From 79e80221cd74b4055141699b59fcb51ecbce5601 Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Wed, 28 Feb 2024 11:35:01 +0100
Subject: Rename fw-nftables to nftables
---
playbooks.d/fw-nftables/description.txt | 1 -
playbooks.d/fw-nftables/etc/defaults | 2 -
playbooks.d/fw-nftables/playbook.bash | 99 ---------------------------------
playbooks.d/nftables/description.txt | 1 +
playbooks.d/nftables/etc/defaults | 2 +
playbooks.d/nftables/playbook.bash | 99 +++++++++++++++++++++++++++++++++
6 files changed, 102 insertions(+), 102 deletions(-)
delete mode 100644 playbooks.d/fw-nftables/description.txt
delete mode 100644 playbooks.d/fw-nftables/etc/defaults
delete mode 100644 playbooks.d/fw-nftables/playbook.bash
create mode 100644 playbooks.d/nftables/description.txt
create mode 100644 playbooks.d/nftables/etc/defaults
create mode 100644 playbooks.d/nftables/playbook.bash
(limited to 'playbooks.d')
diff --git a/playbooks.d/fw-nftables/description.txt b/playbooks.d/fw-nftables/description.txt
deleted file mode 100644
index 38683d6..0000000
--- a/playbooks.d/fw-nftables/description.txt
+++ /dev/null
@@ -1 +0,0 @@
-Firewall through nftables
diff --git a/playbooks.d/fw-nftables/etc/defaults b/playbooks.d/fw-nftables/etc/defaults
deleted file mode 100644
index 10cc38b..0000000
--- a/playbooks.d/fw-nftables/etc/defaults
+++ /dev/null
@@ -1,2 +0,0 @@
-pkg.nftables=nftables
-svc.nftables=nftables
diff --git a/playbooks.d/fw-nftables/playbook.bash b/playbooks.d/fw-nftables/playbook.bash
deleted file mode 100644
index c0b366c..0000000
--- a/playbooks.d/fw-nftables/playbook.bash
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/usr/bin/env bash
-
-playbook_add() {
- pkg install nftables
-
- playbook_sync
-
- svc enable nftables
- svc start nftables
-}
-
-playbook_sync() {
- {
- printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
- printf "flush ruleset\n\n"
- printf "table inet filter {\n"
- printf "\tchain input {\n"
- printf "\t\ttype filter hook input priority filter;\n"
-
- # Add conntrack state rules
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
- printf "\n"
- printf "\t\tct state established %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
- printf "\t\tct state related %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
- printf "\t\tct state invalid %s;\n" \
- "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
-
- # Add interface rules
- printf "\n"
- while read -r interface
- do
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
- printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
- done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
-
- # Add ICMP rules
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
- printf "\n"
- printf "\t\tmeta l4proto icmp" \ # IPv4
- if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]]
- then
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
- fi
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
- printf ";\n"
- printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6
- if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]]
- then
- printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")"
- fi
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
- printf ";\n"
-
- # Add custom input rules
- printf "\n"
- while read -r rule
- do
- info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
- printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
- printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
- printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
- printf " comment \"%s\"" "$rule"
- printf ";\n"
- done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
-
- # Add fallback policy
- printf "\n"
- printf "\t\tlog prefix \"[nftables] \" counter drop;\n"
- printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
-
- printf "\t}\n"
- printf "\tchain forward {\n"
- printf "\t\ttype filter hook forward priority filter;\n"
-
- # TODO: Add forward rules
-
- printf "\t}\n"
- printf "\tchain output {\n"
- printf "\t\ttype filter hook output priority filter;\n"
-
- # TODO: Add output rules
-
- printf "\t}\n"
- printf "}\n"
- } > "$(config "fs.etcdir")/nftables.conf"
-
- [[ "$BASHTARD_COMMAND" == "add" ]] && return
-
- svc restart nftables
-}
-
-playbook_del() {
- svc stop nftables
- svc disable nftables
- pkg uninstall nftables
- rm -fr -- "$(config "fs.etcdir")/nftables"
-}
diff --git a/playbooks.d/nftables/description.txt b/playbooks.d/nftables/description.txt
new file mode 100644
index 0000000..38683d6
--- /dev/null
+++ b/playbooks.d/nftables/description.txt
@@ -0,0 +1 @@
+Firewall through nftables
diff --git a/playbooks.d/nftables/etc/defaults b/playbooks.d/nftables/etc/defaults
new file mode 100644
index 0000000..10cc38b
--- /dev/null
+++ b/playbooks.d/nftables/etc/defaults
@@ -0,0 +1,2 @@
+pkg.nftables=nftables
+svc.nftables=nftables
diff --git a/playbooks.d/nftables/playbook.bash b/playbooks.d/nftables/playbook.bash
new file mode 100644
index 0000000..c0b366c
--- /dev/null
+++ b/playbooks.d/nftables/playbook.bash
@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+
+playbook_add() {
+ pkg install nftables
+
+ playbook_sync
+
+ svc enable nftables
+ svc start nftables
+}
+
+playbook_sync() {
+ {
+ printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
+ printf "flush ruleset\n\n"
+ printf "table inet filter {\n"
+ printf "\tchain input {\n"
+ printf "\t\ttype filter hook input priority filter;\n"
+
+ # Add conntrack state rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for conntrack state"
+ printf "\n"
+ printf "\t\tct state established %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
+ printf "\t\tct state related %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
+ printf "\t\tct state invalid %s;\n" \
+ "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"
+
+ # Add interface rules
+ printf "\n"
+ while read -r interface
+ do
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for interface $interface"
+ printf "\t\tiifname %s %s;\n" "$interface" "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
+ done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")
+
+ # Add ICMP rules
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for ICMP"
+ printf "\n"
+ printf "\t\tmeta l4proto icmp" \ # IPv4
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "2/second")"
+ fi
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
+ printf ";\n"
+ printf "\t\tmeta l4proto ipv6-icmp" \ # IPv6
+ if [[ "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")" != "" ]]
+ then
+ printf " limit rate %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate")"
+ fi
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
+ printf ";\n"
+
+ # Add custom input rules
+ printf "\n"
+ while read -r rule
+ do
+ info "$BASHTARD_PLAYBOOK/sync" "Adding input filter for custom rule $rule"
+ printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
+ printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
+ printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
+ printf " comment \"%s\"" "$rule"
+ printf ";\n"
+ done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")
+
+ # Add fallback policy
+ printf "\n"
+ printf "\t\tlog prefix \"[nftables] \" counter drop;\n"
+ printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
+
+ printf "\t}\n"
+ printf "\tchain forward {\n"
+ printf "\t\ttype filter hook forward priority filter;\n"
+
+ # TODO: Add forward rules
+
+ printf "\t}\n"
+ printf "\tchain output {\n"
+ printf "\t\ttype filter hook output priority filter;\n"
+
+ # TODO: Add output rules
+
+ printf "\t}\n"
+ printf "}\n"
+ } > "$(config "fs.etcdir")/nftables.conf"
+
+ [[ "$BASHTARD_COMMAND" == "add" ]] && return
+
+ svc restart nftables
+}
+
+playbook_del() {
+ svc stop nftables
+ svc disable nftables
+ pkg uninstall nftables
+ rm -fr -- "$(config "fs.etcdir")/nftables"
+}
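Review bot: The line `printf "\t\tmeta l4proto icmp" \ # IPv4` (and the `ipv6-icmp` line seven lines below it) does not do what it reads as: the backslash escapes the following space into a literal `" "` argument and `# IPv4` becomes a comment, so the output is only right because printf discards an extra argument when the format has no conversion; the intended form is `printf "\t\tmeta l4proto icmp" # IPv4`, which ShellCheck will also stop flagging. The `"2/second"` default on the ipv4 rate line is unreachable because the guard directly above it already requires the rate to be non-empty, while the ipv6 branch passes no default at all, so the two branches should be made consistent. The interface loop calls `config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy"` with no default, so a key with an empty policy emits `iifname X ;` and the whole ruleset fails to load at service restart. playbook_sync writes the ruleset to `.../nftables.conf` but playbook_del removes `.../nftables`, so the generated firewall file is left on disk after the playbook is removed; `rm -f -- "$(config "fs.etcdir")/nftables.conf"` is what the del step appears to need.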
--