From a8ef3a46cb951ef56ff2b688279c55a27bb3131d Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Fri, 10 Mar 2023 00:08:11 +0100
Subject: [PATCH] updated nftables state

---
 states/nftables/templates/rules.nft.j2 | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/states/nftables/templates/rules.nft.j2 b/states/nftables/templates/rules.nft.j2
index 9fb72a3..ff548f1 100644
--- a/states/nftables/templates/rules.nft.j2
+++ b/states/nftables/templates/rules.nft.j2
@@ -13,11 +13,13 @@ add rule ip filter INPUT iifname lo counter accept
 add rule ip filter INPUT iifname tun* counter accept
 add rule ip filter INPUT ct state related,established counter accept
 add rule ip filter INPUT ip protocol icmp counter accept
-{%- for key, value in net.ipv4_networks.items() %}
-add rule ip filter INPUT ip saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
+{%- for network in net.ip_networks %}
+{%- if '.' in network %}
+add rule ip filter INPUT ip saddr {{ network }} ct state established,new counter accept
+{%- endif %}
 {%- endfor %}
-{%- for key, value in net.public_ports.items() %}
-add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
+{%- for port in net.public_ports %}
+add rule ip filter INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
 {%- endfor %}
 {%- if nftables.log %}
 add rule ip filter INPUT counter log
@@ -33,8 +35,8 @@ add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy
 add chain ip nat DOCKER
 
 ### Main NAT rules
-{%- for key, value in net.nats.items() %}
-add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
+{%- for network in net.nats %}
+add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade
 {%- endfor %}
 
 ### Docker related rules
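Review bot: `port.split('/')[1]` in the new public_ports loop has no guard for an entry without a '/' (a bare `22`, say): depending on the Undefined class the renderer uses, that either aborts the render or silently emits `dport ` with nothing after it, and in the second case `nft -f` rejects the whole generated ruleset rather than one rule; a three-line guard such as `{%- set proto, _, dport = port.partition('/') %}` / `{%- if proto and dport %}` … `{%- endif %}` around the rule would skip the bad entry, ideally with an `# invalid public_ports entry: {{ port }}` comment in the `else` branch so the omission is visible in the output. The `'.' in network` test on the ip_networks loop also lets an IPv4-mapped IPv6 entry such as `::ffff:192.0.2.0/120` (constructed example) through into an `ip saddr` rule, which nft rejects; `{%- if '.' in network and ':' not in network %}` keeps the two families disjoint. Both points apply equally to the ip6 hunk at `@@ -55,11 +57,13 @@`. Moving from the `ipv4_networks`/`ipv6_networks`/`public_ports` dicts to flat lists changes the pillar schema, and this commit does not show the data side being migrated — worth confirming it landed.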
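Review bot: The NAT loop now emits every `net.nats` entry as `ip saddr … masquerade` without the '.'/':' family check that the INPUT loops in this same patch apply, so if `net.nats` follows the same mixed-family convention as `net.ip_networks`, a single IPv6 entry yields an invalid `ip saddr` expression and nft refuses to load the ruleset. Either apply the same `{%- if '.' in network %}` guard here or state the contract in the template, e.g. `### Main NAT rules (net.nats: IPv4 networks only; IPv6 is not masqueraded)`. Whether the pillar actually holds only IPv4 values is not visible from this hunk.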
@@ -55,11 +57,13 @@ add rule ip6 filter6 INPUT iifname lo counter accept
 add rule ip6 filter6 INPUT iifname tun* counter accept
 add rule ip6 filter6 INPUT ct state related,established counter accept
 add rule ip6 filter6 INPUT icmpv6 type {destination-unreachable, packet-too-big, time-exceeded, echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect, parameter-problem, router-renumbering} accept
-{%- for key, value in net.ipv6_networks.items() %}
-add rule ip6 filter6 INPUT ip6 saddr {{ value.ip }}/{{ value.mask }} ct state established,new counter accept
+{%- for network in net.ip_networks %}
+{%- if ':' in network %}
+add rule ip6 filter6 INPUT ip6 saddr {{ network }} ct state established,new counter accept
+{%- endif %}
 {%- endfor %}
-{%- for key, value in net.public_ports.items() %}
-add rule ip6 filter6 INPUT {{ value.proto }} dport {{ value.port }} ct state established,new counter accept
+{%- for port in net.public_ports %}
+add rule ip6 filter6 INPUT {{ port.split('/')[0] }} dport {{ port.split('/')[1] }} ct state established,new counter accept
 {%- endfor %}
 {%- if nftables.log %}
 add rule ip6 filter6 INPUT counter log