Define new sets and vars for output to avoid multiple redefinition of

the dicts.
Jeremy Gardais 2017-08-09 14:56:20 +02:00
parent f5f4b83a84
commit 2aafa3c320
3 changed files with 57 additions and 16 deletions


@ -4,6 +4,9 @@
### Features ### Features
* Manage nftables service at startup. * Manage nftables service at startup.
### Default Rules
* Use more sets and vars definitions to avoid multiple rules.
## v1.0 ## v1.0
### Features ### Features


@ -64,7 +64,7 @@ Each type of rules dictionaries will be merged and rules will be applied in the
``` yml ``` yml
# rules # rules
nft_global_default_rules: nft_global_default_rules:
000 state management: 005 state management:
- ct state established,related accept - ct state established,related accept
- ct state invalid drop - ct state invalid drop
nft_global_group_rules: {} nft_global_group_rules: {}
@ -93,10 +93,10 @@ nft_output_default_rules:
- jump global - jump global
015 localhost: 015 localhost:
- oif lo accept - oif lo accept
040 dhcp: 200 output udp accepted:
- udp sport bootpc udp dport bootps limit rate 6/minute accept - udp dport @output_udp_accept ct state new accept
050 domain: 210 output tcp accepted:
- udp dport domain ct state new accept - tcp dport @output_tcp_accept ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}
@ -106,12 +106,26 @@ nft_define_default:
desc: 'broadcast and multicast' desc: 'broadcast and multicast'
name: badcast_addr name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
output udp accepted:
name: output_udp_accept
value: '{ domain, bootps, ntp }'
output tcp accepted:
name: output_tcp_accept
value: '{ http, https }'
nft_define_group: {} nft_define_group: {}
nft_define_host: {} nft_define_host: {}
# sets and maps
nft_set_default: nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
- elements = $badcast_addr - elements = $badcast_addr
output_udp_accept:
- type inet_service; flags interval;
- elements = $output_udp_accept
output_tcp_accept:
- type inet_service; flags interval;
- elements = $output_tcp_accept
nft_set_group: {} nft_set_group: {}
nft_set_host: {} nft_set_host: {}
``` ```
@ -138,7 +152,7 @@ table ip firewall {
} }
``` ```
And you get the same result by displaying the ruleset on the host: `$ nft list ruleset`: And you can get all rules and definitons by displaying the ruleset on the host: `$ nft list ruleset`:
``` ```
table ip firewall { table ip firewall {
@ -147,6 +161,18 @@ table ip firewall {
elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251} elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251}
} }
set output_tcp_accept {
type inet_service
flags interval
elements = { http, https}
}
set output_udp_accept {
type inet_service
flags interval
elements = { domain, bootps, ntp}
}
chain global { chain global {
ct state established,related accept ct state established,related accept
ct state invalid drop ct state invalid drop
@ -155,9 +181,8 @@ table ip firewall {
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
jump global jump global
ip daddr @blackhole counter packets 3 bytes 204 drop ip daddr @blackhole counter packets 0 bytes 0 drop
iif "lo" accept iif "lo" accept
udp sport bootps udp dport bootpc limit rate 6/minute accept
tcp dport ssh ct state new counter packets 0 bytes 0 accept tcp dport ssh ct state new counter packets 0 bytes 0 accept
} }
@ -165,8 +190,8 @@ table ip firewall {
type filter hook output priority 0; policy drop; type filter hook output priority 0; policy drop;
jump global jump global
oif "lo" accept oif "lo" accept
udp sport bootpc udp dport bootps limit rate 6/minute accept udp dport @output_udp_accept ct state new accept
udp dport domain ct state new packets 0 bytes 0 accept tcp dport @output_tcp_accept ct state new accept
} }
} }
``` ```


@ -19,7 +19,7 @@ nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
# rules # rules
nft_global_default_rules: nft_global_default_rules:
000 state management: 005 state management:
- ct state established,related accept - ct state established,related accept
- ct state invalid drop - ct state invalid drop
nft_global_group_rules: {} nft_global_group_rules: {}
@ -48,10 +48,10 @@ nft_output_default_rules:
- jump global - jump global
015 localhost: 015 localhost:
- oif lo accept - oif lo accept
040 dhcp: 200 output udp accepted:
- udp sport bootpc udp dport bootps limit rate 6/minute accept - udp dport @output_udp_accept ct state new accept
050 domain: 210 output tcp accepted:
- udp dport domain ct state new accept - tcp dport @output_tcp_accept ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}
@ -61,13 +61,26 @@ nft_define_default:
desc: 'broadcast and multicast' desc: 'broadcast and multicast'
name: badcast_addr name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
output tcp accepted:
name: output_tcp_accept
value: '{ http, https }'
output udp accepted:
name: output_udp_accept
value: '{ bootps, domain, ntp }'
nft_define_group: {} nft_define_group: {}
nft_define_host: {} nft_define_host: {}
# sets and maps
nft_set_default: nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
- elements = $badcast_addr - elements = $badcast_addr
output_tcp_accept:
- type inet_service; flags interval;
- elements = $output_tcp_accept
output_udp_accept:
- type inet_service; flags interval;
- elements = $output_udp_accept
nft_set_group: {} nft_set_group: {}
nft_set_host: {} nft_set_host: {}
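Review bot: The new `200 output udp accepted` and `210 output tcp accepted` entries change the default egress policy rather than only its layout: `bootps` is now matched from any source port with no `limit rate`, and `ntp`, `http` and `https` are accepted on output where the old defaults only allowed DHCP and DNS, none of which is reflected in the changelog line. If the wider defaults are intended, document them on `nft_define_default`, e.g. `# default egress allow-list; override per group/host via nft_define_group / nft_define_host`, otherwise keep the rate-limited `bootpc`/`bootps` rule next to the set-based one. The `flags interval;` on both new `inet_service` sets is only needed when the set holds ranges; for the discrete service names used here it can presumably be dropped, though it is harmless. The README example uses `'{ domain, bootps, ntp }'` while this file uses `'{ bootps, domain, ntp }'`; keeping the two identical makes the documented ruleset match what the role installs.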