bundlewrap/bundles/nftables/files/nftables.conf

73 lines
1.5 KiB
Text
Raw Normal View History

2021-11-26 17:36:16 +00:00
#!/usr/sbin/nft -f
2021-06-03 11:57:50 +00:00
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0
policy drop
tcp flags syn tcp option maxseg size 1-500 drop
ct state { established, related } accept
ct state invalid drop
iif lo accept
icmp type timestamp-request drop
icmp type timestamp-reply drop
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
% for ruleset, rules in sorted(node.metadata.get('nftables/rules/input', {}).items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
# / ${ruleset}
% endfor
}
chain output {
type filter hook output priority 0
policy accept
}
chain forward {
type filter hook forward priority 0
policy drop
icmp type timestamp-request drop
icmp type timestamp-reply drop
% for ruleset, rules in sorted(node.metadata.get('nftables/rules/forward', {}).items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
# / ${ruleset}
% endfor
}
}
table nat {
chain prerouting {
type nat hook prerouting priority -100
2021-09-29 17:44:13 +00:00
% for rule in sorted(node.metadata.get('nftables/rules/nat_prerouting', [])):
2021-06-03 11:57:50 +00:00
${rule}
% endfor
}
chain postrouting {
type nat hook postrouting priority 100
2021-09-29 17:44:13 +00:00
% for rule in sorted(node.metadata.get('nftables/rules/nat_postrouting', [])):
2021-06-03 11:57:50 +00:00
${rule}
% endfor
}
}
include "/etc/nftables-rules.d/*-*"