From a3f13ff8dac54bba46d7aaa5c6e5c75de60e718c Mon Sep 17 00:00:00 2001
From: nd
Date: Sun, 2 Aug 2020 21:26:17 +0200
Subject: [PATCH] forward statefull
---
 templates/nftables.conf.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index b09491f..fb9c250 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -30,7 +30,7 @@ table inet filter {
 iif lo accept comment "Accept any localhost traffic"
 ct state invalid drop comment "Drop invalid connections"
- ct state established,related accept comment "Accept traffic originated from us"
+ ct state established,related accept comment "Accept established (statefull)"
 ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
 ip protocol icmp accept comment "Accept ICMP"
@@ -45,6 +45,9 @@ table inet filter {
 type filter hook forward priority 0; policy {{ firewall.policies.forward }};
+ ct state invalid drop comment "Drop invalid connections"
+ ct state established,related accept comment "Accept established (statefull)"
+ {{ nftchain('forward') }}
 counter comment "Count dropped"
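Review bot: The new `ct state established,related accept` in the forward chain sits above `{{ nftchain('forward') }}`, so whatever that macro renders only ever sees packets the two added rules did not already handle (`new` or `untracked`); that is the correct order for a stateful firewall, but it is not stated anywhere in the template, and a reviewer of a later forward rule could otherwise expect a deny there to cut off flows that are already established. A one-line comment above the added rules would make the contract explicit, e.g. `# Stateful fast path: rules rendered below only see new/untracked packets`. The `comment "..."` strings in both hunks (and the commit subject) spell it `statefull`; the word is `stateful`, and since these strings are shown by `nft list ruleset` it is cheaper to fix them in both chains now than after the template is deployed. The enclosing `chain forward { ... }` block starts and ends outside the hunk, so the ordering relative to any rules after `counter` cannot be checked here.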