X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/0e74e2f70ceb291199499bcd7aa1828e1908fa65..d3a2e51da96cc65a58e58e0ac21e92635473ef05:/cookbooks/networking/templates/default/nftables.conf.erb
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index d98237d6e..f1773f384 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -24,12 +24,12 @@ table inet chef-filter {
 set ip-blocklist {
 type ipv4_addr
- flags dynamic
+ flags interval
 }
 set ip6-blocklist {
 type ipv6_addr
- flags dynamic
+ flags interval
 }
 set ratelimit-icmp-echo-ip {
@@ -57,6 +57,13 @@ table inet chef-filter {
 <%- end %>
 }
+<%- end %>
+
+<%- node[:networking][:firewall][:helpers].each do |helper| %>
+ ct helper <%= helper[:name] %> {
+ type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %>
+ }
+
 <%- end %>
 chain log-and-drop {
 limit rate 1/second log
@@ -79,9 +86,6 @@ table inet chef-filter {
 ip saddr @ip-blocklist jump log-and-drop
 ip6 saddr @ip6-blocklist jump log-and-drop
- ct state { established, related } accept
-
- icmp type { destination-unreachable } accept
 icmp type { echo-request } update @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept
 icmp type { echo-request } drop
@@ -89,6 +93,8 @@ table inet chef-filter {
 icmpv6 type { echo-request } update @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
 icmpv6 type { echo-request } drop
+ ct state { established, related } accept
+
 meta l4proto { icmp, icmpv6 } jump log-and-drop
 tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop
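Review bot: With `flags dynamic` replaced by `flags interval` on `ip-blocklist` and `ip6-blocklist`, the sets can now hold prefixes and ranges, but nftables rejects overlapping elements in an interval set at load time unless `auto-merge` is declared, and a failed load either keeps a stale ruleset or, at boot, leaves no ruleset at all. The element source for these sets is outside the hunk, so I cannot tell whether overlaps (a /24 plus a single address inside it) can occur; if they can, add `auto-merge` after the `flags interval` line in both sets. Dropping `dynamic` also means any rule elsewhere in the template that adds to these sets from the packet path (`add @ip-blocklist { ... }`) would no longer load — presumably none exists, but that is worth confirming.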
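Review bot: The `ct helper` objects added here only take effect through a `ct helper set` rule, which is not in this hunk; that rule should match the specific protocol and destination port the helper is meant for rather than all traffic, because conntrack helpers parse payload and create expectation pinholes, which is why the kernel defaults `nf_conntrack_helper` to off. `helper[:helper]` is interpolated inside double quotes and `helper[:protocol]` bare, with no validation in the template, so a value containing a quote or whitespace breaks the whole ruleset load. Both come from node attributes rather than untrusted input, so a comment above the loop stating the contract, `# helper: kernel conntrack helper name, e.g. "ftp"; protocol: tcp or udp`, would be enough. The trailing context `<%- end %>` now closes the helpers loop rather than the sets loop, which is easy to misread without that comment.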
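Review bot: The moved `ct state { established, related } accept` now sits directly ahead of `meta l4proto { icmp, icmpv6 } jump log-and-drop`, so with the explicit `icmp type { destination-unreachable } accept` removed in the previous hunk, ICMP errors are accepted only when conntrack relates them to a tracked flow; that is a sound tightening, but stateless ICMPv6 neighbour discovery and router advertisements are never established or related and must be accepted before that catch-all. The single old line between the two hunks is not visible here, so I cannot confirm that an `icmpv6 type { ... } accept` rule covering them survives; please check. Presumably the rule was moved so that traffic conntrack already classifies as established cannot bypass the echo rate-limit rules above it; I would record that above the moved line, `# placed after the echo rate-limit rules so established/related traffic cannot bypass them; ICMP errors are accepted only when related to a tracked flow`, and, if not already present earlier in the chain, put `ct state invalid drop` ahead of it. The enclosing chain begins and ends outside the hunk.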