From a6a9ef6c1b2480227d6ac614903777107802eac8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibaut=20VAR=C3=88NE?=
Date: Wed, 24 May 2023 12:04:31 +0200
Subject: [PATCH] uspot: add nftables firewall snippet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This enables CONNMARK'ing allowed traffic, and is used by accounting to selectively delete conntrack entries on client removal. To be used with the following fw4 config: config include option type 'nftables' option path '/usr/share/uspot/firewall.nft' option position 'chain-post' option chain 'mangle_postrouting'
Signed-off-by: Thibaut VARĂˆNE
---
feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft | 1 +
1 file changed, 1 insertion(+)
create mode 100644 feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
diff --git a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
new file mode 100644
index 000000000..993a48004
--- /dev/null
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
@@ -0,0 +1 @@
+mark 0x2 ct mark set 0x2
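Review bot: The single rule in firewall.nft compares and overwrites the full 32-bit marks: `mark 0x2` matches only when the packet mark is exactly 0x2, and `ct mark set 0x2` replaces whatever another component may have stored in the conntrack mark. If anything else on the device sets mark bits (not visible in this patch), an allowed client's flows could go untagged, and the accounting cleanup described in the commit message would then leave those conntrack entries alive after the client is removed. A bit-masked form avoids both problems, `meta mark & 0x2 == 0x2 ct mark set ct mark | 0x2`, provided the code that deletes entries also matches with a mask. The file would also benefit from a leading comment such as `# 0x2: uspot "client allowed" mark, copied to conntrack so accounting can drop the client's flows on removal`, since the value is otherwise unexplained.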