#!/usr/bin/env bash
playbook_add() {
  # Install the nftables package, render the ruleset, then enable and
  # start the service. playbook_sync runs before the service is started
  # and skips its own restart when BASHTARD_COMMAND is "add", so the
  # freshly started service picks up the generated ruleset on start.
  local -r service="nftables"
  local action

  pkg install "$service"
  playbook_sync
  for action in enable start; do
    svc "$action" "$service"
  done
}
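playbook_sync() {
  # Render an "inet filter" ruleset from the playbook configuration into
  # "$(config fs.etcdir)/nftables.conf", then restart nftables unless we
  # were called from playbook_add (which starts the service itself).
  # Only the input chain is populated; forward and output are still TODO.
  #
  # NOTE(review): every config value is spliced verbatim into the ruleset.
  # A value (or rule/interface key) containing '"', ';' or a newline yields
  # an invalid or different ruleset; nft will refuse to load an invalid
  # one. Confirm whether config values are validated upstream.
  local conf sync_ctx rate interface rule
  conf="$(config "fs.etcdir")/nftables.conf"
  sync_ctx="$BASHTARD_PLAYBOOK/sync"

  {
    printf "#!%s -f\n\n" "$(config "$BASHTARD_PLAYBOOK.binpath" "/usr/sbin/nft")"
    printf "flush ruleset\n\n"
    printf "table inet filter {\n"
    printf "\tchain input {\n"
    printf "\t\ttype filter hook input priority filter;\n"

    # Conntrack state rules.
    # NOTE(review): info is assumed to log to stderr; anything it prints
    # on stdout would land inside the ruleset file (the group's stdout).
    info "$sync_ctx" "Adding input filter for conntrack state"
    printf "\n"
    printf "\t\tct state established %s;\n" \
      "$(config "$BASHTARD_PLAYBOOK.input.state.established.policy" "accept")"
    printf "\t\tct state related %s;\n" \
      "$(config "$BASHTARD_PLAYBOOK.input.state.related.policy" "accept")"
    printf "\t\tct state invalid %s;\n" \
      "$(config "$BASHTARD_PLAYBOOK.input.state.invalid.policy" "drop")"

    # Per-interface rules, one per subkey of input.interfaces.
    # "|| [[ -n ... ]]" keeps a last key that lacks a trailing newline.
    printf "\n"
    while read -r interface || [[ -n "$interface" ]]; do
      info "$sync_ctx" "Adding input filter for interface $interface"
      printf "\t\tiifname %s %s;\n" "$interface" \
        "$(config "$BASHTARD_PLAYBOOK.input.interfaces.$interface.policy")"
    done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.interfaces")

    # ICMP rules. A "limit rate" clause is emitted only when a rate is
    # configured; the rate is read once so the check and the emitted value
    # cannot disagree.
    info "$sync_ctx" "Adding input filter for ICMP"
    printf "\n"
    # IPv4
    printf "\t\tmeta l4proto icmp"
    rate="$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.rate" "")"
    if [[ -n "$rate" ]]; then
      printf " limit rate %s" "$rate"
    fi
    printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv4.policy" "accept")"
    printf ";\n"
    # IPv6
    printf "\t\tmeta l4proto ipv6-icmp"
    rate="$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.rate" "")"
    if [[ -n "$rate" ]]; then
      printf " limit rate %s" "$rate"
    fi
    printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.icmp.ipv6.policy" "accept")"
    printf ";\n"

    # Custom input rules, one per subkey of input.rules; the key doubles
    # as the nft comment on the rule.
    printf "\n"
    while read -r rule || [[ -n "$rule" ]]; do
      info "$sync_ctx" "Adding input filter for custom rule $rule"
      printf "\t\tmeta l4proto { %s } th" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.proto")"
      printf " dport %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.port")"
      printf " %s" "$(config "$BASHTARD_PLAYBOOK.input.rules.$rule.policy" "accept")"
      printf " comment \"%s\"" "$rule"
      printf ";\n"
    done < <(config_subkeys "$BASHTARD_PLAYBOOK.input.rules")

    # Fallback: log and drop everything no earlier rule accepted.
    # NOTE(review): this rule drops unconditionally, so the chain policy
    # below is only consulted for packets that reach the end of the chain
    # without a verdict, i.e. never; "input.policy" is effectively inert
    # as long as this log-and-drop rule precedes it.
    printf "\n"
    printf "\t\tlog prefix \"[nftables] \" counter drop;\n"
    printf "\t\tpolicy %s;\n" "$(config "$BASHTARD_PLAYBOOK.input.policy" "drop")"
    printf "\t}\n"

    printf "\tchain forward {\n"
    printf "\t\ttype filter hook forward priority filter;\n"
    # TODO: Add forward rules
    printf "\t}\n"

    printf "\tchain output {\n"
    printf "\t\ttype filter hook output priority filter;\n"
    # TODO: Add output rules
    printf "\t}\n"
    printf "}\n"
  } > "$conf"

  # playbook_add enables and starts the service right after syncing.
  [[ "$BASHTARD_COMMAND" == "add" ]] && return
  svc restart nftables
}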
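playbook_del() {
  # Stop and disable nftables, remove the package, and delete the ruleset
  # that playbook_sync generated.
  local etcdir
  etcdir="$(config "fs.etcdir")"

  svc stop nftables
  svc disable nftables
  pkg uninstall nftables
  # playbook_sync writes "$etcdir/nftables.conf"; the previous removal
  # targeted "$etcdir/nftables" only and left the generated ruleset in
  # place. The directory removal is kept for compatibility. "${etcdir:?}"
  # aborts rather than deleting under "/" if the config lookup is empty.
  rm -f -- "${etcdir:?}/nftables.conf"
  rm -fr -- "${etcdir:?}/nftables"
}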