salt.states.nftables

Management of nftables

This is an nftables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.

httpd:
  nftables.append:
    - table: filter
    - chain: input
    - jump: accept
    - match: state
    - connstate: new
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.append:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

output:
  nftables.chain_present:
    - family: ip
    - table: filter

output:
  nftables.chain_absent:
    - family: ip
    - table: filter
salt.states.nftables.append(name, family='ipv4', **kwargs)

New in version 0.17.0.

Append a rule to a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Network family, ipv4 or ipv6.

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

salt.states.nftables.chain_absent(name, table='filter', family='ipv4')

New in version 2014.7.0.

Verify the chain is absent.

family

Networking family, either ipv4 or ipv6

salt.states.nftables.chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4')

New in version 2014.7.0.

Changed in version 3002.

Verify a chain exists in a table.

name

A user-defined chain name.

table

The table to own the chain.

family

Networking family, either ipv4 or ipv6

salt.states.nftables.delete(name, family='ipv4', **kwargs)

New in version 2014.7.0.

Delete a rule to a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Networking family, either ipv4 or ipv6

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

salt.states.nftables.flush(name, family='ipv4', ignore_absence=False, **kwargs)

New in version 2014.7.0.

Changed in version 3002.

Flush current nftables state

family

Networking family, either ipv4 or ipv6

ignore_absence

If set to True, attempts to flush a non-existent table will not result in a failed state.

New in version 3002.

salt.states.nftables.insert(name, family='ipv4', **kwargs)

New in version 2014.7.0.

Insert a rule into a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Networking family, either ipv4 or ipv6

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

salt.states.nftables.set_policy(name, table='filter', family='ipv4', **kwargs)

New in version 3002.

Sets the default policy for nftables chains

table

The table that owns the chain that should be modified

family

Networking family, either ipv4 or ipv6

policy

The requested table policy (accept or drop)

save

Boolean to save the in-memory nftables settings to a file.

save_filename

The filename to save the nftables settings (default: /etc/nftables or /etc/nftables/salt-all-in-one.nft if the former is a directory)

salt.states.nftables.table_absent(name, family='ipv4', **kwargs)

New in version 3002.

Ensure an nftables table is absent

name

Name of the table to ensure is absent

family

Networking family, either ipv4 or ipv6

salt.states.nftables.table_present(name, family='ipv4', **kwargs)

New in version 3002.

Ensure an nftables table is present

name

A user-defined table name.

family

Networking family, either ipv4 or ipv6

Generated on October 23, 2024 at 09:02:06 UTC.

You are viewing docs for the latest stable release, 3007.1. Switch to docs for the previous stable release, 3006.9, or to a recent doc build from the master branch.


saltproject.io

© 2024 VMware, Inc. | Privacy Policy