From ac0654daf06a9d01fd264d96c00c8ab47b90cb73 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:22 +0100 Subject: feat(net): nftables laptop firewall Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved. - meta/base.txt: add nftables - systemd-units/system/base.txt: enable nftables.service - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output) - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians - README.md: firewall section with reload caveat --- systemd-units/system/base.txt | 1 + 1 file changed, 1 insertion(+) (limited to 'systemd-units') diff --git a/systemd-units/system/base.txt b/systemd-units/system/base.txt index 6f8582a..1e3af9b 100644 --- a/systemd-units/system/base.txt +++ b/systemd-units/system/base.txt @@ -9,6 +9,7 @@ paccache.timer acpid.service cpupower.service iwd.service +nftables.service systemd-networkd.service systemd-networkd-wait-online.service tlp.service -- cgit v1.3.1
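Review bot: the new nftables.service line is enabled alongside iwd.service and systemd-networkd.service in this same list, but nothing in the hunk itself guarantees the default-drop input ruleset from etc/nftables.conf is loaded before those bring an interface up with an address. Worth verifying that the packaged nftables.service carries `Before=network-pre.target` and `Wants=network-pre.target` (the upstream unit does); if the distribution's copy does not, add a drop-in with those two lines, and either way mention the boot-time ordering in the README firewall section next to the reload caveat. The insertion point keeps the list alphabetical, which is fine.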