diff options
Diffstat (limited to 'playbooks.d/nftables/playbook.bash')
| -rw-r--r-- | playbooks.d/nftables/playbook.bash | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/playbooks.d/nftables/playbook.bash b/playbooks.d/nftables/playbook.bash new file mode 100644 index 0000000..c0b366c --- /dev/null +++ b/playbooks.d/nftables/playbook.bash @@ -0,0 +1,99 @@ +#!/usr/bin/env bash + +playbook_add() { + pkg install nftables + + playbook_sync + + svc enable nftables + svc start nftables +} + +playbook_sync() { + { + printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")" + printf "flush ruleset\n\n" + printf "table inet filter {\n" + printf "\tchain input {\n" + printf "\t\ttype filter hook input priority filter;\n" + + # Add conntrack state rules + info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state" + printf "\n" + printf "\t\tct state established %s;\n" \ + "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")" + printf "\t\tct state related %s;\n" \ + "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")" + printf "\t\tct state invalid %s;\n" \ + "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")" + + # Add interface rules + printf "\n" + while read -r interface + do + info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface" + printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")" + done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces") + + # Add ICMP rules + info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP" + printf "\n" + printf "\t\tmeta l4proto icmp" \ # IPv4 + if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]] + then + printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")" + fi + printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")" + printf ";\n" + printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6 + if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]] + then + printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")" + fi + printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")" + printf ";\n" + + # Add custom input rules + printf "\n" + while read -r rule + do + info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule" + printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")" + printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")" + printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")" + printf " comment \"%s\"" "$rule" + printf ";\n" + done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules") + + # Add fallback policy + printf "\n" + printf "\t\tlog prefix \"[nftables] \" counter drop;\n" + printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")" + + printf "\t}\n" + printf "\tchain forward {\n" + printf "\t\ttype filter hook forward priority filter;\n" + + # TODO: Add forward rules + + printf "\t}\n" + printf "\tchain output {\n" + printf "\t\ttype filter hook output priority filter;\n" + + # TODO: Add output rules + + printf "\t}\n" + printf "}\n" + } > "$(config "fs.etcdir")/nftables.conf" + + [[ "$BASHTARD_COMMAND" == "add" ]] && return + + svc restart nftables +} + +playbook_del() { + svc stop nftables + svc disable nftables + pkg uninstall nftables + rm -fr -- "$(config "fs.etcdir")/nftables" +} |