--- # defaults file for nftables # packages nft_pkg_manage: true nft_pkg_state: 'installed' # conf nft_main_conf_path: '/etc/nftables.conf' nft_main_conf_content: 'etc/nftables.conf.j2' nft_input_conf_path: '/etc/nftables.d/inet-input.nft' nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2' nft_define_conf_path: '/etc/nftables.d/defines.nft' nft_define_conf_content: 'etc/nftables.d/defines.nft.j2' nft_set_conf_path: '/etc/nftables.d/inet-sets.nft' nft_set_conf_content: 'etc/nftables.d/inet-sets.nft.j2' # rules nft_global_default_rules: 000 state management: - ct state established,related accept - ct state invalid drop nft_global_group_rules: {} nft_global_host_rules: {} nft_input_default_rules: 000 policy: - type filter hook input priority 0; policy drop; 005 global: - jump global 010 drop unwanted: - ip daddr @blackhole counter drop 022 ssh: - tcp dport ssh ct state new counter accept nft_input_group_rules: {} nft_input_host_rules: {} # define nft vars nft_define_default: broadcast and multicast: desc: 'broadcast and multicast' name: badcast_addr value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' nft_define_group: {} nft_define_host: {} nft_set_default: blackhole: - type ipv4_addr; - elements = $badcast_addr nft_set_group: {} nft_set_host: {} # service nft_service_manage: true nft_service_name: 'nftables'