On Sat, Nov 29, 2025 at 02:15:23PM +0100, Yureka wrote: > On 11/29/25 14:08, Alyssa Ross wrote: > > Yureka Lilian writes: > > > > > diff --git a/vm/sys/net/image/etc/nftables.conf b/vm/sys/net/image/etc/nftables.conf > > > index 296d92c..cc8e462 100644 > > > --- a/vm/sys/net/image/etc/nftables.conf > > > +++ b/vm/sys/net/image/etc/nftables.conf > > > @@ -1,8 +1,16 @@ > > > # SPDX-License-Identifier: EUPL-1.2+ > > > -# SPDX-FileCopyrightText: 2021 Alyssa Ross > > > +# SPDX-FileCopyrightText: 2025 Yureka Lilian > > > -table nat { > > > - chain postrouting { > > > - type nat hook postrouting priority 100; > > > +table driver-fw { > > > + chain input { > > > + type filter hook input priority filter; policy drop; > > > + } > > > + > > > + chain output { > > > + type filter hook output priority filter; policy drop; > > > + } > > > + > > > + chain forward { > > > + type filter hook forward priority filter; policy drop; > > > } > > > } > > Just checking: did you see my question about the formatting of this last > > time? > > > > https://spectrum-os.org/lists/archives/spectrum-devel/87see1t69a.fsf@alyssa.is/ > > I saw the question but forgot to answer it. Thanks for reminding me. > > At least inside nixpkgs all nftables chains are declared in this style, so > yes it is a common way of writing it. I suppose because the policy is > semantically part of the chain "declaration" as opposed to the rules > following it. Cool, then: Reviewed-by: Alyssa Ross
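Review bot: `table driver-fw {` is declared without an address family, and nftables treats a table with no family as `ip`, so the three `policy drop;` chains in this hunk only see IPv4 packets. If the intent is that nothing gets in, out or through on IPv6 either, declare it as `table inet driver-fw {` so the same input, output and forward chains cover both families. A one-line comment above the table saying that the chains are deliberately empty (drop everything, loopback included) would also help, since the old `table nat` postrouting chain is removed here without a replacement.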