-
Notifications
You must be signed in to change notification settings - Fork 710
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #10128 from rumch-se/rule_set_nftables_table
New SLE 15 rule set_nftables_table
- Loading branch information
Showing
7 changed files
with
126 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
linux_os/guide/system/network/network-nftables/set_nftables_table/ansible/shared.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # platform = multi_platform_sle | ||
| # reboot = false | ||
| # strategy = restrict | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ ansible_instantiate_variables("var_nftables_family") }}} | ||
| {{{ ansible_instantiate_variables("var_nftables_table") }}} | ||
|
|
||
| - name: Collect Existing Nftables | ||
| ansible.builtin.command: nft list tables | ||
| register: existing_nftables | ||
|
|
||
| - name: Set Nftable Table | ||
| ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }} | ||
| when: existing_nftables.stdout_lines | length == 0 |
13 changes: 13 additions & 0 deletions
13
linux_os/guide/system/network/network-nftables/set_nftables_table/bash/shared.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # platform = multi_platform_sle | ||
|
|
||
| #Set nftables family name | ||
| {{{ bash_instantiate_variables("var_nftables_family") }}} | ||
|
|
||
| #Set nftables table name | ||
| {{{ bash_instantiate_variables("var_nftables_table") }}} | ||
|
|
||
| IS_TABLE=$(nft list tables) | ||
| if [ -z "$IS_TABLE" ] | ||
| then | ||
| nft create table "$var_nftables_family" "$var_nftables_table" | ||
| fi |
35 changes: 35 additions & 0 deletions
35
linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: sle15 | ||
|
|
||
| title: 'Ensure a Table Exists for Nftables' | ||
|
|
||
| description: |- | ||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||
| to packets of this family. Tables can have one of six families. | ||
| rationale: |- | ||
| Nftables doesn't have any default tables. Without a table being built, nftables will not filter | ||
| network traffic. | ||
| Note: adding rules to a running nftables can cause loss of connectivity to the system. | ||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@sle15: CCE-92569-3 | ||
|
|
||
| references: | ||
| cis@sle15: 3.5.2.4 | ||
|
|
||
| ocil_clause: 'a nftables table does not exist' | ||
|
|
||
| warnings: | ||
| - general: "Adding rules to a running nftables can cause loss of connectivity to the system." | ||
|
|
||
| ocil: |- | ||
| To verify that a nftables table exists, run the following command: | ||
| <pre>$ sudo nft list tables</pre> | ||
| Output should include a list of nftables similar to: | ||
| <tt> | ||
| table inet filter | ||
| </tt> |
37 changes: 37 additions & 0 deletions
37
linux_os/guide/system/network/network-nftables/var_nftables_family.var
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Nftables Families' | ||
|
|
||
|
|
||
| description: |- | ||
| Netfilter enables filtering at multiple networking levels. With iptables there | ||
| is a separate tool for each level: iptables, ip6tables, arptables, ebtables. | ||
| With nftables the multiple networking levels are abstracted into families, | ||
| all of which are served by the single tool nft. | ||
| <tt>ip</tt>Tables of this family see IPv4 traffic/packets. | ||
| <tt>ip6</tt>Tables of this family see IPv6 traffic/packets. | ||
| <tt>inet</tt>Tables of this family see both IPv4 and IPv6 traffic/packets, | ||
| simplifying dual stack support. | ||
| <tt>arp</tt>Tables of this family see ARP-level (i.e, L2) traffic, before | ||
| any L3 handling is done by the kernel. | ||
| <tt>bridge</tt>Tables of this family see traffic/packets traversing bridges | ||
| (i.e. switching). No assumptions are made about L3 protocols. | ||
| <tt>netdev</tt>The netdev family is different from the others in that it | ||
| is used to create base chains attached to a single network interface. Such | ||
| base chains see all network traffic on the specified interface, with no | ||
| assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: true | ||
|
|
||
| options: | ||
| default: inet | ||
| ip: ip | ||
| ip6: ip6 | ||
| inet: inet | ||
| arp: arp | ||
| bridge: bridge | ||
| netdev: netdev |
17 changes: 17 additions & 0 deletions
17
linux_os/guide/system/network/network-nftables/var_nftables_table.var
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Nftables Tables' | ||
|
|
||
| description: |- | ||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||
| to packets of this family. Tables can have one of six families. | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: true | ||
|
|
||
| options: | ||
| default: filter | ||
| filter: filter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -75,7 +75,6 @@ CCE-92565-1 | |
| CCE-92566-9 | ||
| CCE-92567-7 | ||
| CCE-92568-5 | ||
| CCE-92569-3 | ||
| CCE-92570-1 | ||
| CCE-92571-9 | ||
| CCE-92572-7 | ||
|
|
||