Fix flag matches to work on 20.04

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index 426c102ee8c36b60b3cacfb5a290ed52d13dc6a9..55c4a1c18d2bd7a18b0385e3d511098e125ec60e 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -82,13 +82,13 @@ table inet filter {
 
     meta l4proto { icmp, icmpv6 } jump log-and-drop
 
-    tcp flags fin,psh,urg / fin,syn,rst,psh,ack,urg jump log-and-drop
-    tcp flags ! fin,syn,rst,psh,ack,urg jump log-and-drop
-    tcp flags syn,rst / syn,rst jump log-and-drop
-    tcp flags fin,rst / fin,rst jump log-and-drop
-    tcp flags fin,syn / fin,syn jump log-and-drop
-    tcp flags fin,psh / fin,psh,ack jump log-and-drop
-    tcp sport 0 tcp flags syn / fin,syn,rst,ack jump log-and-drop
+    tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop
+    tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 jump log-and-drop
+    tcp flags & (syn|rst) == syn|rst jump log-and-drop
+    tcp flags & (fin|rst) == fin|rst jump log-and-drop
+    tcp flags & (fin|syn) == fin|syn jump log-and-drop
+    tcp flags & (fin|psh|ack) == fin|psh jump log-and-drop
+    tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn jump log-and-drop
 
 <%- node[:networking][:firewall][:incoming].uniq.each do |rule| %>
     <%= rule %>