salt.states.nftables
Management of nftables
This is an nftables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.
Each stanza below is a separate, self-contained example; the IDs (httpd, output) are reused for illustration and would collide if placed together in one SLS file.

```yaml
httpd:
  nftables.append:
    - table: filter
    - chain: input
    - jump: accept
    - match: state
    - connstate: new
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.append:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

output:
  nftables.chain_present:
    - family: ip
    - table: filter

output:
  nftables.chain_absent:
    - family: ip
    - table: filter
```
- salt.states.nftables.append(name, family='ipv4', **kwargs)
New in version 0.17.0.
Append a rule to a chain
- name
A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
- salt.states.nftables.chain_absent(name, table='filter', family='ipv4')
New in version 2014.7.0.
Verify the chain is absent.
- family
Networking family, either ipv4 or ipv6
- salt.states.nftables.chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4')
New in version 2014.7.0.
Changed in version 3002.
Verify a chain exists in a table.
- name
A user-defined chain name.
- table
The table to own the chain.
- table_type, hook, priority
Base-chain parameters (for example table_type filter, hook input, priority 0). In nftables only a base chain, which needs all three, is attached to a netfilter hook and sees traffic; a chain created without them is a regular chain that only receives packets via jump or goto from another chain.
- family
Networking family, either ipv4 or ipv6
- salt.states.nftables.delete(name, family='ipv4', **kwargs)
New in version 2014.7.0.
Delete a rule from a chain
- name
A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
- salt.states.nftables.flush(name, family='ipv4', ignore_absence=False, **kwargs)
New in version 2014.7.0.
Changed in version 3002.
Flush current nftables state
- family
Networking family, either ipv4 or ipv6
- ignore_absence
If set to True, attempts to flush a non-existent table will not result in a failed state.
New in version 3002.
- salt.states.nftables.insert(name, family='ipv4', **kwargs)
New in version 2014.7.0.
Insert a rule into a chain
- name
A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
- salt.states.nftables.set_policy(name, table='filter', family='ipv4', **kwargs)
New in version 3002.
Sets the default policy for nftables chains
- name
The chain whose policy should be set. A policy only has effect on a base chain (one created with a type, hook and priority); it is the verdict applied to packets that reach the end of the chain without matching a terminating rule.
- table
The table that owns the chain that should be modified
- family
Networking family, either ipv4 or ipv6
- policy
The requested chain policy (accept or drop)
- save
Boolean to save the in-memory nftables settings to a file.
- save_filename
The filename to save the nftables settings (default: /etc/nftables or /etc/nftables/salt-all-in-one.nft if the former is a directory)
- salt.states.nftables.table_absent(name, family='ipv4', **kwargs)
New in version 3002.
Ensure an nftables table is absent
- name
Name of the table to ensure is absent
- family
Networking family, either ipv4 or ipv6
- salt.states.nftables.table_present(name, family='ipv4', **kwargs)
New in version 3002.
Ensure an nftables table is present
- name
A user-defined table name.
- family
Networking family, either ipv4 or ipv6
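The states above are documented one at a time; in practice they are combined into a single SLS that builds the table, the base chain, the accept rules and finally the default policy, in that order. The following is an added example written for this page, not an SLS from the Salt project. It ties together table_present, chain_present with the base-chain parameters, append with connstate, and set_policy. The state IDs (nft-*), the chain name INPUT and the port choices are the example's own; it also assumes that a comma-separated connstate value such as established,related is passed through to nft unchanged, so check the resulting rule with nft list ruleset after the first run.

```yaml
# Added example, not part of the Salt documentation or code base.
# Minimal default-deny IPv4 input policy built only from the states on this page.

nft-filter-table:
  nftables.table_present:
    - name: filter
    - family: ipv4

nft-input-chain:
  nftables.chain_present:
    - name: INPUT
    - table: filter
    - family: ipv4
    # All three parameters are required for a base chain; without them
    # INPUT would exist but never be hooked into the input path.
    - table_type: filter
    - hook: input
    - priority: 0
    - require:
      - nftables: nft-filter-table

nft-input-established:
  nftables.append:
    - table: filter
    - chain: INPUT
    - family: ipv4
    - match: state
    - connstate: established,related   # assumed to be passed through to nft as-is
    - jump: accept
    - save: True
    - require:
      - nftables: nft-input-chain

nft-input-ssh:
  nftables.append:
    - table: filter
    - chain: INPUT
    - family: ipv4
    - proto: tcp
    - dport: 22
    - match: state
    - connstate: new
    - jump: accept
    - save: True
    - require:
      - nftables: nft-input-established

nft-input-http:
  nftables.append:
    - table: filter
    - chain: INPUT
    - family: ipv4
    - proto: tcp
    - dport: 80
    - match: state
    - connstate: new
    - jump: accept
    - save: True
    - require:
      - nftables: nft-input-ssh

# The policy is switched to drop last, with a require on the final accept
# rule, so that a run that fails part-way never leaves the chain at drop
# without the SSH accept rule in place and locks the minion out.
nft-input-policy:
  nftables.set_policy:
    - name: INPUT
    - table: filter
    - family: ipv4
    - policy: drop
    - save: True
    - require:
      - nftables: nft-input-http
```

Run it first with test=True (salt-call state.apply <sls> test=True) to see which states would change, then apply for real and confirm the result with nft list ruleset; the saved file (save_filename, default /etc/nftables or /etc/nftables/salt-all-in-one.nft) should contain the same chain with policy drop and the three accept rules in order.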