From 1cce3fc642dd4e64151aba1deff02b35beee04c9 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Sun, 14 Apr 2024 17:46:42 -0500
Subject: [PATCH] nftables: add more rules
---
 roles/nftables/defaults/main.yaml | 73 ++++++++++++--------
 roles/nftables/templates/nftables.conf.j2 | 81 ++++++++---------------
 2 files changed, 72 insertions(+), 82 deletions(-)
diff --git a/roles/nftables/defaults/main.yaml b/roles/nftables/defaults/main.yaml
index f90a042..912a93e 100644
--- a/roles/nftables/defaults/main.yaml
+++ b/roles/nftables/defaults/main.yaml
@@ -36,35 +36,54 @@ nftables_builtin_sets:
 - flags interval
 nftables_input_builtin_rules:
- - type filter hook input priority filter; policy drop;
- - ip saddr @blackhole4 drop
- - ip6 saddr @blackhole6 drop
- - ct state established,related accept
- - ct state invalid drop
- - iifname "lo" accept
- - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- - icmpv6 type echo-request accept
- - icmp type echo-request accept
- - tcp dport @tcp_input_accept accept
- - udp dport @udp_input_accept accept
- # this should be last because these ports could be allowed
- - udp dport $TRACEROUTE_UDP_PORTS reject
+ '000 policy':
+ - type filter hook input priority filter; policy drop;
+ '010 blackhole':
+ - ip saddr @blackhole4 drop
+ - ip6 saddr @blackhole6 drop
+ '020 related established':
+ - ct state established,related accept
+ - ct state invalid drop
+ '030 loopback':
+ - iifname "lo" accept
+ '040 icmp':
+ - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
+ - icmpv6 type echo-request accept
+ - icmp type echo-request accept
+ '050 tcp accept':
+ - tcp dport @tcp_input_accept accept
+ '060 udp accept':
+ - udp dport @udp_input_accept accept
+ '999 traceroute':
+ # this should be last because these ports could be allowed
+ - udp dport $TRACEROUTE_UDP_PORTS reject
 nftables_forward_builtin_rules:
- - type filter hook forward priority filter; policy drop;
- - ct state { established, related } accept
+ '000 policy':
+ - type filter hook forward priority filter; policy drop;
+ '010 related established':
+ - ct state { established, related } accept
 nftables_output_builtin_rules:
- - type filter hook output priority filter; policy accept;
- - ip daddr @blackhole4 drop
- - ip6 daddr @blackhole6 drop
- - ct state { established, related } accept
+ '000 policy':
+ - type filter hook output priority filter; policy accept;
+ '010 blackhole':
+ - ip daddr @blackhole4 drop
+ - ip6 daddr @blackhole6 drop
+ '020 related established':
+ - ct state { established, related } accept
-# nftables_sets:
-# {}
-#
-#
nftables_input_rules:
-# []
-#
-# nftables_output_rules:
-# []
+nftables_defines: {}
+
+nftables_sets: {}
+
+nftables_input_rules: {}
+
+nftables_forward_rules: {}
+
+nftables_output_rules: {}
diff --git a/roles/nftables/templates/nftables.conf.j2 b/roles/nftables/templates/nftables.conf.j2
index 51db0ae..d776cd8 100644
--- a/roles/nftables/templates/nftables.conf.j2
+++ b/roles/nftables/templates/nftables.conf.j2
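Review bot: The user-facing dicts added at the end of the hunk (`nftables_defines`, `nftables_sets`, `nftables_input_rules`, `nftables_forward_rules`, `nftables_output_rules`) replace the old commented examples but say nothing about how they merge with the `*_builtin_rules` dicts or about the `'NNN name'` key convention. Because the template merges them by key, a user entry whose key equals a builtin key — e.g. `'020 related established'` — replaces that entire builtin group rather than adding to it, and a user `'000 policy'` silently replaces the `policy drop` line; that is worth stating next to the defaults. I would add above `nftables_input_rules: {}` something like `# Merged by key over nftables_input_builtin_rules: a matching key replaces that whole builtin group (including '000 policy'), so add rules under new 'NNN name' keys.` and a similar line for the forward and output dicts. As far as I can tell the old list form (`nftables_input_rules: []`) is no longer accepted by the template's `combine`, so hosts still using it will fail at render time; a note on that change of type would help.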
@@ -1,82 +1,53 @@
+{% set combined_defines = [ nftables_builtin_defines, nftables_defines ] | combine %}
+{% set combined_sets = [ nftables_builtin_sets, nftables_sets ] | combine %}
+{% set combined_input_rules = [ nftables_input_builtin_rules, nftables_input_rules ] | combine %}
+{% set combined_forward_rules = [ nftables_forward_builtin_rules, nftables_forward_rules ] | combine %}
+{% set combined_output_rules = [ nftables_output_builtin_rules, nftables_output_rules ] | combine %}
 table inet filter {
-{% if nftables_builtin_defines is mapping %}
-{% for name, cfg in nftables_builtin_defines.items() %}
-{% if cfg is string %}
+{% for name, cfg in combined_defines.items() %}
+{% if cfg is string or cfg is number %}
 define {{ name }} = {{ cfg }}
-{% elif cfg is sequence %}
+{% elif cfg is sequence %}
 define {{ name }} = {
-{% for elem in cfg %}
+{% for elem in cfg %}
 {{ elem }},
-{% endfor %}
- }
-{% endif %}
 {% endfor %}
-{% endif %}
-{% if nftables_defines is mapping %}
-{% for name, cfg in nftables_defines.items() %}
- define {{ name }} = {
-{% for elem in cfg %}
- {{ elem }},
-{% endfor %}
 }
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
-{% if nftables_builtin_sets is mapping %}
-{% for name, cfg in nftables_builtin_sets.items() %}
+{% for name, cfg in combined_sets.items() %}
 set {{ name }} {
-{% for elem in cfg %}
+{% for elem in cfg %}
 {{ elem }}
-{% endfor %}
- }
 {% endfor %}
-{% endif %}
-{% if nftables_sets is mapping %}
-{% for name, cfg in nftables_sets.items() %}
- set {{ name }} {
-{% for elem in cfg %}
- {{ elem }}
-{% endfor %}
 }
-{% endfor %}
-{% endif %}
+{% endfor %}
 chain input {
-{% if nftables_input_builtin_rules is sequence %}
-{% for rule in nftables_input_builtin_rules %}
+{% for comment, rules in combined_input_rules.items() %}
+ # {{ comment }}
+{% for rule in rules %}
 {{ rule }}
 {% endfor %}
-{% endif %}
-{% if nftables_input_rules is sequence %}
-{% for rule in nftables_input_rules %}
- {{ rule }}
-{% endfor %}
-{% endif %}
+{%
endfor %}
 }
 chain forward {
-{% if nftables_forward_builtin_rules is sequence %}
-{% for rule in nftables_forward_builtin_rules %}
+{% for comment, rules in combined_forward_rules.items() %}
+ # {{ comment }}
+{% for rule in rules %}
 {{ rule }}
 {% endfor %}
-{% endif %}
-{% if nftables_forward_rules is sequence %}
-{% for rule in nftables_forward_rules %}
- {{ rule }}
-{% endfor %}
-{% endif %}
+{% endfor %}
 }
 chain output {
-{% if nftables_output_builtin_rules is sequence %}
-{% for rule in nftables_output_builtin_rules %}
+{% for comment, rules in combined_output_rules.items() %}
+ # {{ comment }}
+{% for rule in rules %}
 {{ rule }}
 {% endfor %}
-{% endif %}
-{% if nftables_output_rules is sequence %}
-{% for rule in nftables_output_rules %}
- {{ rule }}
-{% endfor %}
-{% endif %}
+{% endfor %}
 }
 }
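Review bot: The three `for comment, rules in combined_*_rules.items()` loops emit rule groups in dict order, not in the order the numeric key prefixes suggest, which undermines the "this should be last" assumption behind the builtin `'999 traceroute'` reject. As far as I can tell `combine` keeps the builtin keys in their original order and appends any new user key after them, so a user-supplied UDP accept for the traceroute port range ends up after the reject and never matches, and every other user group lands after `'999 traceroute'` whatever prefix it carries. Sorting the merged mapping fixes this and also makes `'000 policy'` reliably the first line of each chain: `{% for comment, rules in combined_input_rules | dictsort %}`, with the same change for `combined_forward_rules` and `combined_output_rules`. Separately, dropping the old `is mapping`/`is sequence` guards in favour of `| combine` means a host that still sets one of these variables to a list now errors at render time instead of being skipped; that fails closed (the previous ruleset stays loaded), but it is a behaviour change worth noting in the commit message.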