
nftables: Allow DHCP requests according to firewall policy

  If »dhcp_roles« is set in the »firewall« pillar and at least one role of
  the current node is in this list, DHCP requests will be accepted for IPv4.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 лет назад
Родитель
Сommit
9f302065c1
2 измененных файлов с 15 добавлено и 0 удалено
  1. 10 0
      _modules/ffho_netfilter.py
  2. 5 0
      nftables/nftables.conf.tmpl

+ 10 - 0
_modules/ffho_netfilter.py

@@ -203,3 +203,13 @@ def generate_urpf_policy (interfaces):
 		sorted_urpf.append (urpf[iface])
 
 	return sorted_urpf
+
+
+#
+# Check if at least one of the node roles are supposed to run DHCP
+def allow_dhcp (fw_policy, roles):
+	for dhcp_role in fw_policy.get ('dhcp_roles', []):
+		if dhcp_role in roles:
+			return True
+
+	return False
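Review bot: `fw_policy.get ('dhcp_roles', [])` in `allow_dhcp` assumes the pillar value is a list; a single role written as a bare string is iterated character by character, so the node silently ends up without the DHCP rule and nothing in the rendered ruleset hints why. Normalising a string to a one-element list before the membership test closes that gap, and the loop then collapses to `any`. Turning the leading `#` comment into a docstring would also make the function visible through Salt's `sys.doc`. The rewritten body is below.
```python
def allow_dhcp (fw_policy, roles):
	"""Return True if at least one of the node roles is listed in fw_policy['dhcp_roles']."""
	dhcp_roles = fw_policy.get ('dhcp_roles', [])

	# A single role given as a bare string would otherwise be iterated char by char
	if isinstance (dhcp_roles, str):
		dhcp_roles = [dhcp_roles]

	return any (role in roles for role in dhcp_roles)
```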

+ 5 - 0
nftables/nftables.conf.tmpl

@@ -18,6 +18,7 @@
 {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_policy, roles, nf_cc) %}
 {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](roles, nf_cc) %}
 {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config['ifaces']) %}
+{%- set allow_dhcp = salt['ffho_netfilter.allow_dhcp'](fw_policy, roles) %}
 
 flush ruleset
 
@@ -112,6 +113,10 @@ table ip filter {
 	}
 
 	chain services {
+{%- if allow_dhcp %}
+		udp dport 67 counter accept comment "DHCP"
+{%- endif %}
+
 {%- for rule in salt['ffho_netfilter.generate_service_rules'](services, acls, 4) %}
 		{{ rule }}
 {%- endfor %}
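Review bot: The new `udp dport 67 counter accept comment "DHCP"` rule in `chain services` carries no interface qualifier, so once a node has a matching role DHCP requests are accepted on every interface covered by `table ip filter`, not only on the client-facing ones. If nodes carrying one of the `dhcp_roles` also have uplink or transit interfaces, an `iifname` match on the interfaces the DHCP server is meant to listen on would keep the exposure where it belongs; if accepting on all interfaces is intended, a template comment saying so would save the next reader the question. The `chain services` block is opened inside this hunk but its closing brace lies outside it.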