From 3f1dc105fd9c0e48454b6269d1cc11c0fedad967 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?=
Date: Fri, 29 May 2026 09:55:33 +0000
Subject: [PATCH] introduce a new cookbook: nftables
---
 cookbooks/nftables/Makefile | 14 ++++++
 cookbooks/nftables/config/00-global.nft | 46 +++++++++++++++++++
 .../nftables/config/20-standard-rules.nft | 7 +++
 cookbooks/nftables/hooks.mk | 5 ++
 cookbooks/nftables/other/nftables.conf | 1 +
 5 files changed, 73 insertions(+)
 create mode 100644 cookbooks/nftables/Makefile
 create mode 100755 cookbooks/nftables/config/00-global.nft
 create mode 100755 cookbooks/nftables/config/20-standard-rules.nft
 create mode 100644 cookbooks/nftables/hooks.mk
 create mode 100644 cookbooks/nftables/other/nftables.conf
diff --git a/cookbooks/nftables/Makefile b/cookbooks/nftables/Makefile
new file mode 100644
index 0000000..b5d6376
--- /dev/null
+++ b/cookbooks/nftables/Makefile
@@ -0,0 +1,14 @@
+##
+## Makefile for nftables quadlet
+##
+
+# Additional nftables directories and files
+TARGET_FILES += $(TARGET_CHROOT)/etc/sysconfig/nftables.conf
+$(TARGET_CHROOT)/etc/sysconfig/nftables.conf: other/nftables.conf
+ install -D -o root -g root -m 755 $< $@
+
+SYSTEMD_MAIN_UNIT_NAMES = nftables.service
+
+# Include common Makefile
+include ../../scripts/common.mk
+
diff --git a/cookbooks/nftables/config/00-global.nft b/cookbooks/nftables/config/00-global.nft
new file mode 100755
index 0000000..59b7a31
--- /dev/null
+++ b/cookbooks/nftables/config/00-global.nft
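Review bot: The install recipe for `/etc/sysconfig/nftables.conf` uses `-m 755`, which sets the executable bit on a configuration file that nftables only reads; hooks.mk in the same commit installs its rule files with `0644`, so the two are inconsistent. Change the recipe to `install -D -o root -g root -m 0644 $< $@`. The `+ install` line also shows up here with a space prefix; if that is how it is in the file rather than a paste artefact, Make will reject it with "missing separator" because recipe lines need a leading tab.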
@@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet itix-fw {
+ chain input {
+ type filter hook input priority filter + 20
+ policy drop
+
+ ct state invalid counter drop
+ ct state { established, related } counter accept
+
+ # Loopback
+ iifname lo counter accept
+ }
+
+ chain output {
+ type filter hook output priority filter + 20
+ policy drop
+
+ ct state invalid counter drop
+ ct state { established, related } counter accept
+
+ # Loopback
+ oifname lo counter accept
+ }
+
+ chain forward {
+ type filter hook forward priority filter + 20
+ policy drop
+
+ # Loopback
+ iifname lo oifname lo counter accept
+ }
+}
+
+table inet itix-nat {
+ chain prerouting {
+ type nat hook prerouting priority dstnat + 20
+ policy accept
+ }
+ chain postrouting {
+ type nat hook postrouting priority srcnat + 20
+ policy accept
+ }
+}
diff --git a/cookbooks/nftables/config/20-standard-rules.nft b/cookbooks/nftables/config/20-standard-rules.nft
new file mode 100755
index 0000000..5717a54
--- /dev/null
+++ b/cookbooks/nftables/config/20-standard-rules.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# Enable SSH connections from anywhere
+add rule inet itix-fw input tcp dport 22 counter accept
+
+# Allow outgoing connections
+add rule inet itix-fw output counter accept
diff --git a/cookbooks/nftables/hooks.mk b/cookbooks/nftables/hooks.mk
new file mode 100644
index 0000000..ab69cd6
--- /dev/null
+++ b/cookbooks/nftables/hooks.mk
@@ -0,0 +1,5 @@
+# Nftables configuration files
+TARGET_NFTABLES_FILES = $(patsubst other/nftables/%, $(TARGET_CHROOT)/etc/quadlets/nftables/%, $(wildcard other/nftables/*))
+TARGET_EXAMPLE_FILES += $(TARGET_NFTABLES_FILES)
+$(TARGET_CHROOT)/etc/quadlets/nftables/%: other/nftables/%
+ install -m 0644 -o root -g root $< $@
diff --git a/cookbooks/nftables/other/nftables.conf b/cookbooks/nftables/other/nftables.conf
new file mode 100644
index 0000000..18e6ca1
--- /dev/null
+++ b/cookbooks/nftables/other/nftables.conf
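Review bot: The `inet` input chain has `policy drop` and no ICMP rule, so IPv6 neighbour discovery (ICMPv6 neighbor/router solicitation and advertisement) will be dropped — those messages are not part of an established or related conntrack flow, so they fall through to the policy and IPv6 addressing on the host is likely to stop working. Add after the established/related rule either `meta l4proto { icmp, icmpv6 } counter accept` or, more narrowly, `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } counter accept`. The `iifname lo oifname lo counter accept` rule in the forward chain is dead, since loopback traffic never traverses the forward hook, and can be removed to avoid misleading readers. The forward chain, unlike input and output, also has no `ct state` handling; if it is meant to stay a pure drop until another file adds rules, a comment to that effect would help.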
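Review bot: `add rule inet itix-fw output counter accept` accepts every outgoing packet unconditionally, which makes the `policy drop`, the `ct state invalid drop` and the `ct state { established, related }` rules in the output chain of 00-global.nft pointless. If unrestricted egress is the intended baseline, setting `policy accept` on the output chain in 00-global.nft would state that directly; if egress filtering is the goal, this rule should be narrowed to the protocols and ports actually needed. The comment above the SSH rule could also say that it is the only inbound service opened by default, so readers know where additional services belong.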
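Review bot: `$(wildcard other/nftables/*)` refers to a directory this commit does not create — the rule files are added under `config/` — so `TARGET_NFTABLES_FILES` expands to nothing and the pattern rule below it never fires, unless common.mk installs `config/` into `/etc/quadlets/nftables/` on its own (not visible here); if it does not, the `*.nft` include in other/nftables.conf matches no files at runtime. The assignment should also be `TARGET_NFTABLES_FILES := $(patsubst ...)`, so the `wildcard` is evaluated once rather than on every reference. Unlike the Makefile rule in this commit, the `install` here lacks `-D`, so it fails when the target directory does not yet exist; use `install -D -m 0644 -o root -g root $< $@`.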
@@ -0,0 +1 @@
+include "/etc/quadlets/nftables/*.nft"
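Review bot: The ruleset's correctness depends on 00-global.nft (which carries the `flush ruleset` and the table definitions) being loaded before 20-standard-rules.nft; nft loads wildcard includes in alphabetical order, so the numeric prefixes carry that whole contract and an unprefixed file dropped into the directory would sort after the existing ones. A one-line comment in this file stating the convention, e.g. `# loaded in name order: 00-global.nft must flush and define the tables first`, would keep future additions safe.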