nftables.conf.tmpl 8.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310
  1. #!/usr/sbin/nft -f
  2. #
  3. # /etc/nftables.conf - FFHO packet filter configuration
  4. #
  5. {%- set nodes = salt['pillar.get']('nodes', {}) %}
  6. {%- set node_config = nodes.get (grains['id'], {}) %}
  7. {%- set roles = node_config.get ('roles', []) %}
  8. {%- set fw_config = salt['pillar.get']('firewall', {}) %}
  9. {%- set admin_access = fw_config.get ('admin_access') %}
  10. {%- set ssh = fw_config.get ('ssh') %}
  11. {%- set monitoring_cfg = salt['pillar.get']('monitoring') %}
  12. {%- set monitoring_rules = salt['ffho_netfilter.generate_monitoring_rules'](nodes, grains['id'], monitoring_cfg) %}
  13. {%- set services = salt['ffho_netfilter.generate_service_rules'](fw_config, node_config) %}
  14. {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_config, node_config) %}
  15. {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](node_config) %}
  16. {%- set mgmt_config = salt['ffho_netfilter.generate_mgmt_config'](fw_config, node_config) %}
  17. {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config) %}
  18. {%- set ospf_ifaces = salt['ffho_netfilter.get_ospf_active_interface'](node_config) %}
  19. {%- set vxlan_ifaces = salt['ffho_netfilter.get_vxlan_interfaces'](node_config['ifaces']) %}
  20. {%- set bgp_peers = salt['ffho_netfilter.get_bgp_peers']() %}
  21. flush ruleset
  22. table ip filter {
  23. {%- if bgp_peers[4]|length > 0 %}
  24. set ibgp-peers {
  25. type ipv4_addr
  26. elements = {
  27. {%- for ip, name in bgp_peers[4].items () %}
  28. {{ ip }}, # {{ name }}
  29. {%- endfor %}
  30. }
  31. }
  32. {%- endif %}
  33. chain input {
  34. type filter hook input priority 0; policy drop;
  35. iifname "lo" counter accept
  36. udp dport 0 counter drop
  37. tcp dport 7 counter drop comment "Ignore echo protocol queries"
  38. {%- if vxlan_ifaces %}
  39. udp dport 4789 jump vxlan
  40. {%- endif %}
  41. {%- if urpf %}
  42. jump urpf
  43. {%- endif %}
  44. ip protocol icmp jump icmp_chain
  45. ct state invalid counter drop
  46. jump admin_access
  47. jump monitoring
  48. tcp dport 22 counter jump ssh
  49. {%- if ospf_ifaces %}
  50. {#- ifname sets are introduced in nftables 2.11 #}
  51. meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
  52. {%- endif %}
  53. {%- if bgp_peers[4]|length > 0 %}
  54. tcp dport 179 counter jump bgp
  55. {%- endif %}
  56. ct state related,established counter accept
  57. jump services
  58. meta pkttype broadcast counter drop comment "Drop broadcasts before logging"
  59. limit rate 1/second burst 3 packets counter log prefix "nf input: "
  60. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  61. counter drop
  62. }
  63. chain forward {
  64. type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
  65. {%- if urpf %}
  66. jump urpf
  67. {%- endif %}
  68. {%- if mgmt_config and mgmt_config['prefixes'][4] %}
  69. ip daddr { {{ mgmt_config['prefixes'][4]|join(', ') }} } oifname { {{ mgmt_config['ifaces']|join(', ') }} } jump mgmt
  70. {%- endif %}
  71. {%- for rule in forward['rules'].get ('4', []) %}
  72. {{ rule }}
  73. {%- endfor %}
  74. {%- if forward['policy'] == 'drop' %}
  75. limit rate 1/second burst 3 packets counter log prefix "nf forward: "
  76. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  77. {%- endif %}
  78. }
  79. chain icmp_chain {
  80. icmp type { echo-request, destination-unreachable, time-exceeded } counter accept
  81. }
  82. chain admin_access {
  83. {%- for pfx in admin_access[4].keys()|sort %}
  84. {%- set comment = admin_access[4][pfx] %}
  85. ip saddr {{ pfx }} counter accept comment "{{ comment }}"
  86. {%- endfor %}
  87. }
  88. {%- if 'router' in roles %}
  89. chain bgp {
  90. ip saddr @ibgp-peers counter accept comment "iBGP peers"
  91. # TODO: Add external BGP peers, if any
  92. }
  93. {%- endif %}
  94. {%- if mgmt_config %}
  95. chain mgmt {
  96. ct state related,established counter accept
  97. jump admin_access
  98. jump icmp_chain
  99. jump monitoring
  100. jump log-reject
  101. }
  102. {%- endif %}
  103. chain monitoring {
  104. {%- for rule in monitoring_rules[4] %}
  105. {{ rule }}
  106. {%- endfor %}
  107. }
  108. chain ssh {
  109. {%- for pfx in ssh[4].keys()|sort %}
  110. {%- set comment = ssh[4][pfx] %}
  111. ip saddr {{ pfx }} counter accept comment "{{ comment }}"
  112. {%- endfor %}
  113. }
  114. chain services {
  115. {%- for rule in services[4] %}
  116. {{ rule }}
  117. {%- endfor %}
  118. }
  119. {%- if urpf %}
  120. chain urpf {
  121. {%- for iface_cfg in urpf %}
  122. {%- for pfx in iface_cfg[4] %}
  123. iifname {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
  124. {%- endfor %}
