
(if allow-incoming
|
(if allow-incoming
|
||||||
then accept "oifname \"int\" iifname \"ppp0\""
|
then accept "oifname \"int\" iifname \"ppp0\""
|
||||||
|
|
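Review bot: The new base chain sets `hook = "prerouting"` and `policy = "accept"`, but no priority is visible in the hunk, so where the bogon and fib drops run relative to connection tracking and any NAT chain on the same hook depends on whatever default the chain generator emits. For an anti-spoofing filter that ordering matters: at nftables' `filter` priority (0) a packet has already gone through conntrack and any DNAT before the check, whereas `priority raw` (-300) evaluates it first. I would state the priority explicitly if the generator accepts one, and add a comment above the hook line such as `# base chain: sees input and forwarded traffic before the routing decision; accept here only ends this chain, the input/forward chains still apply`. Since nftables does not allow a base chain as a jump target, it is also worth confirming that no chain outside these hunks still contains `jump bogons-ip6`. The `let` block continues outside the hunks shown.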