bundles/nftables: add feature to block ips

2024-01-21 11:44:13 +01:00 · 2024-01-21 11:44:13 +01:00 · bb56f0fb9a
commit bb56f0fb9a
parent ee58509e93
2 changed files with 9 additions and 0 deletions
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@ -14,6 +14,13 @@ table inet filter {

        iif lo accept

+% for address in sorted(blocked_v4):
+        ip saddr ${address} drop
+% endfor
+% for address in sorted(blocked_v6):
+        ip6 saddr ${address} drop
+% endfor
+
        icmp type timestamp-request drop
        icmp type timestamp-reply drop
        ip protocol icmp accept
--- a/bundles/nftables/items.py
+++ b/bundles/nftables/items.py
@ -17,6 +17,8 @@ files = {
    '/etc/nftables.conf': {
        'content_type': 'mako',
        'context': {
+            'blocked_v4': node.metadata.get('nftables/blocked_v4', set()),
+            'blocked_v6': node.metadata.get('nftables/blocked_v6', set()),
            'forward': node.metadata.get('nftables/forward', {}),
            'input': node.metadata.get('nftables/input', {}),
            'postrouting': node.metadata.get('nftables/postrouting', {}),