Add service ports, ssh port, SNAT rule in nftables
ref: INF-138
Change-Id: I94a80467b30416a288b4a2ac6325427123df4d7d
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 95c1439..e710436 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -9,13 +9,37 @@
# Primary rules
table inet filter {
chain input {
- type filter hook input priority 0;
+ type filter hook input priority 0; policy drop;
+
+ # The basic rules to accept ICMP and established connection
+ iif "lo" accept
+ ip protocol icmp accept
+ ct state established,related accept
+ ct state invalid drop
+
+ {% if "services" in netprep_nftables %}
+ ## The service present on this server
+ {% for item in netprep_nftables["services"] %}
+ # For service {{ item["name"] }}
+ iif "{{ netprep_nftables["external_if"] }}" {{ item["protocol"] }} dport {{ item["port"]}} accept
+ {% endfor %}
+ {% endif %}
+
+ # Allow SSH on all interfaces
+ tcp dport ssh accept
+
+ {% if "allow_subnets" in netprep_nftables %}
+ # The ingress traffic restriction of internal networks
+ {% for item in netprep_nftables["allow_subnets"] %}
+ iif "{{ netprep_nftables["internal_if"] }}" ip saddr {{ item }} accept
+ {% endfor %}
+ {% endif %}
}
chain forward {
- type filter hook forward priority 0;
+ type filter hook forward priority 0; policy accept;
}
chain output {
- type filter hook output priority 0;
+ type filter hook output priority 0; policy accept;
}
}
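Review bot: With `policy drop` now on the input chain of an `inet` table, the only ICMP rule, `ip protocol icmp accept`, matches IPv4 only, so ICMPv6 (including neighbor discovery) is dropped on any IPv6-enabled interface; `meta l4proto { icmp, icmpv6 } accept` would cover both families. That rule also accepts every ICMP type without limit, so consider restricting it to the types needed or adding a `limit rate`. Separately, the forward chain is set to `policy accept` while the postrouting chain in the next hunk masquerades, so this host forwards any traffic by default; a `ct state established,related accept` plus explicit allows under `policy drop` would mirror what the input chain now does. Minor: `{{ item["port"]}}` on the service rule lacks the space before `}}` that the other expressions use.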
@@ -27,9 +51,14 @@
chain postrouting {
type nat hook postrouting priority 100;
- oifname "{{ netprep_nat_if }}" masquerade;
-{% if netprep_nftables_nat_postrouting %}
-{{ netprep_nftables_nat_postrouting | indent(width=4) }}
-{% endif %}
+ oifname "{{ netprep_nftables["internal_if"] }}" masquerade;
+ {% if "ue_routing" in netprep_nftables %}
+ {% for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] %}
+ {% for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
+ ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
+ {% endfor %}
+ {% endfor %}
+
+ {% endif %}
}
}
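Review bot: The generic `oifname "{{ netprep_nftables["internal_if"] }}" masquerade;` rule precedes the new SNAT rules in the same postrouting chain, and nat statements such as masquerade are terminal, so a packet destined to a UE subnet that also egresses via `internal_if` is masqueraded and never reaches the `snat to` rule. If that is the intended egress interface, the `ip saddr ... ip daddr ... counter snat to ...` rules should be emitted before the masquerade line. The masquerade target also changed from `netprep_nat_if` to `netprep_nftables["internal_if"]`; masquerading toward an interface named "internal" is unusual enough to confirm against the intended topology. The enclosing nat table starts outside the hunk.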