From 2a93b6783e880f5c14e82eba8ba006126b384930 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Mon, 14 Jul 2025 16:06:44 +0800
Subject: nft only allow monerod-p2p port to wg_* network interfaces

Note I think this will not prevent monerod download things from public internet without wireguard tunnel. But a little more limit is still better, maybe upload will limit a little bit to wg_* network interfaces.
---
 etc/nftables.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/etc/nftables.conf b/etc/nftables.conf
index 480298a3..1ec682d9 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -27,7 +27,7 @@ table inet my_table {
 udp dport mdns accept
 tcp dport qbt accept
 udp dport qbt accept
- tcp dport monerod-p2p accept
+ iifname wg_* tcp dport monerod-p2p accept
 #tcp dport iperf3 accept
 #udp dport wireguard accept
-- 
cgit v1.2.3-70-g09d2
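Review bot: The added `iifname wg_*` match only limits which interfaces may open connections to the monerod-p2p port. Assuming this rule sits in an input chain (the chain header is outside the hunk), monerod's own outbound peer connections still leave by the default route and expose the host's public address, as the commit message suspects. Confining the daemon needs a rule in an output chain keyed on its user, for example `meta skuid <monerod-user> oifname != "wg_*" reject`, placed after a loopback accept so local RPC keeps working. I would also quote the pattern, `iifname "wg_*" tcp dport monerod-p2p accept`, which is the form the nft documentation uses for interface wildcards, and validate the file with `nft -c -f etc/nftables.conf` before loading it. Note that `iifname` is a string match on the name, so any interface created with the `wg_` prefix is admitted whether or not it is a WireGuard device.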