Fix wireguard clients being able to connect to local ports

config/nftables/APKBUILD

@@ -3,7 +3,7 @@
 
 . ../APKBUILD-config.template
 
-pkgver=2023.05.24.01
+pkgver=2023.08.09.04
 pkgrel=0
 options="!check" # check requires root?
 

config/nftables/nft/inet/redxenfirewall/filter/input/stateful/base

@@ -1,3 +1,3 @@
 # Ban if connection attempts are still made over the limit
-ct state new meter ban4  { ip  saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip  saddr timeout 1h } counter reject;
-ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;
+iifname "eth0" ct state new meter ban4  { ip  saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole4 { ip  saddr timeout 1h } counter reject;
+iifname "eth0" ct state new meter ban6  { ip6 saddr timeout 10m limit rate over 2/second burst 60 packets } update @blackhole6 { ip6 saddr timeout 1h } counter reject;

config/nftables/nft/inet/redxenfirewall/table

@@ -12,7 +12,7 @@ table inet redxenfirewall {
 
 	chain rxfi {
 		type filter hook input priority 0;
-		policy accept;
+		policy drop;
 
 		ct state invalid counter drop;
 		ip  saddr @blackhole4 update @blackhole4 { ip  saddr timeout 1h } counter reject with icmpx type admin-prohibited;
@@ -22,7 +22,8 @@ table inet redxenfirewall {
 		icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
 		ct state related,established counter accept;
 
-		iifname "eth0" jump rxfi-extern;
+		iifname {"lo", "eth1"} counter accept;
+		jump rxfi-extern;
 	}
 
 	chain rxfi-extern {