From f2e4e77d731ce3e132662487797d2e5fdcf09c77 Mon Sep 17 00:00:00 2001
From: Daniel Barlow
Date: Sun, 29 Dec 2024 23:17:31 +0000
Subject: [PATCH] firewall: don't use oifname in input rules because it's empty, these are input rules for the local machine
---
 modules/firewall/default-rules.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/firewall/default-rules.nix b/modules/firewall/default-rules.nix
index 8fa4d3b..54c68be 100644
--- a/modules/firewall/default-rules.nix
+++ b/modules/firewall/default-rules.nix
@@ -131,12 +131,12 @@ in {
 "iifname int jump input-ip6-lan"
 "iifname ppp0 jump input-ip6-wan"
 (if allow-incoming
- then accept "oifname \"int\" iifname \"ppp0\""
- else "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip6"
+ then accept "iifname \"ppp0\""
+ else "iifname \"ppp0\" jump incoming-allowed-ip6"
 )
 # how does this even make sense in an input chain?
- (accept "oifname \"int\" iifname \"ppp0\" ct state established,related")
- (accept "iifname \"int\" oifname \"ppp0\" ")
+ (accept "iifname \"ppp0\" ct state established,related")
+ (accept "iifname \"int\" ")
 "log prefix \"DENIED CHAIN=input-ip6 \""
 ];
 };
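Review bot: Dropping the `oifname` match turns rules that could never match in an input chain into broad accepts: `(accept "iifname \"int\" ")` now accepts every IPv6 packet the router itself receives on the LAN interface, and with `allow-incoming` set, `accept "iifname \"ppp0\""` does the same for everything arriving from the WAN. If `allow-incoming` was meant to govern traffic forwarded to LAN hosts, as the old `oifname \"int\"` suggests, these two rules probably belong only in the forward chain and should be removed here rather than widened, leaving `(accept "iifname \"ppp0\" ct state established,related")` as the input-side rule. The `input-ip6-lan`, `input-ip6-wan` and `incoming-allowed-ip6` chains are defined outside the hunk, so check whether their verdicts are still meant to be the effective policy for the router's own services. The comment `# how does this even make sense in an input chain?` should be updated or dropped as well, since it no longer describes the lines below it.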