nftables formula #61
nftables formula #61
Conversation
tacerus
force-pushed
the
new/nftables
branch
4 times, most recently
from
daaabc5
to
2959736
Compare
First concept idea. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
tacerus
force-pushed
the
new/nftables
branch
from
2959736
to
80e10ac
Compare
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
- use Jinja instead of Mako template (additional Python logic is no longer needed) - split into active and passive configurations for includes which shouldn't happen on the top-level - add file header - support sets Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
- Allows the same loops to be used both in the top-level as well as in lower contexts. - Expand includes to their file path if they match a passive configuration. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
No longer used in favor of the Jinja one. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
| - ct state established, related accept | ||
| sets: | ||
| mode: passive | ||
| sets: |
There was a problem hiding this comment.
there needs to be a layer for inet/ip/ip6 here.
There was a problem hiding this comment.
Can you elaborate, do you mean some abstraction which will generate sets for the different families? Currently I just build sets the same way as natively in nftables (see the macros file https://github.com/openSUSE/salt-formulas/pull/61/files/730c44859d4d76bb02a4c3b17dc371161695382f), which intends specifying the family as part of the set type.
There was a problem hiding this comment.
how do you decide if a set should go into
table ip6 nat {
}
table ip nat {
}
which is might be needed if you want to use sets in nat rules . those can not live in table inet ...
There was a problem hiding this comment.
That depends on where you include the file you define the set in. In the example pillar, a configuration file sets.conf is placed in /etc/nftables.conf.d/salt/passive/, which is then included in the nat table via line 34.
Edit: Maybe I should make it more clear that the key names underneath config are just example file names. The example has sets in a file called sets, but it could just as well be multiple files mysets1, mysets2, .. all containing sets, which can then be included in different tables.
New formula for managing nftables. Work in progress.