authorTomas Volf <wolf@wolfsden.cz>2023-08-14 01:21:33 +0200
committerLudovic Courtès <ludo@gnu.org>2023-10-20 00:33:26 +0200
commit82f9e5ac97e076d57b8502c920ac770a82879b9a (patch)
tree9eeed3200a00529e20c2e4bf706b1ff26e50ca67 /gnu
parent6156bf9078e52483cad01ca3fad2ad793773d0bc (diff)
services: nftables: Tighten the default rules.
Packets for local host IP ranges should be coming only over lo. If that is not the case, we should drop them. Use iif for the check instead of iifname: lo is guaranteed to exist, and iif is faster. * gnu/services/networking.scm (%default-nftables-ruleset): Tighten the rules. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu')
-rw-r--r--gnu/services/networking.scm5
1 files changed, 4 insertions, 1 deletions
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 99889e3072..0508a4282c 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1813,7 +1813,10 @@ table inet filter {
ct state { established, related } accept
# allow from loopback
- iifname lo accept
+ iif lo accept
+ # drop connections to lo not coming from lo
+ iif != lo ip daddr 127.0.0.1/8 drop
+ iif != lo ip6 daddr ::1/128 drop
# allow icmp
ip protocol icmp accept