Add interface-wide policies for fw-nftables

author: Patrick Spek <p.spek@tyil.nl> 2024-02-27 09:43:04 +0100
committer: Patrick Spek <p.spek@tyil.nl> 2024-02-27 09:43:04 +0100
commit: c3f1866b75bc782a1f55a427379274871217157c (patch)
tree: f84ec6977be17cde910fc28fe3753dde333d6bb5
parent: c3e43dbe56633296694528a59c2c03abe58970b7 (diff)
2 files changed, 9 insertions, 0 deletions
diff --git a/defaults b/defaults
index 15203d5..857d2f2 100644
--- a/defaults
+++ b/defaults
@@ -13,6 +13,7 @@ fw-nftables.input.icmp.ipv4.policy=accept
 fw-nftables.input.icmp.ipv4.rate=2/second
 fw-nftables.input.icmp.ipv6.policy=accept
 fw-nftables.input.icmp.ipv6.rate=2/second
+fw-nftables.input.interfaces.lo.policy=accept
 fw-nftables.input.policy=drop
 fw-nftables.input.rules.ssh.policy=accept
 fw-nftables.input.rules.ssh.port=22
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
index 748c177..927e414 100644
--- a/playbooks.d/fw-nftables/playbook.bash
+++ b/playbooks.d/fw-nftables/playbook.bash
@@ -27,6 +27,14 @@ playbook_sync() {
 		printf "\t\tct state invalid %s;\n" \
 			"$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
 
+		# Add interface rules
+		printf "\n"
+		while read -r interface
+		do
+			info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
+			printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
+		done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
+
 		# Add ICMP rules
 		info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
 		printf "\n"
author	Patrick Spek <p.spek@tyil.nl>	2024-02-27 09:43:04 +0100
committer	Patrick Spek <p.spek@tyil.nl>	2024-02-27 09:43:04 +0100
commit	c3f1866b75bc782a1f55a427379274871217157c (patch)
tree	f84ec6977be17cde910fc28fe3753dde333d6bb5
parent	c3e43dbe56633296694528a59c2c03abe58970b7 (diff)