bundlewrap/bundles/nftables/files/nftables.conf


#!/usr/sbin/nft -f
# BundleWrap-managed nftables ruleset, rendered from a Mako template: lines
# beginning with "%" are template control flow and the dollar-brace
# placeholders are substituted from node metadata before the file is written.
# The rendered file is then loaded with "nft -f" as a single transaction
# (a syntax error in any interpolated rule should reject the whole load and
# leave the previous ruleset in place -- confirm on the target nft version).
#
# "flush ruleset" removes every table of every family, so the active firewall
# is exactly what this file and the include at the bottom declare.
flush ruleset
# inet family: this one table covers both IPv4 and IPv6.
table inet filter {
chain input {
type filter hook input priority 0
# Default-deny: anything not accepted by a rule below is dropped.
policy drop
# Drop TCP SYNs that advertise a very small MSS (1-500 bytes); accepting them
# would let a peer force the host into many tiny segments per connection.
tcp flags syn tcp option maxseg size 1-500 drop
# Packets of flows conntrack already knows about bypass the rest of the chain.
ct state { established, related } accept
ct state invalid drop
iif lo accept
# ICMP timestamp request/reply are refused (they disclose the host clock);
# all other ICMPv4 and ICMPv6 is accepted. ICMPv6 must stay open for
# neighbour discovery and path-MTU discovery to work.
icmp type timestamp-request drop
icmp type timestamp-reply drop
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
# Node-specific input rules from metadata key nftables/rules/input, a mapping
# of ruleset name -> list of raw nft rule strings. Rulesets are emitted in
# sorted order of their name; within a ruleset the list order is kept.
# Rule strings are inserted verbatim, so they are trusted as nft syntax and
# the ruleset name is only used for the marker comments.
% for ruleset, rules in sorted(node.metadata.get('nftables/rules/input', {}).items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
# / ${ruleset}
% endfor
}
chain output {
type filter hook output priority 0
# Locally generated traffic is not restricted.
policy accept
}
chain forward {
type filter hook forward priority 0
# No forwarding unless metadata adds explicit accept rules below.
policy drop
icmp type timestamp-request drop
icmp type timestamp-reply drop
# Same shape as the input rulesets, from metadata key nftables/rules/forward.
% for ruleset, rules in sorted(node.metadata.get('nftables/rules/forward', {}).items()):
# ${ruleset}
% for rule in rules:
${rule}
% endfor
# / ${ruleset}
% endfor
}
}
# No family keyword, so this table is family "ip": these NAT chains apply to
# IPv4 only. IPv6 NAT would need a separate ip6 table.
table nat {
chain prerouting {
type nat hook prerouting priority -100
# Rules come from metadata key nftables/rules/nat_prerouting as a flat list.
# Note that the list itself is sorted, so rules are emitted in lexical order,
# not the order they were written in -- ordering-sensitive NAT rules must be
# named/written with that in mind.
% for rule in sorted(node.metadata.get('nftables/rules/nat_prerouting', [])):
${rule}
% endfor
}
chain postrouting {
type nat hook postrouting priority 100
# Same lexical-order caveat as prerouting; key nftables/rules/nat_postrouting.
% for rule in sorted(node.metadata.get('nftables/rules/nat_postrouting', [])):
${rule}
% endfor
}
}
# Drop-in rule files are loaded after everything above and can add tables or
# append rules to the chains declared here, so they are part of the effective
# policy and need the same review as this file.
# NOTE(review): confirm that a glob matching no file is not an error on the
# installed nft version, otherwise an empty directory would fail the load.
include "/etc/nftables-rules.d/*-*"