initial commit

2020-04-30 13:51:19 +02:00 · 2020-04-30 13:51:19 +02:00 · 88b851cfff
commit 88b851cfff
4 changed files with 109 additions and 0 deletions
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@ -0,0 +1,56 @@
+#jinja2:lstrip_blocks: True
+#!/usr/sbin/nft -f
+
+{%- macro nftrule(name, rule) -%}
+	{{rule.matches }} {{ rule.statement }} comment "{{ name }}"
+{% endmacro %}
+
+{%- macro nftchain(name) -%}
+	{% for i in firewall.chains[name] %}
+		{% if not firewall.chains[name][i] is mapping %}
+			{% set tmprule = { 'matches': firewall.chains[name][i] }%}
+		{% else %}
+			{% set tmprule = firewall.chains[name][i] %}
+		{% endif%}
+		{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %}
+{{ nftrule(i, rule) }}
+	{% endfor %}
+{% endmacro%}
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+		policy {{ firewall.policies.input }};
+
+		iif lo accept comment "Accept any localhost traffic"
+		ct state invalid drop comment "Drop invalid connections"
+		ct state established,related accept comment "Accept traffic originated from us"
+
+		ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
+		ip protocol icmp accept comment "Accept ICMP"
+		ip protocol igmp accept comment "Accept IGMP"
+
+		{{ nftchain('input') }}
+
+		counter comment "Count dropped"
+
+	}
+	chain forward {
+		type filter hook forward priority 0;
+		policy {{ firewall.policies.forward }};
+
+		{{ nftchain('forward') }}
+
+		counter comment "Count dropped"
+	}
+	chain output {
+		type filter hook output priority 0;
+		policy {{ firewall.policies.output }};
+
+		{{ nftchain('output') }}
+	}
+}
+
+include "/etc/nftables/*.nft"