kunsi/bundlewrap
1
0
Fork 0
Code Issues 1 Pull requests 1 Releases Activity

bundles/nftables: add feature to block ips

Browse source
This commit is contained in:
Franzi 2024-01-21 11:44:13 +01:00
parent ee58509e93
commit bb56f0fb9a
Signed by: kunsi
GPG key ID: 12E3D2136B818350
2 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bundles/nftables/files/nftables.conf
View file

@ -14,6 +14,13 @@ table inet filter {
iif lo accept iif lo accept
% for address in sorted(blocked_v4):
ip saddr ${address} drop
% endfor
% for address in sorted(blocked_v6):
ip6 saddr ${address} drop
% endfor
icmp type timestamp-request drop icmp type timestamp-request drop
icmp type timestamp-reply drop icmp type timestamp-reply drop
ip protocol icmp accept ip protocol icmp accept

2
bundles/nftables/items.py
View file

@ -17,6 +17,8 @@ files = {
'/etc/nftables.conf': { '/etc/nftables.conf': {
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
'blocked_v4': node.metadata.get('nftables/blocked_v4', set()),
'blocked_v6': node.metadata.get('nftables/blocked_v6', set()),
'forward': node.metadata.get('nftables/forward', {}), 'forward': node.metadata.get('nftables/forward', {}),
'input': node.metadata.get('nftables/input', {}), 'input': node.metadata.get('nftables/input', {}),
'postrouting': node.metadata.get('nftables/postrouting', {}), 'postrouting': node.metadata.get('nftables/postrouting', {}),