bundles/nftables: introduce

2021-06-03 13:57:50 +02:00 · 2021-06-03 13:57:50 +02:00 · ecb67d012b
commit ecb67d012b
parent faf27a3940
3 changed files with 198 additions and 0 deletions
--- a/bundles/nftables/files/nftables.conf
+++ b/bundles/nftables/files/nftables.conf
@ -0,0 +1,72 @@
+#!/usb/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0
+        policy drop
+
+        tcp flags syn tcp option maxseg size 1-500 drop
+
+        ct state { established, related } accept
+        ct state invalid drop
+
+        iif lo accept
+
+        icmp type timestamp-request drop
+        icmp type timestamp-reply drop
+        ip protocol icmp accept
+
+        ip6 nexthdr ipv6-icmp accept
+% for ruleset, rules in sorted(node.metadata.get('nftables/rules/input', {}).items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+        # / ${ruleset}
+% endfor
+    }
+
+    chain output {
+        type filter hook output priority 0
+        policy accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0
+        policy drop
+
+        icmp type timestamp-request drop
+        icmp type timestamp-reply drop
+
+% for ruleset, rules in sorted(node.metadata.get('nftables/rules/forward', {}).items()):
+
+        # ${ruleset}
+%  for rule in rules:
+        ${rule}
+%  endfor
+        # / ${ruleset}
+% endfor
+    }
+}
+
+table nat {
+    chain prerouting {
+        type nat hook prerouting priority -100
+
+% for rule in node.metadata.get('nftables/rules/nat_prerouting', []):
+        ${rule}
+% endfor
+    }
+    chain postrouting {
+        type nat hook postrouting priority 100
+
+% for rule in node.metadata.get('nftables/rules/nat_postrouting', []):
+        ${rule}
+% endfor
+    }
+}
+
+include "/etc/nftables-rules.d/*-*"