Management of nftables

This is an nftables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.

httpd:
  nftables.append:
    - table: filter
    - chain: input
    - jump: accept
    - match: state
    - connstate: new
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.append:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.insert:
    - position: 1
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

httpd:
  nftables.delete:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True

output:
  nftables.chain_present:
    - family: ip
    - table: filter

output:
  nftables.chain_absent:
    - family: ip
    - table: filter

salt.states.nftables.append(name, family='ipv4', **kwargs)

New in version 0.17.0.

Append a rule to a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Network family, ipv4 or ipv6.

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

salt.states.nftables.chain_absent(name, table='filter', family='ipv4')

New in version 2014.7.0.

Verify the chain is absent.

family

Networking family, either ipv4 or ipv6

salt.states.nftables.chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4')

New in version 2014.7.0.

Verify the chain is exist.

name

A user-defined chain name.

table

The table to own the chain.

family

Networking family, either ipv4 or ipv6

salt.states.nftables.delete(name, family='ipv4', **kwargs)

New in version 2014.7.0.

Delete a rule to a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Networking family, either ipv4 or ipv6

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

salt.states.nftables.flush(name, family='ipv4', **kwargs)

New in version 2014.7.0.

Flush current nftables state

family

Networking family, either ipv4 or ipv6

salt.states.nftables.insert(name, family='ipv4', **kwargs)

New in version 2014.7.0.

Insert a rule into a chain

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

family

Networking family, either ipv4 or ipv6

All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).