#!/usr/sbin/nft -f
#
# /etc/nftables.conf - FFHO packet filter configuration
#
{%- set roles = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':roles', []) %}
{%- set acls = salt['pillar.get']('firewall:acls') %}
{%- set admin_access = salt['pillar.get']('firewall:admin_access') %}
{%- set ssh = salt['pillar.get']("firewall:ssh") %}
{%- set services = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':services', []) %}
{%- set icinga2_queriers = salt['pillar.get']('monitoring:icinga2:queriers', []) %}
{%- set nms_list = salt['pillar.get']('globals:snmp:nms_list', []) %}

flush ruleset

table ip filter {
	set ibgp-peers {
		type ipv4_addr
		elements = {
			10.132.255.1,	# cr01.in.ffho.net
			10.132.255.2,	# cr02.in.ffho.net
			10.132.255.3,	# cr03.in.ffho.net
		}
	}

	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" counter accept
		ip protocol icmp counter jump icmp_chain
		tcp dport 7 counter drop comment "Ignore echo protocol queries"
		ct state invalid counter drop
		counter jump admin_access
		counter jump monitoring
		tcp dport 22 counter jump ssh
{%- if 'router' in roles %}
		ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf accept
		tcp dport 179 counter jump bgp
{%- endif %}
		ct state related,established counter accept
		counter jump services
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
		counter drop
	}

	chain icmp_chain {
		icmp type { echo-request, destination-unreachable, time-exceeded } counter accept
	}

	chain admin_access {
{%- for pfx in admin_access[4].keys()|sort %}
  {%- set comment = admin_access[4][pfx] %}
		ip saddr {{ pfx }} counter accept comment "{{ comment }}"
{%- endfor %}
	}

{%- if 'router' in roles %}
	chain bgp {
		ip saddr @ibgp-peers counter accept comment "iBGP peers"
		# TODO: Add external BGP peers, if any
	}
{%- endif %}

	chain monitoring {
{%- for ip in icinga2_queriers if not ":" in ip %}
		ip saddr {{ ip }} counter accept comment "Icinga2"
{%- endfor %}
{%- for ip in nms_list if not ":" in ip %}
		ip saddr {{ ip }} udp dport 161 counter accept comment "NMS"
{%- endfor %}
	}

	chain ssh {
{%- for pfx in ssh[4].keys()|sort %}
  {%- set comment = ssh[4][pfx] %}
		ip saddr {{ pfx }} counter accept comment "{{ comment }}"
{%- endfor %}
	}

	chain services {
{%- for rule in salt['ffho_netfilter.generate_service_rules'](services, acls, 4) %}
		{{ rule }}
{%- endfor %}
	}

	chain log-drop {
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		counter drop
	}

	chain log-reject {
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
		counter drop
	}
}

table ip6 filter {
	set ibgp-peers {
		type ipv6_addr
		elements = {
			2a03:2260:2342:ffff::1,	# cr01.in.ffho.net
			2a03:2260:2342:ffff::2,	# cr02.in.ffho.net
			2a03:2260:2342:ffff::3,	# cr03.in.ffho.net
		}
	}

	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" counter accept
		ip6 nexthdr icmpv6 counter jump icmp_chain
		tcp dport 7 counter drop comment "Ignore echo protocol queries"
		ct state invalid counter drop comment "Drop packets that do not make sense."
		counter jump admin_access
		counter jump monitoring
		tcp dport 22 counter jump ssh
{%- if 'router' in roles %}
		ip6 saddr fe80::/64 ip6 daddr { fe80::/10, ff02::5, ff02::6 } meta l4proto ospf accept
		tcp dport 179 counter jump bgp
{%- endif %}
		ct state related,established counter accept comment "Allow established connections."
		counter jump services
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
		counter drop
	}

	chain icmp_chain {
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } counter accept
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 counter accept
	}

	chain admin_access {
{%- for pfx in admin_access[6].keys()|sort %}
  {%- set comment = admin_access[6][pfx] %}
		ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
{%- endfor %}
	}

{%- if 'router' in roles %}
	chain bgp {
		ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
		# TODO: Add external BGP peers, if any
	}
{%- endif %}

	chain monitoring {
{%- for ip in icinga2_queriers if ":" in ip %}
		ip6 saddr {{ ip }} counter accept comment "Icinga2"
{%- endfor %}
{%- for ip in nms_list if ":" in ip %}
		ip6 saddr {{ ip }} udp dport 161 counter accept comment "NMS"
{%- endfor %}
	}

	chain ssh {
{%- for pfx in ssh[6].keys()|sort %}
  {%- set comment = ssh[6][pfx] %}
		ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
{%- endfor %}
	}

	chain services {
{%- for rule in salt['ffho_netfilter.generate_service_rules'](services, acls, 6) %}
		{{ rule }}
{%- endfor %}
	}

	chain log-drop {
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		counter drop
	}

	chain log-reject {
		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
		limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
		counter drop
	}
}