servers/roles/ceph/templates/nftables.conf.j2

39 lines
960 B
Plaintext
Raw Normal View History

#!/usr/sbin/nft -f
flush ruleset
# Just a temporary filter until we get our shit together policy-wise.
table inet filter {
set allowed {
type ipv4_addr; flags interval
elements = { 10.32.0.0/14, 193.2.76.176/24, 192.168.19.0/24, 192.168.251.0/24, 88.200.23.0/24 }
}
set allowed/6 {
type ipv6_addr; flags interval
elements = { 2001:1470:fffd::/48 }
}
chain input {
type filter hook input priority filter; policy drop
ct state vmap { invalid : drop, established : accept, related : accept }
iif lo accept
# BGP / BFD sessions
iif lan0 ip6 saddr fe80::/64 accept
iif lan1 ip6 saddr fe80::/64 accept
ip saddr @allowed accept
ip6 saddr @allowed/6 accept
}
chain forward {
type filter hook forward priority filter; policy accept
}
chain output {
type filter hook output priority filter; policy accept
}
}