
nftables: Unify counters

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm vor 2 Jahren
Commit
ea5aef8de8
1 geänderte Dateien mit 9 neuen und 9 gelöschten Zeilen
  1. 9 9
      nftables/nftables.conf.tmpl

+ 9 - 9
nftables/nftables.conf.tmpl

@@ -39,17 +39,17 @@ table ip filter {
 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
 		udp dport 4789 jump vxlan
 		jump urpf
-		ip protocol icmp counter jump icmp_chain
+		ip protocol icmp jump icmp_chain
 		ct state invalid counter drop
-		counter jump admin_access
-		counter jump monitoring
+		jump admin_access
+		jump monitoring
 		tcp dport 22 counter jump ssh
 {%- if 'router' in roles %}
-		ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf accept
+		ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf counter accept
 		tcp dport 179 counter jump bgp
 {%- endif %}
 		ct state related,established counter accept
-		counter jump services
+		jump services
 		meta pkttype broadcast counter drop comment "Drop broadcasts before logging"
 		limit rate 1/second burst 3 packets counter log prefix "nf input: "
 		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
@@ -158,13 +158,13 @@ table ip6 filter {
 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
 		udp dport 4789 jump vxlan
 		jump urpf
-		meta l4proto icmpv6 counter jump icmp_chain
+		meta l4proto icmpv6 jump icmp_chain
 		ct state invalid counter drop
-		counter jump admin_access
-		counter jump monitoring
+		jump admin_access
+		jump monitoring
 		tcp dport 22 counter jump ssh
 {%- if 'router' in roles %}
-		ip6 saddr fe80::/64 ip6 daddr { fe80::/10, ff02::5, ff02::6 } meta l4proto ospf accept
+		ip6 saddr fe80::/64 ip6 daddr { fe80::/10, ff02::5, ff02::6 } meta l4proto ospf counter accept
 		tcp dport 179 counter jump bgp
 {%- endif %}
 		ct state related,established counter accept comment "Allow established connections."
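Review bot: The unification is not applied uniformly — the counter is dropped from the matched jumps `ip protocol icmp jump icmp_chain` (first hunk) and `meta l4proto icmpv6 jump icmp_chain` (second hunk), while the parallel matched jumps `tcp dport 22 counter jump ssh` and `tcp dport 179 counter jump bgp` keep theirs, and `udp dport 4789 jump vxlan` has none in either version. If the rule is that only unconditional jumps (`jump admin_access`, `jump monitoring`, `jump services`, `jump urpf`) go uncounted, the two icmp lines should read `ip protocol icmp counter jump icmp_chain` and `meta l4proto icmpv6 counter jump icmp_chain`; if jumps are never to be counted, the ssh and bgp lines should lose their counters as well. Without a counter on the icmp jump, the ICMP volume entering icmp_chain is only visible if the rules inside that chain carry counters, which this diff does not show. A one-line comment at the top of each input chain stating the convention, e.g. `# counters on verdicts and matched jumps; unconditional jumps are counted inside the target chain`, would keep future edits consistent.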