Frzk.nftables

Ansible Role: nftables


This Ansible role helps you install nftables and manage its settings.

For more about nftables, visit the official project page.

Role Variables

The variables shown in bold are required, while the others are optional.

Variable Name           Description                             Default Value
nftables_flush_ruleset  Should we clear the current ruleset?    yes
nftables_config_file    Path to the configuration file.         /etc/nftables.conf
nftables_tables         A list of tables.                       []

Table Properties

Property Name  Description                                                                      Default Value
name           Name of the table.
family         Address family of the table. Choose from ip, ip6, inet, arp, bridge or netdev.  ip
sets           A list of sets.
maps           A list of maps.
verdict_maps   A list of verdict maps.
chains         A list of chains.

Documentation

Set Properties

Property Name  Description
name           Name of the set.
type           Type of elements in the set: ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
size           Number of elements that the set can hold.
policy         Selection policy for the set: performance or memory.
timeout        Duration elements stay in the set.
flags          List of flags. Must include at least one of: constant, interval, timeout.
gc_interval    Garbage collection interval.
elements       A list of elements in the set. Elements must match the set type.

Documentation

Map Properties

Property Name  Description
name           Name of the map.
keys_type      Type of the keys: ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
values_type    Type of the values: ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, mark, counter or quota.
elements       A list of elements in the map. Elements must fit the keys_type and values_type.

Documentation

Map Element Properties

Property Name  Description
key            Key value.
value          Value linked to the key.

Verdict Map Properties

A verdict_map is a special type of map where the values_type is always verdict. It doesn't have a values_type property; instead, elements in a verdict_map have a verdict property.

Property Name  Description
name           Name of the verdict map.
keys_type      Type of the keys: ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
elements       A list of elements in the verdict map.

Verdict Map Element Properties

Property Name  Description
key            Key value.
verdict        Verdict linked to the key.

Chain Properties

Property Name  Description
name           Name of the chain.
base           Base rule for the chain.
rules          List of rules in the chain.

Documentation

Base Properties

Property Name  Description
type           The type of the chain: filter, nat or route.
hook           Hook where the chain is attached. Possible values depend on type.
priority       Integer that determines the order of chains attached to the same hook.
policy         Default policy for the chain: accept or drop.

Documentation

Rule Properties

Documentation

Property Name  Description
position       Determines the order of the rules in the chain.
statement      The rule statement.
comment        A comment that describes the rule.

Example

Here's a small example of how your configuration file could look.

IMPORTANT: DO NOT use this as your firewall!

---
nftables_flush_ruleset: yes
nftables_config_file: /etc/nftables.rules   # the documented variable is nftables_config_file
nftables_tables:
  - name: firewall
    family: inet

    sets:
      - name: "set1"
        type: "ipv4_addr"        # the elements below are IPv4 addresses
        size: 10
        policy: "performance"
        timeout: "1d"
        flags:
          - "timeout"
          - "interval"
        gc_interval: "12h"
        elements:
          - 192.0.2.1
          - 192.0.2.2

    maps:
      - name: "map1"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ssh
            value: "192.0.2.10"
      - name: "map2"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ftp
            value: "192.0.2.25"

    verdict_maps:
      - name: "vmap1"
        keys_type: "ipv4_addr"   # keys must match keys_type; elements carry a verdict, not a value
        elements:
          - key: "192.0.2.10"
            verdict: "accept"

    chains:
      - name: "input_filter"     # nft chain names are identifiers: no spaces
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"
        rules:                   # rendered in order of position, not list order
          - position: 2
            statement: "ct state invalid log prefix 'Invalid_IN: ' drop"
            comment: "Log and drop invalid packets."
          - position: 1
            statement: "iif lo accept"
          - position: 3
            statement: "ct state {established,related} accept"

      - name: "output_filter"
        base:
          type: "filter"
          hook: "output"
          priority: -10
          policy: "accept"
        rules:
          - position: 1
            statement: "ip daddr 192.0.2.100 counter"
...
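To make the mapping from the role's variables to nftables syntax concrete, here is a small renderer added for this page (it is not the role's own Jinja2 template, whose output layout may differ). It relies only on the property names documented above; SAMPLE is constructed from the example configuration.

```python
SAMPLE = {  # constructed from the README example above (trimmed)
    "nftables_flush_ruleset": True,
    "nftables_tables": [{"name": "firewall", "family": "inet",
        "sets": [{"name": "set1", "type": "ipv4_addr", "flags": ["timeout", "interval"],
                  "timeout": "1d", "gc_interval": "12h", "elements": ["192.0.2.1", "192.0.2.2"]}],
        "maps": [{"name": "map1", "keys_type": "inet_service", "values_type": "ipv4_addr",
                  "elements": [{"key": "ssh", "value": "192.0.2.10"}]}],
        "verdict_maps": [{"name": "vmap1", "keys_type": "ipv4_addr",
                          "elements": [{"key": "192.0.2.10", "verdict": "accept"}]}],
        "chains": [{"name": "input_filter", "rules": [{"position": 2, "statement": "ct state invalid drop"},
                    {"position": 1, "statement": "iif lo accept"}],
                    "base": {"type": "filter", "hook": "input", "priority": 0, "policy": "drop"}}]}]}

def block(head, body):  # emit an nft "head { ... }" block with its body indented
    return [f"{head} {{"] + [f"  {b}" for b in body] + ["}"]

def render_set(s):
    body = [f"type {s['type']}"]
    if s.get("flags"):
        body.append("flags " + ", ".join(s["flags"]))
    # gc_interval is spelled gc-interval in nft syntax
    body += [f"{k.replace('_', '-')} {s[k]}" for k in ("size", "policy", "timeout", "gc_interval") if k in s]
    if s.get("elements"):
        body.append("elements = { " + ", ".join(map(str, s["elements"])) + " }")
    return block(f"set {s['name']}", body)

def render_map(m, verdict=False):  # verdict maps have no values_type: the value type is "verdict"
    vtype, vkey = ("verdict", "verdict") if verdict else (m["values_type"], "value")
    body = [f"type {m['keys_type']} : {vtype}"]
    if m.get("elements"):
        body.append("elements = { " + ", ".join(f"{e['key']} : {e[vkey]}" for e in m["elements"]) + " }")
    return block(f"map {m['name']}", body)

def render_chain(c):
    b = c["base"]
    body = [f"type {b['type']} hook {b['hook']} priority {b['priority']}; policy {b['policy']};"]
    for r in sorted(c.get("rules", []), key=lambda r: r["position"]):  # position, not list order
        body.append(r["statement"] + (f"  # {r['comment']}" if r.get("comment") else ""))
    return block(f"chain {c['name']}", body)

def render_ruleset(v):
    lines = ["flush ruleset"] if v.get("nftables_flush_ruleset", True) else []  # default is yes
    for t in v.get("nftables_tables", []):
        body = []
        for s in t.get("sets", []): body += render_set(s)
        for m in t.get("maps", []): body += render_map(m)
        for m in t.get("verdict_maps", []): body += render_map(m, verdict=True)
        for c in t.get("chains", []): body += render_chain(c)
        lines += block(f"table {t.get('family', 'ip')} {t['name']}", body)
    return "\n".join(lines) + "\n"
```

Write the returned text to a file and validate it with `nft -c -f <file>` before loading it on a host.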

Testing

To test, follow these steps:

  1. Check the role syntax.
  2. Run it for the first time.
  3. Run it again and check if it behaves the same.

You can test on the following operating systems:

  • Debian 9
  • CentOS 7
  • Ubuntu 18.04

Contributing

We welcome code reviews, patches, comments, bug reports, and feature requests. Please read the Contributing Guide for more details.

Project information

Install and manage nftables.

Install: ansible-galaxy install Frzk.nftables
License: apache-2.0