My expectation is that traffic will be dropped appropriately at the "priority filter" level when the VPN is active, but that when the VPN firewall rules are removed, the defaults will kick in, even though they are "priority +1."
Is this correct, or have I poorly implemented this?
These are my default nftables rules without the VPN killswitch:
table inet firewall {
    chain incoming {
        type filter hook input priority filter + 1; policy drop;
        iif "lo" accept
        iif "lo" ip saddr != 127.0.0.0/8 drop
        ct state established accept
    }
    chain forwarding {
        type filter hook forward priority filter + 1; policy drop;
    }
}
table inet firewall {
    chain incoming {
        type filter hook input priority filter + 1; policy drop;
        iif "lo" accept
        iif "lo" ip saddr != 127.0.0.0/8 drop
        ct state established accept
    }
    chain forwarding {
        type filter hook forward priority filter + 1; policy drop;
    }
}
table inet vpn {
    chain prerouting {
        type filter hook prerouting priority -199; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        ct mark XXX accept
        # [edit]
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        reject
    }
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        # [edit]
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # [edit]
        udp dport 53 reject
        tcp dport 53 reject with tcp reset
        reject
    }
}
Networking: Forwarding is turned off in sysctl.conf (net.ipv4.ip_forward = 0)
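The behaviour the question turns on is how netfilter orders several base chains registered on the same hook: they run in ascending priority number, a drop verdict ends traversal for that hook, while an accept verdict only ends the current chain and the packet still passes through the next base chain on the same hook (which may drop it). So with the vpn table loaded, vpn.input (priority 0) decides first and firewall.incoming (priority 1) only ever sees what vpn.input let through; with the vpn table deleted, firewall.incoming still runs on its own and its policy drop still applies. The Python model below is an added illustration of that traversal, not part of the original post and not nftables itself; rule syntax is not parsed, the posted input chains are hand-translated into predicates, and the `[edit]` rules in vpn.input are not modelled (an assumption, so established traffic over the VPN is shown as dropped here):

```python
"""Toy model of netfilter base-chain traversal for one hook (added illustration).

Models only the ordering semantics the question is about: several base chains
on the same hook, sorted by priority, 'accept' finishing one chain but not the
hook, 'drop' finishing the hook. Rules are (predicate, verdict) pairs.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

ACCEPT, DROP = "accept", "drop"


@dataclass
class Packet:
    iif: str                   # ingress interface name
    established: bool = False  # stands in for 'ct state established'


@dataclass
class Chain:
    table: str
    name: str
    hook: str
    priority: int              # 'filter' == 0, 'filter + 1' == 1
    rules: List[Tuple[Callable[[Packet], bool], str]]
    policy: str                # verdict used when no rule matched


def walk_hook(chains: List[Chain], hook: str, pkt: Packet):
    """Evaluate every base chain on `hook` in ascending priority order.

    Returns (final_verdict, trace); trace lists (chain, priority, verdict) for
    each chain that saw the packet. 'drop' stops traversal immediately;
    'accept' only finishes the current chain, so a later chain (higher
    priority number) can still drop the packet.
    """
    trace = []
    for ch in sorted((c for c in chains if c.hook == hook), key=lambda c: c.priority):
        verdict = ch.policy
        for matches, v in ch.rules:
            if matches(pkt):
                verdict = v
                break
        trace.append((f"{ch.table}.{ch.name}", ch.priority, verdict))
        if verdict == DROP:
            break
    return (trace[-1][2] if trace else ACCEPT), trace


def ruleset(with_vpn: bool) -> List[Chain]:
    """The poster's two input chains. vpn.input's '[edit]' rules are not
    modelled (assumption), so only loopback is accepted there."""
    chains = [Chain("firewall", "incoming", "input", 1,
                    [(lambda p: p.iif == "lo", ACCEPT),
                     (lambda p: p.established, ACCEPT)],
                    DROP)]
    if with_vpn:
        chains.append(Chain("vpn", "input", "input", 0,
                            [(lambda p: p.iif == "lo", ACCEPT)],
                            DROP))
    return chains


def verdict(with_vpn: bool, pkt: Packet):
    """Final verdict and per-chain trace for `pkt` on the input hook."""
    return walk_hook(ruleset(with_vpn), "input", pkt)


if __name__ == "__main__":
    # Constructed sample packets: loopback, a reply to an existing connection,
    # and an unsolicited inbound packet on a non-VPN interface.
    samples = (Packet("lo"), Packet("eth0", established=True), Packet("eth0"))
    for with_vpn in (True, False):
        state = "present" if with_vpn else "removed"
        for pkt in samples:
            v, trace = verdict(with_vpn, pkt)
            print(f"vpn table {state:7} {pkt}: {v:6} via {trace}")
```

Running it shows the two cases side by side: with the vpn table removed, the unsolicited eth0 packet is dropped by firewall.incoming alone, and a loopback packet with the vpn table present is accepted by vpn.input and then evaluated again by firewall.incoming, which is exactly why the "priority +1" defaults keep working after the kill-switch table is flushed.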