Advanced ruleset for dynamic environments

From nftables wiki
Revision as of 02:17, 26 January 2018 by Jeff.welling (talk | contribs) (Started working on a more advanced config that supports service discovery)

This page is an unvetted draft

Today's computing environments require features like service discovery, and the environments themselves can be dynamic and change rapidly. One way nftables can help is by breaking the firewall configuration into small pieces that can be generated dynamically by tools such as Consul and Consul Template, Vault, or configuration management like Chef, Puppet, or Ansible.


/etc/nftables.start.conf
  - Creates the tables
  - Loads /etc/nftables.conf

/etc/nftables.conf
  - Loads the table-specific entries, such as /etc/nft.conf.d/nftables.ip.filter.conf and /etc/nft.conf.d/nftables.ip.nat.conf
  - Loads the main sets file, /etc/nft.conf.d/main.conf

/etc/nft.conf.d/main.conf
  - Loads each individual set file (for example /etc/nft.conf.d/sets.d/trusted_ips.conf), because nftables does not support wildcards in include statements

/etc/nft.conf.d/nftables.ip.filter.conf
  - Configures the 'ip filter' table

/etc/nft.conf.d/nftables.ip.nat.conf
  - Configures the 'ip nat' table
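A concrete filled-in version of this layout, added here as an example rather than taken from the page: the file names follow the list above, the set contents, ports and interface name are constructed sample values, and sets are included before the rules that reference them so a reload never hits an undefined set.

```nft
# /etc/nftables.start.conf   (apply with: nft -f /etc/nftables.start.conf)
# Tables are created here so every included file can add to them.
add table ip filter
add table ip nat
include "/etc/nftables.conf"

# /etc/nftables.conf
# Sets are included before the rules that reference them: a rule using
# @trusted_ips fails to load if the set does not exist yet.
include "/etc/nft.conf.d/main.conf"
include "/etc/nft.conf.d/nftables.ip.filter.conf"
include "/etc/nft.conf.d/nftables.ip.nat.conf"

# /etc/nft.conf.d/main.conf
# One include line per set file; include does not take wildcards.
include "/etc/nft.conf.d/sets.d/trusted_ips.conf"

# /etc/nft.conf.d/sets.d/trusted_ips.conf
# Rendered by the service-discovery tool (e.g. Consul Template) whenever the
# list of trusted hosts changes. It is self-contained, so the renderer can
# reload only this file with "nft -f" after writing it. "add set" is a no-op
# if the set already exists and "flush set" drops stale members, so repeated
# reloads are idempotent. Addresses below are constructed sample values.
add set ip filter trusted_ips { type ipv4_addr; flags interval; }
flush set ip filter trusted_ips
add element ip filter trusted_ips { 192.0.2.0/24, 198.51.100.7 }

# /etc/nft.conf.d/nftables.ip.filter.conf
# "add chain" then "flush chain" gives the same reload-safe behaviour for rules.
add chain ip filter input { type filter hook input priority 0; policy drop; }
flush chain ip filter input
add rule ip filter input iifname "lo" accept
add rule ip filter input ct state established,related accept
add rule ip filter input ct state invalid drop
# Only hosts in the dynamically managed set reach SSH and the Consul HTTP API.
add rule ip filter input ip saddr @trusted_ips tcp dport { 22, 8500 } accept
add rule ip filter input icmp type echo-request accept

# /etc/nft.conf.d/nftables.ip.nat.conf
# The interface name is a constructed sample value.
add chain ip nat postrouting { type nat hook postrouting priority 100; }
flush chain ip nat postrouting
add rule ip nat postrouting oifname "eth0" masquerade
```

Before applying a freshly rendered set file in production, `nft -c -f /etc/nft.conf.d/sets.d/trusted_ips.conf` checks its syntax without touching the live ruleset.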