Using configuration management systems
This page shows a basic example of how to integrate the nftables scripting capabilities with configuration management systems (puppet, ansible, chef, salt and others).
The basic approach is to have one central module that installs nftables and deploys a ruleset skeleton. The skeleton includes a directory of fragment files, so other components (modules, profiles, or whatever) only deploy the specific rules or configuration they need into that directory. Because nft -f loads a file as a single transaction, the skeleton and every fragment it includes take effect together: either the complete new ruleset replaces the old one, or nothing changes.
For the sake of the example this page uses puppet as reference, but the same concepts and mechanism can be applied to the others.
NOTE: if you copy-paste this example, make sure you adapt it to your environment. The code below is an example and hasn't been tested at all.
a base puppet module
A file named modules/nftables/manifests/init.pp:
class nftables(
) {
  # install the package
  package { 'nftables':
    ensure => 'present',
  }
  # create a directory to hold the nftables config; fragments from other modules land here too
  file { '/etc/nftables':
    ensure => 'directory',
  }
  # deploy the basic configuration file, i.e. the basic nftables ruleset skeleton.
  # validate_cmd runs 'nft -c -f' (check mode) on the new file before it replaces the
  # old one; since the skeleton includes every deployed fragment, this checks the whole
  # ruleset without touching the kernel, and a broken fragment never reaches the kernel.
  file { '/etc/nftables/ruleset.nft':
    ensure       => 'present',
    source       => 'puppet:///modules/nftables/nftables.nft',
    validate_cmd => '/usr/sbin/nft -c -f %',
    notify       => Service['nftables'],
  }
  # ensure the nftables systemd service is enabled and running (at boot time, etc).
  # A plain stop/start of the distribution unit is not what we want here: on Debian the
  # unit's ExecStop runs 'nft flush ruleset', which leaves the host without a firewall
  # until the new ruleset is loaded. Reload in place instead: 'nft -f' replaces the
  # ruleset in one atomic transaction, so there is no window with an empty ruleset.
  # Note: the distribution unit loads its own file at boot (/etc/nftables.conf on
  # Debian); make that file include /etc/nftables/ruleset.nft, or point the unit at it.
  service { 'nftables':
    ensure  => 'running',
    enable  => true,
    restart => '/usr/sbin/nft -f /etc/nftables/ruleset.nft',
  }
}
This is the file it installs, modules/nftables/files/nftables.nft:
#!/usr/sbin/nft -f
# the whole file is loaded as one transaction: the flush and everything below it are
# applied together, so the kernel never sees a half-loaded ruleset
flush ruleset
# create the basic ruleset skeleton
add table inet filter
# ports that other modules open by adding elements to this set (inet_service = TCP/UDP port)
add set inet filter allowed_ports { type inet_service ; }
# default-deny input chain
add chain inet filter input { type filter hook input priority filter ; policy drop ; }
add rule inet filter input iif lo counter accept
add rule inet filter input ct state established,related counter accept
# the set is matched for TCP only; a fragment that opens a UDP port needs its own rule
add rule inet filter input tcp dport @allowed_ports accept
# count what falls through to the drop policy (useful when debugging a blocked service)
add rule inet filter input counter
# include all the other files that may be deployed by puppet; nft expands the glob itself,
# and a wildcard pattern that matches no file (unlike a missing literal filename) is not an error
include "/etc/nftables/*puppet.nft"
a module to introduce nftables config
This defined type is what other modules use to inject new nftables config into the system: one file per rule, dropped into the directory the skeleton includes. A file named modules/nftables/manifests/rule.pp:
define nftables::rule(
  String $rule,
) {
  require ::nftables
  # the title becomes part of a path under /etc/nftables, so restrict it to a safe
  # character set before interpolating it (a title containing '/' or '..' must not
  # be able to write outside the directory)
  assert_type(Pattern[/\A[A-Za-z0-9_-]+\z/], $name)
  # one fragment per rule; it is picked up by the include glob in the skeleton and
  # loaded, together with everything else, when the base ruleset is reloaded
  file { "/etc/nftables/${name}_puppet.nft":
    ensure  => 'present',
    content => "${rule}\n",
    notify  => Service['nftables'],
  }
}
other modules adding nftables configuration
In this example, an apache module installs the web server and adds the rules and configuration it needs to nftables.
This is a file named modules/apache/manifests/config.pp:
class apache::config(
) {
  # the package name differs between distributions (apache2 on Debian, httpd on RHEL)
  package { 'apache':
    ensure => 'present',
  }
  # open port 80 by adding it to the set the base ruleset already matches on;
  # the ruleset is reloaded atomically through the notify in nftables::rule
  nftables::rule { 'apache_port_80':
    rule => 'add element inet filter allowed_ports { 80 }',
  }
}
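The same flow, outside Puppet, as a plain shell script so the individual steps (render the skeleton, drop a fragment in place, check the whole ruleset with nft -c, then load it atomically with nft -f) can be tried by hand. This is an added example written for this page, not code from the nftables project or from the wiki; it assumes a root directory argument standing in for /etc/nftables (so it can be run in a scratch directory first), an NFT_BIN variable for the nft binary, and the fragment naming scheme used by the manifests above.

```shell
#!/bin/sh
# Hypothetical helper that mirrors the Puppet manifests above (added example).
# The root directory passed as $1 stands in for /etc/nftables.
set -eu

NFT_BIN="${NFT_BIN:-/usr/sbin/nft}"   # assumed: path to the nft binary

# Fragment names become file names, so only allow a conservative character
# set (a name such as "../../etc/cron.d/x" must never turn into a path).
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the skeleton ruleset (same content as the wiki's nftables.nft, with the
# include glob pointing at the chosen root directory).
render_skeleton() {   # $1 = root dir
    cat > "$1/ruleset.nft" <<EOF
#!/usr/sbin/nft -f
flush ruleset
add table inet filter
add set inet filter allowed_ports { type inet_service ; }
add chain inet filter input { type filter hook input priority filter ; policy drop ; }
add rule inet filter input iif lo counter accept
add rule inet filter input ct state established,related counter accept
add rule inet filter input tcp dport @allowed_ports accept
add rule inet filter input counter
include "$1/*puppet.nft"
EOF
}

# Equivalent of nftables::rule { $name: rule => $rule }: one fragment per rule.
deploy_rule() {   # $1 = root dir, $2 = fragment name, $3 = rule text
    valid_name "$2" || { echo "refusing unsafe fragment name: $2" >&2; return 1; }
    printf '%s\n' "$3" > "$1/${2}_puppet.nft"
}

# Check the full ruleset (skeleton plus every fragment) without touching the
# kernel; only if that passes, load it. nft -f applies the file as one
# transaction, so either the new ruleset replaces the old one or nothing changes.
apply_ruleset() {   # $1 = root dir
    "$NFT_BIN" -c -f "$1/ruleset.nft" || { echo "ruleset check failed, kernel untouched" >&2; return 1; }
    "$NFT_BIN" -f "$1/ruleset.nft"
}

# Usage on a real host (as root, with NFT_BIN pointing at nft):
#   render_skeleton /etc/nftables
#   deploy_rule /etc/nftables apache_port_80 'add element inet filter allowed_ports { 80 }'
#   apply_ruleset /etc/nftables
```

The check-then-apply split in apply_ruleset is the same thing validate_cmd does in the Puppet file resource: a fragment with a typo fails the check and the running ruleset is left as it was, rather than the host ending up with a flushed, empty ruleset halfway through a load.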