Ship a more advanced default config. Fixes rhbz#1999596
This commit is contained in:
parent
9b907271ec
commit
de6fc1c6f7
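--- /dev/null
+++ b/main.nft
@@ -0,0 +1,64 @@
+# Sample configuration for nftables service.
+# Load this by calling 'nft -f /etc/nftables/main.nft'.
+
+# Note about base chain priorities:
+# The priority values used in these sample configs are
+# offset by 20 in order to avoid ambiguity when firewalld
+# is also running which uses an offset of 10. This means
+# that packets will traverse firewalld first and if not
+# dropped/rejected there will hit the chains defined here.
+# Chains created by iptables, ebtables and arptables tools
+# do not use an offset, so those chains are traversed first
+# in any case.
+
+# drop any existing nftables ruleset
+flush ruleset
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+# protocols to allow
+set allowed_protocols {
+type inet_proto
+elements = { icmp, icmpv6 }
+}
+
+# interfaces to accept any traffic on
+set allowed_interfaces {
+type ifname
+elements = { "lo" }
+}
+
+# services to allow
+set allowed_tcp_dports {
+type inet_service
+elements = { ssh, 9090 }
+}
+
+# this chain gathers all accept conditions
+chain allow {
+ct state established,related accept
+
+meta l4proto @allowed_protocols accept
+iifname @allowed_interfaces accept
+tcp dport @allowed_tcp_dports accept
+}
+
+# base-chain for traffic to this host
+chain INPUT {
+type filter hook input priority filter + 20
+policy accept
+
+jump allow
+reject with icmpx type port-unreachable
+}
+}
+
+# By default, any forwarding traffic is allowed.
+# Uncomment the following line to filter it based
+# on the same criteria as input traffic.
+#include "/etc/nftables/router.nft"
+
+# Uncomment the following line to enable masquerading of
+# forwarded traffic. May be used with or without router.nft.
+#include "/etc/nftables/nat.nft"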
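Review bot: `flush ruleset` at the top of main.nft deletes every table of every family in the kernel, including firewalld's, so the header comment's promise that packets traverse firewalld first only holds until this file is loaded or re-loaded; firewalld would have to reload afterwards to get its rules back. If co-existence is really intended, scope the reset to this service's own tables with the add-then-delete idiom, e.g. `table inet nftables_svc` followed by `delete table inet nftables_svc` (and likewise for `ip nftables_svc` from nat.nft), and have the comment say that the full `flush ruleset` is the choice when nftables is the only firewall manager on the host. Separately, `# services to allow` should name what port 9090 is so an administrator knows what the default exposes; presumably this is the Cockpit web console, so something like `# services to allow (ssh, and 9090 for the Cockpit web console)` — confirm the intent before wording it.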
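--- /dev/null
+++ b/nat.nft
@@ -0,0 +1,30 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# dedicated table for IPv4
+table ip nftables_svc {
+
+# interfaces to masquerade traffic from
+set masq_interfaces {
+type ifname
+elements = { "virbr0" }
+}
+
+# networks to masquerade traffic from
+# 'interval' flag is required to support subnets
+set masq_ips {
+type ipv4_addr
+flags interval
+elements = { 192.168.122.0/24 }
+}
+
+# base-chain to manipulate conntrack in postrouting,
+# will see packets for new or related traffic only
+chain POSTROUTING {
+type nat hook postrouting priority srcnat + 20
+policy accept
+
+iifname @masq_interfaces oifname != @masq_interfaces masquerade
+ip saddr @masq_ips masquerade
+}
+}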
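Review bot: The second masquerade rule, `ip saddr @masq_ips masquerade`, carries no output-interface restriction, unlike the interface rule directly above it which excludes `@masq_interfaces` as egress; a packet from 192.168.122.0/24 that is routed back out through virbr0 (another subnet on the same bridge, or a hairpin) is therefore source-NATed to the host's own address. Mirroring the first rule keeps the two consistent: `ip saddr @masq_ips oifname != @masq_interfaces masquerade`. The chain comment should also state that these rules masquerade toward every interface not listed in the set, including any second internal one, so an administrator of a multi-homed host knows to narrow it.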
@ -1,17 +1,8 @@
|
||||
#
|
||||
# This file will contain your nftables rules and
|
||||
# is read by the systemd service when restarting
|
||||
#
|
||||
# These provide an iptables like set of filters
|
||||
# (uncomment to include)
|
||||
# include "/etc/nftables/arp-filter.nft"
|
||||
# include "/etc/nftables/bridge-filter.nft"
|
||||
# include "/etc/nftables/inet-filter.nft"
|
||||
# include "/etc/nftables/ipv4-filter.nft"
|
||||
# include "/etc/nftables/ipv4-mangle.nft"
|
||||
# include "/etc/nftables/ipv4-nat.nft"
|
||||
# include "/etc/nftables/ipv4-raw.nft"
|
||||
# include "/etc/nftables/ipv6-filter.nft"
|
||||
# include "/etc/nftables/ipv6-mangle.nft"
|
||||
# include "/etc/nftables/ipv6-nat.nft"
|
||||
# include "/etc/nftables/ipv6-raw.nft"
|
||||
# Uncomment the include statement here to load the default config sample
|
||||
# in /etc/nftables for nftables service.
|
||||
|
||||
#include "/etc/nftables/main.nft"
|
||||
|
||||
# To customize, either edit the samples in /etc/nftables, append further
|
||||
# commands to the end of this file or overwrite it after first service
|
||||
# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
|
||||
|
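Review bot: The closing instruction to overwrite this file with `nft list ruleset >/etc/sysconfig/nftables.conf` loses the leading `flush ruleset` that main.nft supplies, because `nft list ruleset` never emits one; a later service restart then loads the dump on top of the live ruleset and duplicates every rule, unless the service unit flushes before loading (not visible here). Suggest extending the comment with `# (prepend 'flush ruleset' to the dump so a restart replaces rather than appends)`.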
@ -1,6 +1,6 @@
|
||||
Name: nftables
|
||||
Version: 1.0.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
|
||||
Epoch: 1
|
||||
Summary: Netfilter Tables userspace utilites
|
||||
@ -10,6 +10,9 @@ URL: https://netfilter.org/projects/nftables/
|
||||
Source0: %{url}/files/%{name}-%{version}.tar.bz2
|
||||
Source1: nftables.service
|
||||
Source2: nftables.conf
|
||||
Source3: main.nft
|
||||
Source4: router.nft
|
||||
Source5: nat.nft
|
||||
|
||||
# already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
|
||||
Patch1: nftables-1.0.1-drop-historyh.patch
|
||||
@ -71,6 +74,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
|
||||
# Don't ship static lib (for now at least)
|
||||
rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
|
||||
|
||||
# drop vendor-provided configs, they are not really useful
|
||||
rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
|
||||
|
||||
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
|
||||
@ -78,13 +84,13 @@ cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
|
||||
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
|
||||
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
|
||||
|
||||
mkdir -m 700 -p $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
|
||||
mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft \
|
||||
cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
|
||||
$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
|
||||
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
|
||||
chmod 700 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables
|
||||
|
||||
find $RPM_BUILD_ROOT/%{_sysconfdir} \
|
||||
\( -type d -exec chmod 0700 {} \; \) , \
|
||||
\( -type f -exec chmod 0600 {} \; \)
|
||||
|
||||
# make nftables.py use the real library file name
|
||||
# to avoid nftables-devel package dependency
|
||||
@ -125,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
|
||||
%{python3_sitelib}/nftables/
|
||||
|
||||
%changelog
|
||||
* Thu Feb 03 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.1-3
|
||||
- Ship a more advanced default config. Fixes rhbz#1999596
|
||||
|
||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
||||
|
||||
|
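Review bot: Upgrading from the -2 build removes the vendor samples that the dropped `mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft` line used to install under %{_sysconfdir}/nftables and that `rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft` now discards; an existing, locally edited nftables.conf that has one of the old `include "/etc/nftables/ipv4-filter.nft"`-style lines uncommented will fail to parse after the update, so the service starts without a ruleset. Either keep shipping those files for one more release or at least call this out in the %changelog entry so administrators check their includes. The `%files` entries for the three new samples are outside the visible hunks; since the new nftables.conf text invites editing /etc/nftables/*.nft in place, confirm they are `%config(noreplace)` so a package update does not silently replace a customised firewall policy with the sample.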
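--- /dev/null
+++ b/router.nft
@@ -0,0 +1,16 @@
+# Sample configuration snippet for nftables service.
+# Meant to be included by main.nft, not for direct use.
+
+# a common table for both IPv4 and IPv6
+table inet nftables_svc {
+
+# base-chain for traffic forwarded by this host
+# re-uses 'allow' chain from main.nft
+chain FORWARD {
+type filter hook forward priority filter + 20
+policy accept
+
+jump allow
+reject with icmpx type host-unreachable
+}
+}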
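Review bot: `jump allow` applies main.nft's host-input criteria to forwarded traffic, so with the shipped sets every new forwarded TCP connection to port 22 or 9090 on any destination behind this router is accepted, not only connections addressed to this host; the comment `# re-uses 'allow' chain from main.nft` should spell that out, e.g. `# re-uses 'allow' chain from main.nft: forwarded connections to @allowed_tcp_dports on any destination are permitted`. Because `allow` is defined in main.nft, this file can only be loaded after main.nft has declared `inet nftables_svc` and that chain; the include order in main.nft guarantees it, but a one-line note here would help anyone including the snippet from elsewhere.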