From 84fd89f6e659046e5204544c48ced44b445ad0eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 8 Aug 2017 14:37:54 +0200
Subject: [PATCH] Block all input packets destinate to blackhole set by default.

---
README.md | 3 +++
defaults/main.yml | 2 ++
2 files changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 8660157..3838b2a 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,8 @@ nft_input_default_rules:
 - type filter hook input priority 0; policy drop;
 005 global:
 - jump global
+ 010 drop unwanted:
+ - ip daddr @blackhole counter drop
 nft_input_group_rules: {}
 nft_input_host_rules: {}
 
@@ -130,6 +132,7 @@ table inet firewall {
 chain input {
 type filter hook input priority 0; policy drop;
 jump global
+ ip daddr @blackhole counter packets 3 bytes 204 drop
 }
 
 chain output {
diff --git a/defaults/main.yml b/defaults/main.yml
index 103332f..e8b0390 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -27,6 +27,8 @@ nft_input_default_rules:
 - type filter hook input priority 0; policy drop;
 005 global:
 - jump global
+ 010 drop unwanted:
+ - ip daddr @blackhole counter drop
 nft_input_group_rules: {}
 nft_input_host_rules: {}
 
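Review bot: The new default rule `- ip daddr @blackhole counter drop` in defaults/main.yml only matches IPv4, yet the README listing shows the chain living in `table inet firewall`, so IPv6 packets addressed to a blackholed host are never dropped by this rule; if the role keeps an IPv6 set, a parallel `- ip6 daddr @<IPV6_BLACKHOLE_SET> counter drop` (placeholder name) belongs in the same `010 drop unwanted` entry, and if it does not, a comment in defaults/main.yml should state that the default is IPv4-only. The rule also depends on a set named `blackhole` existing in the table by default — nft rejects the whole ruleset when a referenced set is undefined — and nothing in this patch shows where that set is declared, so a short comment above the entry naming the variable that creates it would save the next reader a search. Because `010 drop unwanted` is ordered after `005 global`, any packet accepted inside the `global` chain (for example an established-connection accept, if that chain has one) bypasses the blackhole drop; that may be intended, but the README addition should say whether the blackhole applies to new connections only. The enclosing `nft_input_default_rules` mapping starts outside the hunk.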