From a066063f6aa0bb4373f028e26eb950f81d55eaf1 Mon Sep 17 00:00:00 2001
From: Logan Fick
Date: Tue, 16 Dec 2025 09:01:19 -0500
Subject: [PATCH] Fixed localhost output firewall rule not using correct selector.

---
 etc/nftables.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/nftables.conf b/etc/nftables.conf
index fde9961..18ead68 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -12,7 +12,7 @@ table inet filter {
         ct state invalid counter drop comment "drop invalid"
         meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
-        tcp dport ssh ct state { new } counter accept comment "accept new SSH connections"
+        tcp dport ssh ct state new counter accept comment "accept new SSH connections"
         counter comment "count any other dropped traffic"
     }
 
@@ -20,7 +20,7 @@ table inet filter {
     chain output {
         type filter hook output priority filter; policy drop;
 
-        iif lo counter accept comment "accept any localhost traffic"
+        oif lo counter accept comment "accept any localhost traffic"
         ct state { established, related } counter accept comment "accept established,related"
         ct state invalid counter drop comment "drop invalid"
         meta l4proto { icmp, ipv6-icmp } counter accept comment "accept ICMP"
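Review bot: The rewritten SSH rule on the `+` line still accepts an unlimited number of `new` connections from any source, and nothing else visible in this hunk gates the port, so a brute-force run rides the accept path straight through; consider `tcp dport ssh ct state new limit rate 10/minute burst 5 packets counter accept comment "accept new SSH connections"` so excess attempts fall through to the trailing "count any other dropped traffic" rule and show up in its counter. The `{ new }` to `new` change itself is behaviourally a no-op (a one-element set and a bare flag match the same packets), so this hunk only affects readability, and the file now mixes the bare form here with the set form in `ct state { established, related }` a few lines later. The enclosing chain (presumably the input chain, given the rules) starts before this hunk, so its hook and policy line are not visible here.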
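Review bot: The corrected `oif lo` rule carries no explanation of why `iif` was wrong, so the next maintainer who sees the input chain using `iif lo` may "normalize" this line back and silently reintroduce the bug; a one-line comment would prevent that, e.g. `# output hook: locally generated packets have no ingress interface, so match oif, not iif`. Before this fix, loopback-bound traffic that was not yet `established` fell through to `policy drop`, so this is a genuine correctness/availability fix rather than a cosmetic one, and it is worth saying so in the commit message as well as the file. The output chain continues past the end of the hunk, so I cannot see which outbound traffic, if any, is accepted after the ICMP rule before the drop policy applies.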