bundles/nftables: store rules in dedicated files instead of nftables.conf

2021-12-14 14:03:13 +01:00 · 2021-12-14 14:03:13 +01:00 · 0101e0c92d
commit 0101e0c92d
parent 1742f51778
11 changed files with 77 additions and 102 deletions
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@ -102,21 +102,17 @@ nodes['home.router'] = {
        },
        'nftables': {
            'rules': {
-                'forward': {
-                    'router': [
-                        # This is a router. Allow forwarding traffic for internal networks.
-                        'ct state { related, established } accept',
-                        'iif enp1s0.23 oif ppp0 accept',
-                        'iif enp1s0.42 accept',
+                '50-router': [
+                    # This is a router. Allow forwarding traffic for internal networks.
+                    'inet filter forward ct state { related, established } accept',
+                    'inet filter forward iif enp1s0.23 oif ppp0 accept',
+                    'inet filter forward iif enp1s0.42 accept',

-                        # yaaaaay, IPv6! No NAT!
-                        'ip6 nexthdr ipv6-icmp accept',
-                        'tcp dport 22 accept',
-                    ],
-                },
-                'nat_prerouting': {
-                    'tcp dport 2022 dnat 172.19.138.20:22',
-                },
+                    # yaaaaay, IPv6! No NAT!
+                    'inet filter forward ip6 nexthdr ipv6-icmp accept',
+                    'inet filter forward tcp dport 22 accept',
+                    'nat prerouting tcp dport 2022 dnat 172.19.138.20:22',
+                ],
            },
        },
        'nginx': {
--- a/nodes/htz-cloud/influxdb.py
+++ b/nodes/htz-cloud/influxdb.py
@ -51,6 +51,11 @@ nodes['htz-cloud.influxdb'] = {
                },
            },
        },
+        #'openssh': {
+        #    'restrict-to': {
+        #        'versatel',
+        #    },
+        #},
        'vm': {
            'cpu': 1,
            'ram': 2,
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@ -181,12 +181,10 @@ nodes['htz-cloud.miniserver'] = {
        },
        'nftables': {
            'rules': {
-                'input': {
-                    'sophie-weechat': [
-                        'udp dport { 60000-61000 } accept',
-                        'tcp dport 9001 accept',
-                    ],
-                },
+                '50-sophie-weechat': [
+                    'inet filter input udp dport { 60000-61000 } accept',
+                    'inet filter input tcp dport 9001 accept',
+                ],
            },
        },
        'nginx': {
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@ -275,12 +275,10 @@ nodes['rx300'] = {
        },
        'nftables': {
            'rules': {
-                'input': {
-                    'kunsi-weechat': [
-                        'udp dport { 60000-61000 } accept',
-                        'tcp dport 9001 accept',
-                    ],
-                },
+                '50-kunsi-weechat': [
+                    'inet filter input udp dport { 60000-61000 } accept',
+                    'inet filter input tcp dport 9001 accept',
+                ],
            },
        },
        'nginx': {