Commit 37d207ea authored by Wágner Ferenc

Don't log new connections from the temporary nftables ruleset

This sidesteps a DoS possibility and does not lie to our usual
firewall check (which considers kernel log freshness).
parent 51efe95f
......@@ -34,7 +34,7 @@
table inet ansible_temporary {
chain ansible_temporary {
type filter hook input priority 0; policy accept;
ct state new log prefix "New connection: " level info
ct state new comment "Activate connection tracking, pick up active connections"
}
}
when: nf_conntrack_head.stdout == ''
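Review bot: the replaced rule drops the only observable of the temporary ruleset; since the commit message's concern is kernel log volume rather than the rule itself, consider `ct state new counter comment "Activate connection tracking, pick up active connections"` so that the rule's activity can still be verified (via `nft list ruleset`) without writing a log line per new connection. The `ct state new` match alone is what engages conntrack, so the counter keeps the intended behaviour unchanged.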