printf "#!/usr/sbin/nft -f\n" > /etc/nftables.conf
printf "flush ruleset\n" >> /etc/nftables.conf
nft list ruleset >> /etc/nftables.conf
+ if [ -d /etc/sysconfig ]; then
+ cp /etc/nftables.conf /etc/sysconfig/nftables.conf
+ fi
fi
}
allow_ping() {
printf "Allowing icmp pings\n"
if [ "$FIREWALL" = "iptables" ]; then
- iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT
- iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT
+ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+ iptables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
elif [ "$FIREWALL" = "nftables" ]; then
- nft add rule inet filter input icmp type \{ echo-request \} limit rate 10/second accept
- nft add rule inet filter input icmpv6 type \{ echo-request \} limit rate 10/second accept
+ nft add rule inet filter input icmp type echo-request accept
+ nft add rule inet filter input icmpv6 type echo-request accept
fi
}
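Review bot: The new rules in allow_ping accept echo-request at any rate, because both the iptables and nftables branches drop the 10/sec limit that the removed lines had, so the host now answers ping floods in full. If the limit was removed deliberately (for example, because it failed to parse on some target), add a comment such as `# no rate limit: <reason>`; otherwise keep it, e.g. `nft add rule inet filter input icmp type echo-request limit rate 10/second accept`. Separately, the ICMPv6 rule in the iptables branch is still issued through `iptables`, whose IPv4 binary normally does not provide the `--icmpv6-type` match, so that line probably fails or never sees IPv6 traffic. It should likely read `ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT`. No hunk header is visible here, so the hunk may extend beyond these lines.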