introduce a new cookbook: nftables

4 weeks ago · 3f1dc105fd
5 changed files with 73 additions and 0 deletions
--- a/cookbooks/nftables/Makefile
+++ b/cookbooks/nftables/Makefile
@ -0,0 +1,14 @@
 ##
 ## Makefile for nftables quadlet
 ##
 # Additional nftables directories and files
 TARGET_FILES += $(TARGET_CHROOT)/etc/sysconfig/nftables.conf
 $(TARGET_CHROOT)/etc/sysconfig/nftables.conf: other/nftables.conf
 	install -D -o root -g root -m 755 $< $@
 SYSTEMD_MAIN_UNIT_NAMES = nftables.service
 # Include common Makefile
 include ../../scripts/common.mk
--- a/cookbooks/nftables/config/00-global.nft
+++ b/cookbooks/nftables/config/00-global.nft
@ -0,0 +1,46 @@
 #!/usr/sbin/nft -f
 flush ruleset
 table inet itix-fw {
    chain input {
        type filter hook input priority filter + 20
        policy drop
        ct state invalid counter drop
        ct state { established, related } counter accept
        # Loopback
        iifname lo counter accept
    }
    chain output {
        type filter hook output priority filter + 20
        policy drop
        ct state invalid counter drop
        ct state { established, related } counter accept
        # Loopback
        oifname lo counter accept
    }
    chain forward {
        type filter hook forward priority filter + 20
        policy drop
        # Loopback
        iifname lo oifname lo counter accept
    }
 }
 table inet itix-nat {
    chain prerouting {
        type nat hook prerouting priority dstnat + 20
        policy accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat + 20
        policy accept
    }
 }
--- a/cookbooks/nftables/config/20-standard-rules.nft
+++ b/cookbooks/nftables/config/20-standard-rules.nft
@ -0,0 +1,7 @@
 #!/usr/sbin/nft -f
 # Enable SSH connections from anywhere
 add rule inet itix-fw input tcp dport 22 counter accept
 # Allow outgoing connections
 add rule inet itix-fw output counter accept
--- a/cookbooks/nftables/hooks.mk
+++ b/cookbooks/nftables/hooks.mk
@ -0,0 +1,5 @@
 # Nftables configuration files
 TARGET_NFTABLES_FILES = $(patsubst other/nftables/%, $(TARGET_CHROOT)/etc/quadlets/nftables/%, $(wildcard other/nftables/*))
 TARGET_EXAMPLE_FILES += $(TARGET_NFTABLES_FILES)
 $(TARGET_CHROOT)/etc/quadlets/nftables/%: other/nftables/%
 	install -m 0644 -o root -g root $< $@
--- a/cookbooks/nftables/other/nftables.conf
+++ b/cookbooks/nftables/other/nftables.conf
@ -0,0 +1 @@
 include "/etc/quadlets/nftables/*.nft"