
[bug#65275] services: %default-nftables-ruleset: Tighten the rules.

Message ID cff119b8c775d3a4ae016e66047cd2228cc88278.1691968893.git.wolf@wolfsden.cz

Commit Message

Tomas Volf Aug. 13, 2023, 11:21 p.m. UTC
Packets for local host IP ranges should be coming only over lo.  If that is
not the case, we should drop them.  Use iif for the check instead of iifname;
lo is guaranteed to exist, and iif is faster.

* gnu/services/networking.scm: Tighten the rules.
---
 gnu/services/networking.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


base-commit: be6f5edd445850720dfcec2642db643b84fc0645

Comments

Ludovic Courtès Oct. 19, 2023, 8 p.m. UTC | #1
Hi,

Tomas Volf <wolf@wolfsden.cz> wrote:

> Packets for local host IP ranges should be coming only over lo.  If that is
> not the case, we should drop them.  Use iif for the check instead of iifname;
> lo is guaranteed to exist, and iif is faster.
>
> * gnu/services/networking.scm: Tighten the rules.

I tweaked the commit log and finally applied it, thanks!

Ludo’.

Patch

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 5657b141d9..e24d2a876a 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1804,7 +1804,10 @@  (define %default-nftables-ruleset
     ct state { established, related } accept
 
     # allow from loopback
-    iifname lo accept
+    iif lo accept
+    # drop connections to lo not coming from lo
+    iif != lo ip daddr 127.0.0.1/8 drop
+    iif != lo ip6 daddr ::1/128 drop
 
     # allow icmp
     ip protocol icmp accept
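Review bot: the `iif != lo` qualifier on the two new drop rules is redundant, since the `iif lo accept` immediately above already diverts every packet arriving on lo before these lines are evaluated; keeping it is harmless and documents intent, but the comment "drop connections to lo not coming from lo" is inaccurate: the rules carry no `ct` qualifier and match individual packets, so something like "drop packets to loopback addresses not arriving on lo" would describe them better. Also, `ip daddr 127.0.0.1/8` is accepted by nft but is a host address with a prefix length; nft normalises it and `nft list ruleset` will show `127.0.0.0/8`, so writing the network address in the source avoids the mismatch between the file and the loaded ruleset. Finally, these rules only cover the destination side; a packet with a loopback source address arriving on a non-lo interface is not addressed by this change, which is fine for the stated goal but worth noting in the comment so nobody assumes spoofed loopback sources are handled here.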