On 11/29/25 14:08, Alyssa Ross wrote:
Yureka Lilian <yureka@cyberchaos.dev> writes:
diff --git a/vm/sys/net/image/etc/nftables.conf b/vm/sys/net/image/etc/nftables.conf index 296d92c..cc8e462 100644 --- a/vm/sys/net/image/etc/nftables.conf +++ b/vm/sys/net/image/etc/nftables.conf @@ -1,8 +1,16 @@ # SPDX-License-Identifier: EUPL-1.2+ -# SPDX-FileCopyrightText: 2021 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Yureka Lilian <yureka@cyberchaos.dev>
-table nat { - chain postrouting { - type nat hook postrouting priority 100; +table driver-fw { + chain input { + type filter hook input priority filter; policy drop; + } + + chain output { + type filter hook output priority filter; policy drop; + } + + chain forward { + type filter hook forward priority filter; policy drop; } } Just checking: did you see my question about the formatting of this last time?
https://spectrum-os.org/lists/archives/spectrum-devel/87see1t69a.fsf@alyssa....
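Review bot: `table driver-fw` names no address family, so nft defaults it to `ip` and the three `policy drop` base chains hook IPv4 only; IPv6 packets never traverse this table, which undercuts a default-drop firewall. If the intent is to drop everything not explicitly allowed, declare it as `table inet driver-fw { ... }` so the same chains hook both IPv4 and IPv6. Separately, in the header hunk the 2021 `SPDX-FileCopyrightText: Alyssa Ross` line is replaced rather than kept; the usual REUSE practice when rewriting a file is to leave the existing copyright line and add a second `SPDX-FileCopyrightText:` line for the new author.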
I saw the question but forgot to answer it. Thanks for reminding me. At least inside nixpkgs, all nftables chains are declared in this style, so yes, it is a common way of writing it. I suppose because the policy is semantically part of the chain "declaration" as opposed to the rules following it.
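As an added illustration of the declaration style discussed above (this is not code from the patch or from Spectrum), here is a complete default-drop ruleset in which each base chain's `type`/`hook`/`priority`/`policy` sits on the declaration line and the accept rules follow it. The `inet` family, the table name `driver-fw`, and the specific allow rules (loopback, established/related, ICMP echo, IPv6 neighbour discovery) are assumptions chosen for the example, not settings from the thread.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the spectrum-os patch under review.
# Assumption: family "inet" so the drop policies cover IPv4 and IPv6 alike;
# a bare "table driver-fw" would default to the ip family and hook IPv4 only.
flush ruleset

table inet driver-fw {
	chain input {
		# Chain declaration: hook, priority and default policy are one unit;
		# everything below is a rule evaluated before the policy applies.
		type filter hook input priority filter; policy drop;

		iif "lo" accept
		ct state invalid drop
		ct state established,related accept
		# Assumed: answer pings and keep IPv6 neighbour discovery working.
		icmp type echo-request accept
		icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
	}

	chain forward {
		# No rules at all: the policy alone decides, so nothing is forwarded.
		type filter hook forward priority filter; policy drop;
	}

	chain output {
		type filter hook output priority filter; policy drop;

		oif "lo" accept
		ct state established,related accept
		# Assumed: only DNS and NTP may originate new connections from this VM.
		ct state new meta l4proto { tcp, udp } th dport { 53, 123 } accept
	}
}
```

The reason the one-line form is natural is that nft itself prints it that way: `nft list ruleset` renders every base chain as `type filter hook input priority filter; policy drop;` on a single line, followed by the rules, so a config written in this style round-trips through the tool unchanged. Check the file without loading it with `nft -c -f /etc/nftables.conf` before committing it to a VM image, since a default-drop policy with no accept rules in `output` will cut off the guest's own outbound traffic the moment the ruleset loads.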