From e018e439bbc59683421c80d26cf8425b9a4683f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Wed, 9 Aug 2017 10:34:29 +0200
Subject: [PATCH] Set output default policy to drop and allow DNS request.
---
README.md | 7 +++++--
defaults/main.yml | 4 +++-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 21e00cf..020d607 100644
--- a/README.md
+++ b/README.md
@@ -83,9 +83,11 @@ nft_input_host_rules: {}
 nft_output_default_rules:
 000 policy:
- - type filter hook output priority 0; policy accept;
+ - type filter hook output priority 0; policy drop;
 005 global:
 - jump global
+ 050 domain:
+ - udp dport domain ct state new counter accept
 nft_output_group_rules: {}
 nft_output_host_rules: {}
@@ -149,8 +151,9 @@ table inet firewall {
 }
 chain output {
- type filter hook output priority 0; policy accept;
+ type filter hook output priority 0; policy drop;
 jump global
+ udp dport domain ct state new counter packets 0 bytes 0 accept
 }
 }
 ```
diff --git a/defaults/main.yml b/defaults/main.yml
index d524077..979b1d3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -39,9 +39,11 @@ nft_input_host_rules: {}
 nft_output_default_rules:
 000 policy:
- - type filter hook output priority 0; policy accept;
+ - type filter hook output priority 0; policy drop;
 005 global:
 - jump global
+ 050 domain:
+ - udp dport domain ct state new counter accept
 nft_output_group_rules: {}
 nft_output_host_rules: {}
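Review bot: The new `050 domain` rule in defaults/main.yml only admits UDP queries, so once the output policy is `drop` any resolver that retries over TCP after a truncated answer (large or DNSSEC-signed responses, zone transfers) will hang; add `- tcp dport domain ct state new counter accept` next to it. Whether reply packets, established/related flows and loopback traffic still pass depends on the `global` chain this hunk jumps to, which is outside the diff — worth confirming, because with a drop policy on output a missing `ct state established,related accept` there would also break the host's own package updates, NTP and the reply side of inbound SSH. This also flips a role default in a way that breaks any host relying on unrestricted outbound access; a comment above the key, e.g. `# output chain policy is drop: every outbound service the host needs must get an explicit accept rule`, would warn consumers upgrading the role.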