nftables.conf.tmpl 8.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305
  1. #!/usr/sbin/nft -f
  2. #
  3. # /etc/nftables.conf - FFHO packet filter configuration
  4. #
  5. {%- set nodes = salt['pillar.get']('nodes', {}) %}
  6. {%- set node_config = nodes.get (grains['id'], {}) %}
  7. {%- set roles = node_config.get ('roles', []) %}
  8. {%- set fw_config = salt['pillar.get']('firewall', {}) %}
  9. {%- set admin_access = fw_config.get ('admin_access') %}
  10. {%- set ssh = fw_config.get ('ssh') %}
  11. {%- set monitoring_cfg = salt['pillar.get']('monitoring') %}
  12. {%- set monitoring_rules = salt['ffho_netfilter.generate_monitoring_rules'](nodes, monitoring_cfg) %}
  13. {%- set services = salt['ffho_netfilter.generate_service_rules'](fw_config, node_config) %}
  14. {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_config, node_config) %}
  15. {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](node_config) %}
  16. {%- set mgmt_config = salt['ffho_netfilter.generate_mgmt_config'](fw_config, node_config) %}
  17. {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config) %}
  18. {%- set ospf_ifaces = salt['ffho_netfilter.get_ospf_active_interface'](node_config) %}
  19. {%- set vxlan_ifaces = salt['ffho_netfilter.get_vxlan_interfaces'](node_config['ifaces']) %}
  20. flush ruleset
  21. table ip filter {
  22. set ibgp-peers {
  23. type ipv4_addr
  24. elements = {
  25. 10.132.255.1, # cr01.in.ffho.net
  26. 10.132.255.2, # cr02.in.ffho.net
  27. 10.132.255.3, # cr03.in.ffho.net
  28. }
  29. }
  30. chain input {
  31. type filter hook input priority 0; policy drop;
  32. iifname "lo" counter accept
  33. udp dport 0 counter drop
  34. tcp dport 7 counter drop comment "Ignore echo protocol queries"
  35. {%- if vxlan_ifaces %}
  36. udp dport 4789 jump vxlan
  37. {%- endif %}
  38. {%- if urpf %}
  39. jump urpf
  40. {%- endif %}
  41. ip protocol icmp jump icmp_chain
  42. ct state invalid counter drop
  43. jump admin_access
  44. jump monitoring
  45. tcp dport 22 counter jump ssh
  46. {%- if ospf_ifaces %}
  47. {#- ifname sets are introduced in nftables 2.11 #}
  48. meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
  49. {%- endif %}
  50. {%- if 'router' in roles %}
  51. tcp dport 179 counter jump bgp
  52. {%- endif %}
  53. ct state related,established counter accept
  54. jump services
  55. meta pkttype broadcast counter drop comment "Drop broadcasts before logging"
  56. limit rate 1/second burst 3 packets counter log prefix "nf input: "
  57. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  58. counter drop
  59. }
  60. chain forward {
  61. type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
  62. {%- if urpf %}
  63. jump urpf
  64. {%- endif %}
  65. {%- if mgmt_config and mgmt_config['prefixes'][4] %}
  66. ip daddr { {{ mgmt_config['prefixes'][4]|join(', ') }} } oifname { {{ mgmt_config['ifaces']|join(', ') }} } jump mgmt
  67. {%- endif %}
  68. {%- for rule in forward['rules'].get ('4', []) %}
  69. {{ rule }}
  70. {%- endfor %}
  71. {%- if forward['policy'] == 'drop' %}
  72. limit rate 1/second burst 3 packets counter log prefix "nf forward: "
  73. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  74. {%- endif %}
  75. }
  76. chain icmp_chain {
  77. icmp type { echo-request, destination-unreachable, time-exceeded } counter accept
  78. }
  79. chain admin_access {
  80. {%- for pfx in admin_access[4].keys()|sort %}
  81. {%- set comment = admin_access[4][pfx] %}
  82. ip saddr {{ pfx }} counter accept comment "{{ comment }}"
  83. {%- endfor %}
  84. }
  85. {%- if 'router' in roles %}
  86. chain bgp {
  87. ip saddr @ibgp-peers counter accept comment "iBGP peers"
  88. # TODO: Add external BGP peers, if any
  89. }
  90. {%- endif %}
  91. {%- if mgmt_config %}
  92. chain mgmt {
  93. ct state related,established counter accept
  94. jump admin_access
  95. jump icmp_chain
  96. jump monitoring
  97. jump log-reject
  98. }
  99. {%- endif %}
  100. chain monitoring {
  101. {%- for rule in monitoring_rules[4] %}
  102. {{ rule }}
  103. {%- endfor %}
  104. }
  105. chain ssh {
  106. {%- for pfx in ssh[4].keys()|sort %}
  107. {%- set comment = ssh[4][pfx] %}
  108. ip saddr {{ pfx }} counter accept comment "{{ comment }}"
  109. {%- endfor %}
  110. }
  111. chain services {
  112. {%- for rule in services[4] %}
  113. {{ rule }}
  114. {%- endfor %}
  115. }
  116. {%- if urpf %}
  117. chain urpf {
  118. {%- for iface_cfg in urpf %}
  119. {%- for pfx in iface_cfg[4] %}
  120. iifname {{ iface_cfg['iface'] }} ip saddr {{ pfx }} return
  121. {%- endfor %}
  122. iifname {{ iface_cfg['iface'] }} counter drop
  123. {%- endfor %}
  124. }
  125. {%- endif %}
  126. {%- if vxlan_ifaces %}
  127. chain vxlan {