  125. iifname {{ iface_cfg['iface'] }} counter drop
  126. {%- endfor %}
  127. }
  128. {%- endif %}
  129. {%- if vxlan_ifaces %}
  130. chain vxlan {
  131. {%- for iface in vxlan_ifaces %}
  132. iifname {{ iface }} accept
  133. {%- endfor %}
  134. counter drop
  135. }
  136. {%- endif %}
  137. chain log-drop {
  138. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  139. counter drop
  140. }
  141. chain log-reject {
  142. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  143. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  144. counter drop
  145. }
  146. }
  147. table ip6 filter {
  148. {%- if bgp_peers[6]|length > 0 %}
  149. set ibgp-peers {
  150. type ipv6_addr
  151. elements = {
  152. {%- for ip, name in bgp_peers[6].items () %}
  153. {{ ip }}, # {{ name }}
  154. {%- endfor %}
  155. }
  156. }
  157. {%- endif %}
  158. chain input {
  159. type filter hook input priority 0; policy drop;
  160. iifname "lo" counter accept
  161. tcp dport 7 counter drop comment "Ignore echo protocol queries"
  162. {%- if vxlan_ifaces %}
  163. udp dport 4789 jump vxlan
  164. {%- endif %}
  165. {%- if urpf %}
  166. jump urpf
  167. {%- endif %}
  168. meta l4proto icmpv6 jump icmp_chain
  169. ct state invalid counter drop
  170. jump admin_access
  171. jump monitoring
  172. tcp dport 22 counter jump ssh
  173. {%- if ospf_ifaces %}
  174. {#- ifname sets are introduced in nftables 2.11 #}
  175. meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
  176. {%- endif %}
  177. {%- if bgp_peers[6]|length > 0 %}
  178. tcp dport 179 counter jump bgp
  179. {%- endif %}
  180. ct state related,established counter accept
  181. counter jump services
  182. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  183. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  184. counter drop
  185. }
  186. chain forward {
  187. type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
  188. {%- if urpf %}
  189. jump urpf
  190. {%- endif %}
  191. {%- for rule in forward['rules'].get ('6', []) %}
  192. {{ rule }}
  193. {%- endfor %}
  194. {%- if forward['policy'] == 'drop' %}
  195. limit rate 1/second burst 3 packets counter log prefix "nf forward: "
  196. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  197. {%- endif %}
  198. }
  199. chain icmp_chain {
  200. icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } counter accept
  201. icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 counter accept
  202. icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } ip6 saddr fe80::/64 counter accept
  203. }
  204. chain admin_access {
  205. {%- for pfx in admin_access[6].keys()|sort %}
  206. {%- set comment = admin_access[6][pfx] %}
  207. ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
  208. {%- endfor %}
  209. }
  210. {%- if 'router' in roles %}
  211. chain bgp {
  212. ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
  213. # TODO: Add external BGP peers, if any
  214. }
  215. {%- endif %}
  216. chain monitoring {
  217. {%- for rule in monitoring_rules[6] %}
  218. {{ rule }}
  219. {%- endfor %}
  220. }
  221. chain ssh {
  222. {%- for pfx in ssh[6].keys()|sort %}
  223. {%- set comment = ssh[6][pfx] %}
  224. ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
  225. {%- endfor %}
  226. }
  227. chain services {
  228. {%- for rule in services[6] %}
  229. {{ rule }}
  230. {%- endfor %}
  231. }
  232. {%- if urpf %}
  233. chain urpf {
  234. ip6 saddr fe80::/64 return
  235. {%- for iface_cfg in urpf %}
  236. {%- for pfx in iface_cfg[6] %}
  237. iifname {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
  238. {%- endfor %}
  239. iifname {{ iface_cfg['iface'] }} counter drop
  240. {%- endfor %}
  241. }
  242. {%- endif %}
  243. {%- if vxlan_ifaces %}
  244. chain vxlan {
  245. {%- for iface in vxlan_ifaces %}
  246. iifname {{ iface }} accept
  247. {%- endfor %}
  248. counter drop
  249. }
  250. {%- endif %}
  251. chain log-drop {
  252. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  253. counter drop
  254. }
  255. chain log-reject {
  256. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  257. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  258. counter drop
  259. }
  260. }
  261. {#-
  262. # NAT
  263. #}
  264. {%- for af in [ 4, 6 ] %}
  265. {%- if nat_policy[af] %}
  266. {%- set af_name = "ip" if af == 4 else "ip6" %}
  267. table {{ af_name }} nat {
  268. {%- for chain in ['output', 'prerouting', 'postrouting'] if chain in nat_policy[af] %}
  269. chain {{ chain }} {
  270. type nat hook {{ chain }} priority 0; policy accept;
  271. {%- for rule in nat_policy[af][chain] %}
  272. {{ rule }}
  273. {%- endfor %}
  274. }
  275. {%- endfor %}
  276. }
  277. {%- endif %}
  278. {%- endfor %}