ansible/roles/wireguard-endpoint/templates/nftables.conf.j2


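#!/usr/sbin/nft -f
# {{ ansible_managed }}

# Replaces the ENTIRE ruleset atomically on every apply. That includes any
# table something other than this role may have created on the host (a
# container runtime, fail2ban, another nftables role): whatever is not
# rendered by this template is gone after `nft -f`. Keep that in mind before
# adding this role to a host that already carries firewall state.
flush ruleset

# Optional source NAT for traffic forwarded out of the WireGuard interfaces.
# Left disabled: the filter table below forwards peer traffic unmasqueraded,
# which only works if the upstream network routes the peer address range back
# to this host. Uncomment this table to masquerade instead. Note the table is
# family `ip`, so it would only NAT IPv4.
#
# The Jinja loop is deliberately left live (tags at column 0, no `#` in front
# of them) so the rendered file carries a ready-to-uncomment masquerade line
# per endpoint without stray `##` prefixes.
#
#table ip nat {
#    chain prerouting {
#        type nat hook prerouting priority -100
#        policy accept
#    }
#
#    chain postrouting {
#        # previously `hook prerouting` — a copy/paste slip; masquerade is
#        # only valid from the postrouting hook, so the table would not have
#        # loaded once uncommented.
#        type nat hook postrouting priority 100
#        policy accept
#
{% for endpoint in wireguard_endpoints %}
#        oifname "{{ endpoint.name }}" masquerade
{% endfor %}
#    }
#}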
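table inet filter {
    # Addresses dropped on sight, checked before conntrack (see the jump order
    # in input/forward). `flags interval` lets operators add prefixes
    # (e.g. 10.0.0.0/8) as well as single addresses; single addresses still
    # work, so existing `nft add element` usage is unaffected.
    set blacklist_v4 {
        type ipv4_addr
        flags interval
    }
    set blacklist_v6 {
        type ipv6_addr
        flags interval
    }

    # Drop anything sourced from a blocklisted address. It is jumped to
    # before the conntrack chain on purpose: adding an address to a set then
    # also cuts off flows that address has already established, instead of
    # letting `related,established` wave them through.
    chain blacklist {
        ip saddr @blacklist_v4 drop
        ip6 saddr @blacklist_v6 drop
    }

    # Stateful shortcut shared by input and forward: discard packets
    # conntrack cannot classify, let replies to known flows through. New
    # flows fall through to the calling chain's rules and, if nothing there
    # matches, to its drop policy.
    chain conntrack {
        ct state invalid drop
        ct state related, established accept
    }

    chain input {
        type filter hook input priority 0
        policy drop

        iif lo accept
        jump blacklist
        jump conntrack

        # TODO: ansible + separate nftables module

        # Control-plane ICMP for both families. The previous revision only
        # admitted ICMPv4; with a drop policy that silently broke IPv6 on the
        # host, because neighbour discovery (NS/NA/RS/RA) and packet-too-big
        # are ICMPv6 and are not "established" traffic, so the conntrack
        # chain above does not cover them. Both families are admitted
        # wholesale here, consistent with the original v4 rule; narrow to
        # explicit `icmp type` / `icmpv6 type` sets if the host should not,
        # for example, answer echo-request.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Operator-supplied input rules. Each entry renders as ONE nft rule:
        #   <proto> [saddr A] [sport P] [daddr B] [dport Q] <verdict>
        # The rule is assembled on a single template line on purpose: the
        # previous `\` continuation form left a backslash followed by a
        # space in the output whenever an optional field was present, and
        # nft only treats backslash-newline as a continuation.
        # NOTE(review): the fields are emitted verbatim after `proto`, so an
        # entry is only valid nft if its fields suit that protocol (`ip`/`ip6`
        # with saddr/daddr; `tcp`/`udp`/`sctp` with sport/dport). An address
        # match combined with a port match needs two qualifiers
        # (`ip saddr A tcp dport Q`) and cannot be expressed with this schema
        # — confirm against the role's defaults before relying on it.
        # NOTE(review): the WireGuard listen port itself is not opened here;
        # presumably it is one of these entries — verify.
{% for rule in nftables_basic_input_rules %}
        {{ rule.proto }}{% if "saddr" in rule %} saddr {{ rule.saddr }}{% endif %}{% if "sport" in rule %} sport {{ rule.sport }}{% endif %}{% if "daddr" in rule %} daddr {{ rule.daddr }}{% endif %}{% if "dport" in rule %} dport {{ rule.dport }}{% endif %} {{ rule.verdict }}
{% endfor %}
    }

    chain forward {
        type filter hook forward priority 0
        policy drop

        # No loopback rule here: packets from lo are delivered locally and
        # never reach the forward hook, so the previous `iif lo accept` was
        # dead.
        jump blacklist
        jump conntrack

        # Anything arriving from a WireGuard peer may be forwarded anywhere
        # this host routes to: other peers, a LAN behind it, the upstream.
        # Replies return through the conntrack chain. No `oifname` match is
        # applied, so peers reach whatever the routing table offers; add one
        # if that is wider than intended. `iifname` (by name) rather than
        # `iif` (by index) is deliberate — the wg interface may not exist
        # when this ruleset is loaded, and `iif` would fail to resolve.
        # NOTE(review): with the nat table in this file commented out there
        # is no masquerade, so forwarded traffic only gets replies if the
        # upstream routes the peer range back here — presumably handled
        # elsewhere; verify.
{% for endpoint in wireguard_endpoints %}
        iifname "{{ endpoint.name }}" accept
{% endfor %}
    }

    chain output {
        type filter hook output priority 0
        # Locally generated traffic is unrestricted; tighten if this host
        # should only speak to known destinations.
        policy accept
    }
}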