Subject: [bug#65275] [PATCH] services: %default-nftables-ruleset: Tighten the rules.
Resent-From: Tomas Volf
Resent-Date: Sun, 13 Aug 2023 23:23:02 +0000
To: 65275@debbugs.gnu.org
Cc: Tomas Volf
From: Tomas Volf
Date: Mon, 14 Aug 2023 01:21:33 +0200
X-Mailer: git-send-email 2.41.0

Packets for local host IP ranges should be coming only over lo. If that is not the case, we should drop them.

Use iif for the check instead of iifname: lo is guaranteed to exist, and iif is faster.

* gnu/services/networking.scm: Tighten the rules.
---
 gnu/services/networking.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 5657b141d9..e24d2a876a 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1804,7 +1804,10 @@ (define %default-nftables-ruleset
     ct state { established, related } accept
     # allow from loopback
-    iifname lo accept
+    iif lo accept
+    # drop connections to lo not coming from lo
+    iif != lo ip daddr 127.0.0.1/8 drop
+    iif != lo ip6 daddr ::1/128 drop
     # allow icmp
     ip protocol icmp accept

base-commit: be6f5edd445850720dfcec2642db643b84fc0645
-- 
2.41.0
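Review bot: `ip daddr 127.0.0.1/8` on the first added `iif != lo` line pairs a host address with a /8 prefix; write it as the network address `127.0.0.0/8` (the IPv6 line already uses the exact form `::1/128`) so the rule states the loopback range it matches and does not rely on nft normalising the host bits. The ordering is right (the two drops sit directly after `iif lo accept` and before `# allow icmp`, so they take precedence over every later accept rule), and it would help to say so in the commit message, since that ordering is what makes the tightening effective.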