From 19acb4cb22e2d91777e8f52f1a1a9ec612a2d47a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 8 Aug 2017 14:53:29 +0200
Subject: [PATCH] Allow SSH input by default.
---
 README.md | 3 +++
 defaults/main.yml | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 3838b2a..d350f85 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,8 @@ nft_input_default_rules:
 - jump global
 010 drop unwanted:
 - ip daddr @blackhole counter drop
+ 022 ssh:
+ - tcp dport ssh ct state new counter accept
 nft_input_group_rules: {}
 nft_input_host_rules: {}
@@ -133,6 +135,7 @@ table inet firewall {
 type filter hook input priority 0; policy drop;
 jump global
 ip daddr @blackhole counter packets 3 bytes 204 drop
+ tcp dport ssh ct state new counter packets 0 bytes 0 accept
 }
 chain output {
diff --git a/defaults/main.yml b/defaults/main.yml
index e8b0390..1affc1c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -22,6 +22,7 @@ nft_global_default_rules:
 - ct state invalid drop
 nft_global_group_rules: {}
 nft_global_host_rules: {}
+
 nft_input_default_rules:
 000 policy:
 - type filter hook input priority 0; policy drop;
@@ -29,6 +30,8 @@ nft_input_default_rules:
 - jump global
 010 drop unwanted:
 - ip daddr @blackhole counter drop
+ 022 ssh:
+ - tcp dport ssh ct state new counter accept
 nft_input_group_rules: {}
 nft_input_host_rules: {}
@@ -40,6 +43,7 @@ nft_define_default:
 value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
 nft_define_group: {}
 nft_define_host: {}
+
 nft_set_default:
 blackhole:
 - type ipv4_addr;
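Review bot: The new `022 ssh` rule in defaults/main.yml (hunk at -29,6) accepts new connections to the ssh port from any source on every interface, and because it lives in `nft_input_default_rules` every host applying the role inherits it unless a group or host variable changes that dict; the commit does not document this trade-off. A comment above the rule would make it explicit, e.g. `# Accepts SSH from any source by default; narrow with an 'ip saddr' match or redefine '022 ssh' in nft_input_group_rules / nft_input_host_rules.` The port is also matched through the `ssh` service name, so an sshd listening on a non-default port is not covered by this default; a role variable for the port (a constructed example: `nft_ssh_port: 22` interpolated into the rule) would keep the firewall default in step with the sshd configuration. Whether the group/host dicts merge with or replace the default dict is not visible in this hunk, so I'd confirm that before relying on an override.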