From a4c4a8a5a8cde7f9bf91ae49a9dc1ce23e77293b Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 4 Mar 2023 15:53:25 +0000
Subject: [PATCH] Fix flag matches to work on 20.04
---
 .../networking/templates/default/nftables.conf.erb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 426c102ee..55c4a1c18 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -82,13 +82,13 @@ table inet filter {
 meta l4proto { icmp, icmpv6 } jump log-and-drop
-tcp flags fin,psh,urg / fin,syn,rst,psh,ack,urg jump log-and-drop
-tcp flags ! fin,syn,rst,psh,ack,urg jump log-and-drop
-tcp flags syn,rst / syn,rst jump log-and-drop
-tcp flags fin,rst / fin,rst jump log-and-drop
-tcp flags fin,syn / fin,syn jump log-and-drop
-tcp flags fin,psh / fin,psh,ack jump log-and-drop
-tcp sport 0 tcp flags syn / fin,syn,rst,ack jump log-and-drop
+tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop
+tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 jump log-and-drop
+tcp flags & (syn|rst) == syn|rst jump log-and-drop
+tcp flags & (fin|rst) == fin|rst jump log-and-drop
+tcp flags & (fin|syn) == fin|syn jump log-and-drop
+tcp flags & (fin|psh|ack) == fin|psh jump log-and-drop
+tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn jump log-and-drop
 <%- node[:networking][:firewall][:incoming].uniq.each do |rule| %>
 <%= rule %>
--
2.39.5
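Review bot: The intent behind each of the seven bitmask matches is no longer readable now that the named-flag form is gone, and none of the added lines carries a comment; an nft `#` comment above each, e.g. `# xmas scan: FIN+PSH+URG with no SYN/RST/ACK`, `# null scan: no flags set`, `# SYN+RST, FIN+RST and SYN+FIN are never valid together`, `# FIN+PSH without ACK`, `# source port 0 is reserved; drop a bare SYN from it`, would let the next reviewer check the masks without decoding them. The last added rule masks only fin|syn|rst|ack, so a SYN from source port 0 that also carries PSH or URG is not matched by it; if the goal is to reject source port 0 outright, `tcp sport 0 jump log-and-drop` with no flags match is simpler and broader, but that widens the original rule, so confirm it is intended before changing it. The enclosing chain begins before this hunk and the `log-and-drop` chain is not visible here, so whether these rules sit before or after an established/related accept cannot be checked from the hunk.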