From c9088a7a246b63b37173a09bf5efad8958c7fa2a Mon Sep 17 00:00:00 2001
From: nd
Date: Fri, 17 Sep 2021 03:42:30 +0200
Subject: [PATCH] move defaults to variables and clean up

---
 defaults/main.yml          | 26 +++++++++++++++++++++++++-
 templates/nftables.conf.j2 | 22 +++++++--------------
 2 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 978e603..46b8a83 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,6 +3,7 @@ firewall:
     all:
       statement: accept
       matches: ~
+      priority: 1000
     input: {}
     forward: {}
     output: {}
@@ -12,9 +13,32 @@ firewall:
 nat6_postrouting: {} chains: input: "statefull-invalid": matches: ct state invalid priority: 240 statement: drop "statefull-accept": matches: ct state established,related priority: 250 allow_localhost: matches: iif lo priority: 500 allow_icmp: matches: ip protocol icmp priority: 500 allow_icmp6: matches: ip6 nexthdr icmpv6 priority: 500 allow_ssh: tcp dport ssh output: {} - forward: {} + forward: "statefull-invalid": matches: ct state invalid priority: 240 statement: drop "statefull-accept": matches: ct state established,related priority: 250 nat_prerouting: {} nat_postrouting: {} nat6_prerouting: {}
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 9201e70..143aae3 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
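Review bot: The new `priority: 1000` under `defaults.all` is the sort key the template uses to order every rule in a chain, but nothing in defaults/main.yml says what it is or which way it sorts, so a reader tuning a rule has to open the template to find out. A one-line comment above it would do: `# rules are emitted in ascending priority order; 1000 keeps un-prioritised rules (e.g. allow_ssh) last`. The ascending direction is inferred from the template's `sort(attribute='priority')` in this same commit, so confirm that is the intended semantics before pinning it in a comment.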
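Review bot: `allow_localhost` is given priority 500, which sorts `iif lo accept` after the `ct state invalid drop` rule at 240, whereas the hard-coded rules this replaces in templates/nftables.conf.j2 had `iif lo accept` first; loopback packets that conntrack flags as invalid are now dropped instead of accepted, a behaviour change the commit message does not mention, and `priority: 100` on `allow_localhost` would keep the original order. The removed `ip protocol igmp accept` rule has no counterpart in the new defaults, so if `firewall.policies.input` is a drop policy, hosts that depend on multicast group membership silently lose IGMP; either add `allow_igmp:` / `matches: ip protocol igmp` / `priority: 500` or state in the commit that the removal is intentional. While the ICMP rules are being turned into data, consider narrowing `allow_icmp` to the types a host actually needs and rate-limiting echo-request instead of accepting every type, and keep `allow_icmp6` broad enough that NDP still works. The quoted keys `"statefull-invalid"` / `"statefull-accept"` end up verbatim as nft comments, so the spelling (`stateful`) is worth fixing now, before anyone greps the live ruleset for it.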
@@ -1,19 +1,22 @@ #jinja2:lstrip_blocks: True #!/usr/sbin/nft -f -{%- macro nftrule(name, rule) -%} - {{rule.matches }} {{ rule.statement }} comment "{{ name }}" +{%- macro nftrule(rule) -%} + {{rule.matches }} {% if not rule.statement == "counter" %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}" {% endmacro %} {%- macro nftchain(name) -%} + {% set chain_rules = [] %} {% for i in firewall.chains[name] %} {% if not firewall.chains[name][i] is mapping %} {% set tmprule = { 'matches': firewall.chains[name][i] }%} {% else %} {% set tmprule = firewall.chains[name][i] %} {% endif%} - {% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %} - {{ nftrule(i, rule) }} + {% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }} + {% endfor %} + {% for rule in chain_rules|sort(attribute='priority') %} + {{ nftrule(rule) }} {% endfor %} {% endmacro%}
@@ -28,14 +31,6 @@ table inet filter { type filter hook input priority 0; policy {{ firewall.policies.input }}; - iif lo accept comment "Accept any localhost traffic" - ct state invalid drop comment "Drop invalid connections" - ct state established,related accept comment "Accept established (statefull)" - - ip6 nexthdr icmpv6 accept comment "Accept ICMPv6" - ip protocol icmp accept comment "Accept ICMP" - ip protocol igmp accept comment "Accept IGMP" - {{ nftchain('input') }} counter comment "Count dropped"
@@ -45,9 +40,6 @@ table inet filter { type filter hook forward priority 0; policy {{ firewall.policies.forward }}; - ct state invalid drop comment "Drop invalid connections" - ct state established,related accept comment "Accept established (statefull)" - {{ nftchain('forward') }} counter comment "Count dropped"
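Review bot: `{{ chain_rules.append(rule) }}` on the new `set rule` line in `nftchain` is an output expression, and `list.append` returns `None`, so unless the templating environment suppresses it the literal string `None` is written once per rule into every chain of the generated nftables.conf and `nft -f` will refuse the whole file; make it a statement instead, `{% set _ = chain_rules.append(rule) %}`. Separately, `rule.comment` is interpolated without any escaping into `comment "{{ rule.comment }}"`, and this commit turns it into an overridable field (`{'comment': i}` is merged before `tmprule`), so a rule name or explicit `comment:` containing a double quote breaks the statement or lets inventory data smuggle extra nft syntax into a file nft loads with full privileges; restrict it to a safe character set, e.g. `comment "{{ rule.comment | regex_replace('[^A-Za-z0-9 _.-]', '_') }}"`. `matches` and `statement` are raw nft fragments by design and so require the same trust in inventory data, which deserves a one-line comment above `nftrule` saying so. Both macros lie fully within this hunk, but its blank lines and context markers were lost in this rendering, so exact line placement is inferred.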