From d12b470c4fa50fe72efd1957c0289040eb372c6c Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Wed, 28 Feb 2024 09:58:37 +0100
Subject: Update nftable's icmp rules
---
playbooks.d/fw-nftables/playbook.bash | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
index 1e52680..c0b366c 100644
--- a/playbooks.d/fw-nftables/playbook.bash
+++ b/playbooks.d/fw-nftables/playbook.bash
@@ -38,12 +38,18 @@ playbook_sync() {
# Add ICMP rules
info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
printf "\n"
- printf "\t\tip protocol icmp icmp type echo-request" \ # IPv4
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
+ printf "\t\tmeta l4proto icmp" \ # IPv4
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
+ fi
printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
printf ";\n"
- printf "\t\tip6 nexthdr icmpv6 icmpv6 type echo-request" \ # IPv6
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "2/second")"
+ printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")"
+ fi
printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
printf ";\n"
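Review bot: The `"2/second"` fallback passed to `config` on the IPv4 branch is dead, because the `if` just above it only enters when the configured rate is non-empty, and the IPv6 branch omits it, so the two branches now disagree for no reason; I would write both as `printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate")"` (and the `ipv6` counterpart). Note that the unconditional 2/second limit the removed lines applied is gone: unless a rate is configured, the rule now accepts every ICMP and ICMPv6 type, not only echo-request, with no limit at all, which is presumably deliberate (all-types matching is what NDP and PMTU discovery need) but deserves a comment such as `# No rate limit unless configured; all ICMP types are matched, not just echo-request`. The trailing `\ # IPv4` / `\ # IPv6` on the new printf lines is an escaped space followed by a comment rather than a line continuation, which is the only reason the following `if` is not swallowed as a printf argument; moving each comment onto its own line would make that explicit. playbook_sync() starts and continues outside this hunk.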
--