New SLE 15 rule set_nftables_table #10128
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,16 @@ | ||||||
| # platform = multi_platform_sle | ||||||
| # reboot = false | ||||||
| # strategy = restrict | ||||||
| # complexity = low | ||||||
| # disruption = low | ||||||
|
|
||||||
| {{{ ansible_instantiate_variables("var_nftables_family") }}} | ||||||
| {{{ ansible_instantiate_variables("var_nftables_table") }}} | ||||||
|
|
||||||
| - name: Collect existing nftables | ||||||
marcusburghardt marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| ansible.builtin.shell: nft list tables | ||||||
|
There was a problem hiding this comment. Do you need |
||||||
| register: existing_nftables | ||||||
|
|
||||||
| - name: Set nftable table | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| ansible.builtin.shell: nft create table {{ var_nftables_family }} {{ var_nftables_table }} | ||||||
| when: existing_nftables.stdout_lines | length == 0 | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # platform = multi_platform_sle | ||
|
|
||
| #Set nftables family name | ||
| {{{ bash_instantiate_variables("var_nftables_family") }}} | ||
| NETWORK_LEVEL=$var_nftables_family | ||
|
There was a problem hiding this comment. These can be removed, and just the variables directly in your command. |
||
|
|
||
| #Set nftables table name | ||
| {{{ bash_instantiate_variables("var_nftables_table") }}} | ||
| TABLE_NAME=$var_nftables_table | ||
|
|
||
|
|
||
| IS_TABLE=$(nft list tables) | ||
| if [ -z "$IS_TABLE" ] | ||
| then | ||
| nft create table "$NETWORK_LEVEL" "$TABLE_NAME" | ||
| fi | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,32 @@ | ||||||
| documentation_complete: true | ||||||
|
|
||||||
| prodtype: sle15 | ||||||
|
|
||||||
| title: 'Ensure a table exists for nftables' | ||||||
Mab879 marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| description: |- | ||||||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||||||
| to packets of this family. Tables can have one of six families. | ||||||
|
|
||||||
| rationale: |- | ||||||
| Nftables doesn't have any default tables. Without a table being build, nftables will not filter | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| network traffic. | ||||||
| <b>Impact</b>Adding rules to a running nftables can cause loss of connectivity to the system | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
|
There was a problem hiding this comment. Please add warning like this about risk of losing connectivity to the system. |
||||||
| severity: medium | ||||||
|
|
||||||
| identifiers: | ||||||
| cce@sle15: CCE-92569-3 | ||||||
|
|
||||||
| references: | ||||||
| cis@sle15: 3.5.2.4 | ||||||
|
|
||||||
| ocil_clause: 'nftables table does not exist' | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| ocil: |- | ||||||
| To verify that a nftables table exists, run the following command: | ||||||
marcusburghardt marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| <pre>$ sudo nft list tables</pre> | ||||||
Mab879 marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| Output should include a list of nftables similar to: | ||||||
| <tt> | ||||||
| table inet filter | ||||||
| </tt> | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,37 @@ | ||||||
| documentation_complete: true | ||||||
|
|
||||||
| title: 'Nftables families' | ||||||
Mab879 marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
|
|
||||||
| description: |- | ||||||
| Netfilter enables filtering at multiple networking levels. With iptables there | ||||||
| is a separate tool for each level: iptables, ip6tables, arptables, ebtables. | ||||||
| With nftables the multiple networking levels are abstracted into families, | ||||||
| all of which are served by the single tool nft. | ||||||
| <tt>ip</tt>Tables of this family see IPv4 traffic/packets. | ||||||
| <tt>ip6</tt>Tables of this family see IPv6 traffic/packets. | ||||||
| <tt>inet</tt>Tables of this family see both IPv4 and IPv6 traffic/packets, | ||||||
| simplifying dual stack support. | ||||||
| <tt>arp</tt>Tables of this family see ARP-level (i.e, L2) traffic, before | ||||||
| any L3 handling is done by the kernel. | ||||||
| <tt>bdidge</tt>Tables of this family see traffic/packets traversing bridges | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| (i.e. switching). No assumptions are made about L3 protocols. | ||||||
| <tt>netdev</tt>The netdev family is different from the others in that it | ||||||
| is used to create base chains attached to a single network interface. Such | ||||||
| base chains see all network traffic on the specified interface, with no | ||||||
| assumptions about L2 or L3 protocols. Therefore you can filter ARP traffic from here. | ||||||
|
|
||||||
| type: string | ||||||
|
|
||||||
| operator: equals | ||||||
|
|
||||||
| interactive: true | ||||||
|
|
||||||
| options: | ||||||
| default: inet | ||||||
| ip: ip | ||||||
| ip6: ip6 | ||||||
| inet: inet | ||||||
| arp: arp | ||||||
| bridge: bridge | ||||||
| netdev: netdev | ||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| documentation_complete: true | ||
|
|
||
| title: 'Nftables tables' | ||
marcusburghardt marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
rumch-se marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| description: |- | ||
| Tables in nftables hold chains. Each table only has one address family and only applies | ||
| to packets of this family. Tables can have one of six families. | ||
|
|
||
| type: string | ||
|
|
||
| operator: equals | ||
|
|
||
| interactive: true | ||
|
|
||
| options: | ||
| default: filter | ||
| filter: filter | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -84,7 +84,6 @@ CCE-92565-1 | |
| CCE-92566-9 | ||
| CCE-92567-7 | ||
| CCE-92568-5 | ||
| CCE-92570-1 | ||
| CCE-92571-9 | ||
| CCE-92572-7 | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a side note, if you are willing to not be SCAP compliant SCE (script check engine) content could be used on this rule to automate the check.