New SLE 15 rule set_nftables_table #10128
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| # platform = multi_platform_sle | ||
| # reboot = false | ||
| # strategy = restrict | ||
| # complexity = low | ||
| # disruption = low | ||
|
|
||
| {{{ ansible_instantiate_variables("var_nftables_family") }}} | ||
| {{{ ansible_instantiate_variables("var_nftables_table") }}} | ||
|
|
||
| - name: Collect Existing Nftables | ||
| ansible.builtin.command: nft list tables | ||
| register: existing_nftables | ||
|
|
||
| - name: Set Nftable Table | ||
| ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }} | ||
| when: existing_nftables.stdout_lines | length == 0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # platform = multi_platform_sle | ||
|
|
||
| #Set nftables family name | ||
| {{{ bash_instantiate_variables("var_nftables_family") }}} | ||
|
|
||
| #Set nftables table name | ||
| {{{ bash_instantiate_variables("var_nftables_table") }}} | ||
|
|
||
| IS_TABLE=$(nft list tables) | ||
| if [ -z "$IS_TABLE" ] | ||
| then | ||
| nft create table "$var_nftables_family" "$var_nftables_table" | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| documentation_complete: true | ||
|
|
||
| prodtype: sle15 | ||
|
|
||
| title: 'Ensure a Table Exists for Nftables' | ||
|
|
||
| description: |- | ||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||
| to packets of this family. Tables can have one of six families. | ||
|
|
||
| rationale: |- | ||
| Nftables doesn't have any default tables. Without a table being built, nftables will not filter | ||
| network traffic. | ||
| Note: adding rules to a running nftables can cause loss of connectivity to the system. | ||
|
|
||
|
There was a problem hiding this comment. Please add warning like this about risk of losing connectivity to the system. |
||
| severity: medium | ||
|
|
||
| identifiers: | ||
| cce@sle15: CCE-92569-3 | ||
|
|
||
| references: | ||
| cis@sle15: 3.5.2.4 | ||
|
|
||
| ocil_clause: 'a nftables table does not exist' | ||
|
|
||
| warnings: | ||
| - general: "Adding rules to a running nftables can cause loss of connectivity to the system." | ||
|
|
||
| ocil: |- | ||
| To verify that a nftables table exists, run the following command: | ||
| <pre>$ sudo nft list tables</pre> | ||
| Output should include a list of nftables similar to: | ||
| <tt> | ||
| table inet filter | ||
| </tt> | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Nftables Families' | ||
|
|
||
|
|
||
| description: |- | ||
| Netfilter enables filtering at multiple networking levels. With iptables there | ||
| is a separate tool for each level: iptables, ip6tables, arptables, ebtables. | ||
| With nftables the multiple networking levels are abstracted into families, | ||
| all of which are served by the single tool nft. | ||
| <tt>ip</tt>Tables of this family see IPv4 traffic/packets. | ||
| <tt>ip6</tt>Tables of this family see IPv6 traffic/packets. | ||
| <tt>inet</tt>Tables of this family see both IPv4 and IPv6 traffic/packets, | ||
| simplifying dual stack support. | ||
| <tt>arp</tt>Tables of this family see ARP-level (i.e, L2) traffic, before | ||
| any L3 handling is done by the kernel. | ||
| <tt>bridge</tt>Tables of this family see traffic/packets traversing bridges | ||
| (i.e. switching). No assumptions are made about L3 protocols. | ||
| <tt>netdev</tt>The netdev family is different from the others in that it | ||
| is used to create base chains attached to a single network interface. Such | ||
| base chains see all network traffic on the specified interface, with no | ||
| assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: true | ||
|
|
||
| options: | ||
| default: inet | ||
| ip: ip | ||
| ip6: ip6 | ||
| inet: inet | ||
| arp: arp | ||
| bridge: bridge | ||
| netdev: netdev |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Nftables Tables' | ||
|
|
||
rumch-se marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| description: |- | ||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||
| to packets of this family. Tables can have one of six families. | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: true | ||
|
|
||
| options: | ||
| default: filter | ||
| filter: filter | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -84,7 +84,6 @@ CCE-92565-1 | |
| CCE-92566-9 | ||
| CCE-92567-7 | ||
| CCE-92568-5 | ||
| CCE-92570-1 | ||
| CCE-92571-9 | ||
| CCE-92572-7 | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a side note, if you are willing to not be SCAP compliant SCE (script check engine) content could be used on this rule to automate the check.