branch: externals/nftables-mode commit 3fd8b3f79ed8040a8defe9551ab1cc22acdec708 Author: Trent W. Buck <trentb...@gmail.com> Commit: Trent W. Buck <trentb...@gmail.com>
comment tweaks
---
nftables-host.nft | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nftables-host.nft b/nftables-host.nft
index 166f7cd52c..aae3681b38 100644
--- a/nftables-host.nft
+++ b/nftables-host.nft
@@ -101,11 +101,10 @@ table inet my_filter {
 # Allow those first, so we're a fast, stateful firewall.
 # After this only "ct state new" (or "ct state untracked") will remain.
 # FIXME: is a vmap here better (more efficient) than two separate rules?
- # FIXME: {established or related: accept} does not match correctly!
+ # NOTE: {established or related: accept} does not match correctly!
 ct state vmap { established: accept, related: accept, invalid: drop }
 # Loopback traffic is needed for e.g. NFS RPC, and for debugging.
- # FIXME: is iiftype here better than iif/iifname?
 iiftype loopback accept
 # Allow *some* kinds of IPv4/ICMP and IPv6/ICMPv6.