mDNS queries and replies are sent to port 5353.
Update firewall rule in order to make it as tight as possible.
[ci:skip-build]: already built successfully in CI
There is "iifname "wwan*" drop" defined in 01_wwan.nft, which drops
any not "established, related" incoming packet from WWAN.
[ci:skip-build]: already built successfully in CI
Prepare to drop anbox from pmaports in favor of waydroid. For waydroid,
there's an nftables rule packaged as waydroid-nftables subpackage of the
waydroid package in Alpine (see pmaports issue 1280).
This seems to fix the last missing piece to getting the hotspot stuff
working, at least when it's set up with networkmanager (I haven't tested
other methods, but assume this rule is still needed there too...)
fixes #1198
This fixes DNS when a system is connected to a pmOS device as a hotspot.
The rule is in the default set of firewall rules, instead of a
subpackage. I think this is OK. I don't believe anything should be
listening on port 53 except when the hotspot is running...
The networkmanager hotspot needs to have DHCP input enabled on the wifi
interfaces so the temporary dnsmasq instance can work. The
networkmanager backend is also switched to the nftables one so it can
create the ad-hoc hotspot forwarding/masquerade table.
This rule is installed by default, since users that need usb inet won't
have an easy way to install a subpackage.
This is meant to facilitate:
https://wiki.postmarketos.org/wiki/USB_Internet
The old rule would result in nftables failing to load if the iface
doesn't exist. Using `iifname` will match on any future ifaces if they
don't exist when the firewall starts.
Anbox needs a specific set of nftables rules to allow incoming and
outgoing traffic. Anbox makes it easy to allow the specific traffic due
to the established `anbox0` bridge network interface.
Installs nftables config useful for pmOS:
1) drop all connections to wwan* (wildcard matching supported, are there
any other wwan iface names that wouldn't match this?)
2) allow ssh, drop from wwan (kinda redundant w/ the first rule, but
doesn't hurt.), allow DHCP on usb*
3) allow all incoming connections on usb* (with the -openusb subpackage)
4) enable logging all nftable events (with the -log subpackage), very
useful for debugging
fixes #1024
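As an added illustration (not pmaports' own config, nor any of the files named in the commits above), here is one self-contained nftables ruleset that puts the policy these messages describe into a single file: the table name `pmos`, the default-drop input policy, the `wlan*` glob for the hotspot interface and the interface scoping of the mDNS rule are assumptions; the `wwan*`/`usb*` globs, the ports and the `iifname` matching follow the commits.

```nft
#!/usr/sbin/nft -f
# Added example, not the pmaports firewall files. Table name "pmos",
# the "wlan*" glob and the single-file layout are assumptions.
flush ruleset

table inet pmos {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-tracked connections are always accepted.
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Matching on iifname (not iif) keeps the ruleset loadable when the
        # interface does not exist yet, and the glob matches future ifaces.
        # Placed before every accept, so nothing below is reachable from WWAN.
        iifname "wwan*" drop

        # SSH from any non-WWAN interface.
        tcp dport 22 accept

        # DHCP server towards the USB interface (USB internet sharing).
        iifname "usb*" udp dport 67 accept

        # mDNS: queries and replies use port 5353 (interface scope assumed).
        iifname "usb*" udp dport 5353 accept

        # Hotspot clients on the wifi iface: DHCP plus DNS (UDP and TCP, port
        # 53) for the dnsmasq instance that runs only while the hotspot is up.
        iifname "wlan*" udp dport 67 accept
        iifname "wlan*" udp dport 53 accept
        iifname "wlan*" tcp dport 53 accept

        # Equivalent of the -openusb subpackage; leave commented out unless
        # every incoming connection on usb* really should be allowed.
        # iifname "usb*" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # NetworkManager's nftables backend installs its own hotspot
        # forwarding/masquerade table; nothing else is forwarded here.
    }
}
```

Validate the file without loading it with `nft -c -f <file>`; a rule that refers to a missing interface by `iif` instead of `iifname` fails at this step, which is the failure the commits describe.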