From c3f1866b75bc782a1f55a427379274871217157c Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Tue, 27 Feb 2024 09:43:04 +0100
Subject: Add interface-wide policies for fw-nftables

---
 defaults | 1 +
 playbooks.d/fw-nftables/playbook.bash | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/defaults b/defaults
index 15203d5..857d2f2 100644
--- a/defaults
+++ b/defaults
@@ -13,6 +13,7 @@ fw-nftables.input.icmp.ipv4.policy=accept
 fw-nftables.input.icmp.ipv4.rate=2/second
 fw-nftables.input.icmp.ipv6.policy=accept
 fw-nftables.input.icmp.ipv6.rate=2/second
+fw-nftables.input.interfaces.lo.policy=accept
 fw-nftables.input.policy=drop
 fw-nftables.input.rules.ssh.policy=accept
 fw-nftables.input.rules.ssh.port=22
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
index 748c177..927e414 100644
--- a/playbooks.d/fw-nftables/playbook.bash
+++ b/playbooks.d/fw-nftables/playbook.bash
@@ -27,6 +27,14 @@ playbook_sync() {
 printf "\t\tct state invalid %s;\n" \
 "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
 
+# Add interface rules
+printf "\n"
+while read -r interface
+do
+info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
+printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
+done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
+
 # Add ICMP rules
 info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
 printf "\n"
-- 
cgit v1.1
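Review bot: The `config` lookup for `$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy` in the new `iifname` printf is called without a fallback, unlike the `ct state invalid` line just above it, which passes `"drop"`. If `config` prints an empty string for an unset or mistyped key (the explicit fallback on the neighbouring line suggests it may), the generated rule becomes `iifname <name> ;` — a match with no verdict that nft can load without complaint, so the operator's intended per-interface policy is silently not enforced. Capture the value first, `policy=$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")`, and refuse to emit the rule unless `"$policy"` is one of `accept`, `drop` or `reject`, failing the sync through whatever the playbook uses for fatal diagnostics rather than writing an incomplete ruleset. Emitting the name quoted, `printf "\t\tiifname \"%s\" %s;\n"`, would additionally keep interface names with unusual characters from being parsed as nft syntax. The enclosing `playbook_sync` function begins before this hunk and continues after it.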