Using configuration management systems

From nftables wiki
Revision as of 17:41, 30 July 2019 by Arturo (talk | contribs) (introduce ansible section)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This page shows a basic example on how to integrate nftables scripting capabilities with configuration management systems (like puppet, ansible, chef, salt and others).

The basic approach is to have a central point where we deploy nftables, with a ruleset layout that allows other files to be deployed and loaded atomically by nftables. Other components (modules, or profiles, or whatever) then deploy specific rules or other configuration as required.

puppet

For the sake of the example this page uses puppet as reference, but the same concepts and mechanism could be applied to others.

NOTE: if you copy-paste this example make sure you adapt it to your environment. This code below is an example and hasn't been tested at all.

a base puppet module

A file like named this: modules/nftables/manifest/init.pp

class nftables(
) {
    # install the package
    package { 'nftables':
        ensure => 'present',
    }

    # create a directory to hold the nftables config
    file { '/etc/nftables/':
        ensure => 'directory',
    }

    # deploy the basic configuration file, i.e, the basic nftables ruleset skeleton
    file { '/etc/nftables/ruleset.nft':
        ensure  => 'present',
        source  => 'puppet:///modules/nftables/nftables.nft',
    }
 
    # ensure nftables systemd service is running (at boot time, etc)
    service { 'nftables':
        ensure => 'running',
    }
}

We are installing this file (a file like: modules/nftables/files/nftables.nft)

#!/usr/sbin/nft -f

flush ruleset

# create the basic ruleset skeleton
add table inet filter
add set inet filter allowed_ports { type inet_service ; }
add chain inet filter input { type filter hook input priority filter ; policy drop ; }
add rule inet filter input iif lo counter accept
add rule inet filter input ct state established,related counter accept
add rule inet filter input tcp dport @allowed_ports accept
add rule inet filter input counter

# include all the other files that may be deployed by puppet
include "/etc/nftables/*puppet.nft"

a module to introduce nftables config

This module is responsible for injecting into the system the new nftables config. A file named like : modules/nftables/manifest/rule.pp

define nftables::rule(
    String $rule,
) {
   require ::nftables

   file { "/etc/nftables/${name}_puppet.nft":
       ensure  => 'present',
       content => $rule,
       notify  => Service['nftables'],
   }
}

other modules adding nftables configuration

In this example, we have an apache module that creates some additional rules and configuration for nftables.

This is a file named like this: modules/apache/manifest/config.pp

class ::apache::config(
) {
    package { 'apache':
        ensure => 'present',
    }

    nftables::rule { 'apache_port_80':
        rule => 'add element inet filter allowed_ports { 80 }',
    }
}

ansible

Check some examples on how people are using nftables with ansible: