openSUSE · tacerus · Sep 10, 2023 · Sep 16, 2023 · Oct 7, 2023 · Oct 7, 2023
diff --git a/nftables-formula/nftables/files/nftables.mako b/nftables-formula/nftables/files/nftables.mako
@@ -0,0 +1,37 @@
+## Write simple and set variables
+% for variable, contents in config.get('variables', {}).items():
+define ${variable} = \
+  % if isinstance(contents, str):
+${contents}
+  % elif isinstance(contents, list):
+{
+% for value in contents:
+  ${value},
+% endfor
+}
+% endif
+% endfor
+
+## Write tables
+% for table, table_config in config.get('tables', {}).items():
+table ${table} ${table_config['type']} {
+% for chain, chain_config in table_config.get('chains', {}).items():
+  chain ${chain} {
+    % if 'policy' in chain_config:
+    policy ${chain_config['policy']}
+    % endif
+    ## Establish correct rule order based on priority key
+    <%
+     combined_chain_config = {}
+     combined_chain_config.update(chain_config.get('rules', {}))
+     combined_chain_config.update(chain_config.get('meta', {}))
+     for entry in sorted(combined_chain_config, key=lambda lowentry: combined_chain_config[lowentry].get('priority', 100)):
+       combined_chain_config[entry] = combined_chain_config.pop(entry)
+    %>
+    % for entry, entry_config in combined_chain_config.items():
+    ${entry}${entry_config.get(' action','')}
+    % endfor
+  }
+% endfor
+}
+% endfor
diff --git a/nftables-formula/nftables/init.sls b/nftables-formula/nftables/init.sls
@@ -0,0 +1,34 @@
+{%- from 'nftables/map.jinja' import nft, dir %}
+
+#nftables_packages:
+#  pkg.installed:
+#    - pkgs:
+#      - nftables-service
+
+nftables_directory:
+  file.directory:
+    - name: {{ dir }}
+    - makedirs: true
+
+nftables_config_base:
+  file.managed:
+    - name: /etc/nftables.conf
+    - contents: |
+        #!/usr/sbin/nft -f
+        include "{{ dir }}/*.conf"
+
+{%- for category, config in nft.items() %}
+
+nftables_config_{{ category }}:
+  file.managed:
+    - name:
+    {%- set file = category ~ '.conf' -%}
+    {%- if 'priority' in config -%}
+    {%- set file = config['priority'] ~ '_' ~ file -%}
+    {%- endif -%}
+    {{ ' ' ~ dir }}/{{ file }}
+    - template: mako
+    - source: salt://{{ slspath }}/files/nftables.mako
+    - context:
+        config: {{ config }}
+{%- endfor %}
diff --git a/nftables-formula/nftables/map.jinja b/nftables-formula/nftables/map.jinja
@@ -0,0 +1,3 @@
+{%- set mypillar = salt['pillar.get']('nftables', {}) -%}
+{%- set nft = mypillar.get('config', {}) -%}
+{%- set dir = '/etc/nftables.conf.d/salt' %}
diff --git a/nftables-formula/pillar.example b/nftables-formula/pillar.example
@@ -0,0 +1,27 @@
+nftables:
+  config:
+    variables:
+      priority: 01
+      variables:
+        vpn_ranges:
+          - 192.168.0.0/24
+          - 192.168.1.0/24
+        myhost: 192.168.0.1/32
+    tables:
+      priority: 02
+      tables:
+        inet:
+          type: filter
+          chains:
+            input:
+              policy: drop
+              rules:
+                'ct state established, related':
+                  priority: 201
+                  action: accept
+                'ct state invalid':
+                  priority: 202
+                  action: drop
+              meta:
+                'iif external jump input_external':
+                  priority: 101