  128. {%- for iface in vxlan_ifaces %}
  129. iifname {{ iface }} accept
  130. {%- endfor %}
  131. counter drop
  132. }
  133. {%- endif %}
  134. chain log-drop {
  135. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  136. counter drop
  137. }
  138. chain log-reject {
  139. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  140. limit rate 1/second burst 3 packets counter reject with icmp type admin-prohibited
  141. counter drop
  142. }
  143. }
  144. table ip6 filter {
  145. set ibgp-peers {
  146. type ipv6_addr
  147. elements = {
  148. 2a03:2260:2342:ffff::1, # cr01.in.ffho.net
  149. 2a03:2260:2342:ffff::2, # cr02.in.ffho.net
  150. 2a03:2260:2342:ffff::3, # cr03.in.ffho.net
  151. }
  152. }
  153. chain input {
  154. type filter hook input priority 0; policy drop;
  155. iifname "lo" counter accept
  156. tcp dport 7 counter drop comment "Ignore echo protocol queries"
  157. {%- if vxlan_ifaces %}
  158. udp dport 4789 jump vxlan
  159. {%- endif %}
  160. {%- if urpf %}
  161. jump urpf
  162. {%- endif %}
  163. meta l4proto icmpv6 jump icmp_chain
  164. ct state invalid counter drop
  165. jump admin_access
  166. jump monitoring
  167. tcp dport 22 counter jump ssh
  168. {%- if ospf_ifaces %}
  169. {#- ifname sets are introduced in nftables 2.11 #}
  170. meta l4proto ospf iifname { {{ ospf_ifaces|join(', ') }} } counter accept
  171. {%- endif %}
  172. {%- if 'router' in roles %}
  173. tcp dport 179 counter jump bgp
  174. {%- endif %}
  175. ct state related,established counter accept
  176. counter jump services
  177. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  178. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  179. counter drop
  180. }
  181. chain forward {
  182. type filter hook forward priority 0; policy {{ forward['policy'] }}; # {{ forward['policy_reason'] }}
  183. {%- if urpf %}
  184. jump urpf
  185. {%- endif %}
  186. {%- for rule in forward['rules'].get ('6', []) %}
  187. {{ rule }}
  188. {%- endfor %}
  189. {%- if forward['policy'] == 'drop' %}
  190. limit rate 1/second burst 3 packets counter log prefix "nf forward: "
  191. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  192. {%- endif %}
  193. }
  194. chain icmp_chain {
  195. icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } counter accept
  196. icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert } ip6 hoplimit 255 counter accept
  197. icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction } ip6 saddr fe80::/64 counter accept
  198. }
  199. chain admin_access {
  200. {%- for pfx in admin_access[6].keys()|sort %}
  201. {%- set comment = admin_access[6][pfx] %}
  202. ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
  203. {%- endfor %}
  204. }
  205. {%- if 'router' in roles %}
  206. chain bgp {
  207. ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
  208. # TODO: Add external BGP peers, if any
  209. }
  210. {%- endif %}
  211. chain monitoring {
  212. {%- for rule in monitoring_rules[6] %}
  213. {{ rule }}
  214. {%- endfor %}
  215. }
  216. chain ssh {
  217. {%- for pfx in ssh[6].keys()|sort %}
  218. {%- set comment = ssh[6][pfx] %}
  219. ip6 saddr {{ pfx }} counter accept comment "{{ comment }}"
  220. {%- endfor %}
  221. }
  222. chain services {
  223. {%- for rule in services[6] %}
  224. {{ rule }}
  225. {%- endfor %}
  226. }
  227. {%- if urpf %}
  228. chain urpf {
  229. ip6 saddr fe80::/64 return
  230. {%- for iface_cfg in urpf %}
  231. {%- for pfx in iface_cfg[6] %}
  232. iifname {{ iface_cfg['iface'] }} ip6 saddr {{ pfx }} return
  233. {%- endfor %}
  234. iifname {{ iface_cfg['iface'] }} counter drop
  235. {%- endfor %}
  236. }
  237. {%- endif %}
  238. {%- if vxlan_ifaces %}
  239. chain vxlan {
  240. {%- for iface in vxlan_ifaces %}
  241. iifname {{ iface }} accept
  242. {%- endfor %}
  243. counter drop
  244. }
  245. {%- endif %}
  246. chain log-drop {
  247. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  248. counter drop
  249. }
  250. chain log-reject {
  251. limit rate 1/second burst 3 packets counter log prefix "netfilter: "
  252. limit rate 1/second burst 3 packets counter reject with icmpv6 type admin-prohibited
  253. counter drop
  254. }
  255. }
  256. {#-
  257. # NAT
  258. #}
  259. {%- for af in [ 4, 6 ] %}
  260. {%- if nat_policy[af] %}
  261. {%- set af_name = "ip" if af == 4 else "ip6" %}
  262. table {{ af_name }} nat {
  263. {%- for chain in ['output', 'prerouting', 'postrouting'] if chain in nat_policy[af] %}
  264. chain {{ chain }} {
  265. type nat hook {{ chain }} priority 0; policy accept;
  266. {%- for rule in nat_policy[af][chain] %}
  267. {{ rule }}
  268. {%- endfor %}
  269. }
  270. {%- endfor %}
  271. }
  272. {%- endif %}
  273. {%- endfor %}