Message ID | cff119b8c775d3a4ae016e66047cd2228cc88278.1691968893.git.wolf@wolfsden.cz |
---|---|
State | New |
Series | [bug#65275] services: %default-nftables-ruleset: Tighten the rules. |
Hi,

Tomas Volf <wolf@wolfsden.cz> skribis:

> Packets for local host IP ranges should be coming only over lo. If that is
> not the case, we should drop them. Use iif for the check instead of iifname,
> lo is guaranteed to exist, and iif is faster.
>
> * gnu/services/networking.scm: Tighten the rules.

I tweaked the commit log and finally applied it, thanks!

Ludo’.
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 5657b141d9..e24d2a876a 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -1804,7 +1804,10 @@ (define %default-nftables-ruleset ct state { established, related } accept # allow from loopback - iifname lo accept + iif lo accept + # drop connections to lo not coming from lo + iif != lo ip daddr 127.0.0.1/8 drop + iif != lo ip6 daddr ::1/128 drop # allow icmp ip protocol icmp accept
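Review bot: the two new `iif != lo ... drop` rules sit after `ct state { established, related } accept`, so any packet destined for 127.0.0.0/8 or ::1 that matches an existing conntrack entry is accepted before the drop is ever evaluated; if the intent is that loopback-destined traffic on a non-lo interface is always dropped, the drop rules belong above the conntrack accept (or at least above the `iif lo accept` line) so they are not shadowed by state. Two smaller points: `127.0.0.1/8` is accepted by nft but the host bits are masked away, so writing the network address `127.0.0.0/8` states the intent more plainly; and since the kernel already discards such packets as martians unless `route_localnet` is enabled, a comment noting that these rules are defense in depth rather than the only guard would help future readers of `%default-nftables-ruleset`.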