ryanc/ansible
1
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

nftables: add more rules

Browse Source
This commit is contained in:
Ryan Cavicchioni 2024-04-14 17:46:42 -05:00
parent 7168a89e53
commit 1cce3fc642
2 changed files with 72 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
roles/nftables/defaults/main.yaml
View File

@ -36,35 +36,54 @@ nftables_builtin_sets:
- flags interval - flags interval
nftables_input_builtin_rules: nftables_input_builtin_rules:
- type filter hook input priority filter; policy drop; '000 policy':
- ip saddr @blackhole4 drop - type filter hook input priority filter; policy drop;
- ip6 saddr @blackhole6 drop '010 blackhole':
- ct state established,related accept - ip saddr @blackhole4 drop
- ct state invalid drop - ip6 saddr @blackhole6 drop
- iifname "lo" accept '020 related established':
- icmpv6 type $REQUIRED_ICMPV6_TYPES accept - ct state established,related accept
- icmpv6 type echo-request accept - ct state invalid drop
- icmp type echo-request accept '030 loopback':
- tcp dport @tcp_input_accept accept - iifname "lo" accept
- udp dport @udp_input_accept accept '040 icmp':
# this should be last because these ports could be allowed - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
- udp dport $TRACEROUTE_UDP_PORTS reject - icmpv6 type echo-request accept
- icmp type echo-request accept
'050 tcp accept':
- tcp dport @tcp_input_accept accept
'060 udp accept':
- udp dport @udp_input_accept accept
'999 traceroute':
# this should be last because these ports could be allowed
- udp dport $TRACEROUTE_UDP_PORTS reject
nftables_forward_builtin_rules: nftables_forward_builtin_rules:
- type filter hook forward priority filter; policy drop; '000 policy':
- ct state { established, related } accept - type filter hook forward priority filter; policy drop;
'010 related established':
- ct state { established, related } accept
nftables_output_builtin_rules: nftables_output_builtin_rules:
- type filter hook output priority filter; policy accept; '000 policy':
- ip daddr @blackhole4 drop - type filter hook output priority filter; policy accept;
- ip6 daddr @blackhole6 drop '010 blackhole':
- ct state { established, related } accept - ip daddr @blackhole4 drop
- ip6 daddr @blackhole6 drop
'020 related established':
- ct state { established, related } accept
# nftables_sets: nftables_defines:
# {} {}
#
# nftables_input_rules: nftables_sets:
# [] {}
#
# nftables_output_rules: nftables_input_rules:
# [] {}
nftables_forward_rules:
{}
nftables_output_rules:
{}

81
roles/nftables/templates/nftables.conf.j2
View File

@ -1,82 +1,53 @@
{% set combined_defines = [ nftables_builtin_defines, nftables_defines ] | combine %}
{% set combined_sets = [ nftables_builtin_sets, nftables_sets ] | combine %}
{% set combined_input_rules = [ nftables_input_builtin_rules, nftables_input_rules ] | combine %}
{% set combined_forward_rules = [ nftables_forward_builtin_rules, nftables_forward_rules ] | combine %}
{% set combined_output_rules = [ nftables_output_builtin_rules, nftables_output_rules ] | combine %}
table inet filter { table inet filter {
{% if nftables_builtin_defines is mapping %} {% for name, cfg in combined_defines.items() %}
{% for name, cfg in nftables_builtin_defines.items() %} {% if cfg is string or cfg is number %}
{% if cfg is string %}
define {{ name }} = {{ cfg }} define {{ name }} = {{ cfg }}
{% elif cfg is sequence %} {% elif cfg is sequence %}
define {{ name }} = { define {{ name }} = {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }}, {{ elem }},
{% endfor %}
}
{% endif %}
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_defines is mapping %}
{% for name, cfg in nftables_defines.items() %}
define {{ name }} = {
{% for elem in cfg %}
{{ elem }},
{% endfor %}
} }
{% endfor %} {% endif %}
{% endif %} {% endfor %}
{% if nftables_builtin_sets is mapping %} {% for name, cfg in combined_sets.items() %}
{% for name, cfg in nftables_builtin_sets.items() %}
set {{ name }} { set {{ name }} {
{% for elem in cfg %} {% for elem in cfg %}
{{ elem }} {{ elem }}
{% endfor %}
}
{% endfor %} {% endfor %}
{% endif %}
{% if nftables_sets is mapping %}
{% for name, cfg in nftables_sets.items() %}
set {{ name }} {
{% for elem in cfg %}
{{ elem }}
{% endfor %}
} }
{% endfor %} {% endfor %}
{% endif %}
chain input { chain input {
{% if nftables_input_builtin_rules is sequence %} {% for comment, rules in combined_input_rules.items() %}
{% for rule in nftables_input_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_input_rules is sequence %}
{% for rule in nftables_input_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain forward { chain forward {
{% if nftables_forward_builtin_rules is sequence %} {% for comment, rules in combined_forward_rules.items() %}
{% for rule in nftables_forward_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_forward_rules is sequence %}
{% for rule in nftables_forward_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
chain output { chain output {
{% if nftables_output_builtin_rules is sequence %} {% for comment, rules in combined_output_rules.items() %}
{% for rule in nftables_output_builtin_rules %} # {{ comment }}
{% for rule in rules %}
{{ rule }} {{ rule }}
{% endfor %} {% endfor %}
{% endif %} {% endfor %}
{% if nftables_output_rules is sequence %}
{% for rule in nftables_output_rules %}
{{ rule }}
{% endfor %}
{% endif %}
} }
} }