2017-08-07 12:09:13 +02:00
|
|
|
---
|
|
|
|
|
# defaults file for nftables
|
|
|
|
|
|
|
|
|
|
# packages
|
2017-08-07 13:48:54 +02:00
|
|
|
nft_pkg_manage: true
|
|
|
|
|
nft_pkg_state: 'installed'
|
|
|
|
|
|
|
|
|
|
# conf
|
|
|
|
|
nft_main_conf_path: '/etc/nftables.conf'
|
|
|
|
|
nft_main_conf_content: 'etc/nftables.conf.j2'
|
2017-08-08 13:42:02 +02:00
|
|
|
nft_input_conf_path: '/etc/nftables.d/inet-input.nft'
|
|
|
|
|
nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2'
|
2017-08-08 12:11:58 +02:00
|
|
|
nft_define_conf_path: '/etc/nftables.d/defines.nft'
|
|
|
|
|
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
2017-08-07 14:14:14 +02:00
|
|
|
|
2017-08-07 17:07:35 +02:00
|
|
|
# rules
|
|
|
|
|
nft_global_default_rules:
|
|
|
|
|
000 state management:
|
|
|
|
|
- ct state established,related accept
|
|
|
|
|
- ct state invalid drop
|
|
|
|
|
nft_global_group_rules: {}
|
|
|
|
|
nft_global_host_rules: {}
|
2017-08-07 17:41:03 +02:00
|
|
|
nft_input_default_rules:
|
|
|
|
|
000 policy:
|
|
|
|
|
- type filter hook input priority 0; policy drop;
|
|
|
|
|
001 global:
|
|
|
|
|
- jump global
|
|
|
|
|
nft_input_group_rules: {}
|
|
|
|
|
nft_input_host_rules: {}
|
2017-08-07 17:07:35 +02:00
|
|
|
|
2017-08-08 12:11:58 +02:00
|
|
|
# define nft vars
|
|
|
|
|
nft_define_default:
|
|
|
|
|
broadcast and multicast:
|
|
|
|
|
desc: 'broadcast and multicast'
|
|
|
|
|
name: badcast_addr
|
|
|
|
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
|
|
|
|
nft_define_group: {}
|
|
|
|
|
nft_define_host: {}
|
|
|
|
|
|
2017-08-07 14:14:14 +02:00
|
|
|
# service
|
|
|
|
|
nft_service_manage: true
|
|
|
|
|
nft_service_name: 'nftables'
|
