74 lines
1.5 KiB
Django/Jinja
74 lines
1.5 KiB
Django/Jinja
#jinja2:lstrip_blocks: True
|
|
#!/usr/sbin/nft -f
|
|
|
|
{%- macro nftrule(rule) -%}
|
|
{{rule.matches }} {% if not rule.statement == "counter" or not rule.counter %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}"
|
|
{% endmacro %}
|
|
|
|
{%- macro nftchain(name) -%}
|
|
{% for rule in firewall.chains[name]|expand_nft_rules([firewall.defaults.all, firewall.defaults[name]])|sort(attribute='priority') %}
|
|
{{ nftrule(rule) }}
|
|
{% endfor %}
|
|
{% endmacro%}
|
|
|
|
flush ruleset
|
|
|
|
{% for i in firewall.vars %}
|
|
define {{ i }} = { {{ firewall.vars[i]|join(', ') }} }
|
|
{% endfor %}
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0;
|
|
policy {{ firewall.policies.input }};
|
|
|
|
{{ nftchain('input') }}
|
|
|
|
counter comment "Count dropped"
|
|
|
|
}
|
|
chain forward {
|
|
type filter hook forward priority 0;
|
|
policy {{ firewall.policies.forward }};
|
|
|
|
{{ nftchain('forward') }}
|
|
|
|
counter comment "Count dropped"
|
|
}
|
|
chain output {
|
|
type filter hook output priority 0;
|
|
policy {{ firewall.policies.output }};
|
|
|
|
{{ nftchain('output') }}
|
|
}
|
|
}
|
|
|
|
table ip nat {
|
|
# NAT
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100;
|
|
|
|
{{ nftchain('nat_prerouting') }}
|
|
}
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100;
|
|
|
|
{{ nftchain('nat_postrouting') }}
|
|
}
|
|
}
|
|
|
|
table ip6 nat {
|
|
# NAT
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100;
|
|
|
|
{{ nftchain('nat6_prerouting') }}
|
|
}
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100;
|
|
|
|
{{ nftchain('nat6_postrouting') }}
|
|
}
|
|
}
|
|
|
|
include "/etc/nftables.d/*.nft"
|