salt.modules.nftables

Support for nftables

salt.modules.nftables.append(table=u'filter', chain=None, rule=None, family=u'ipv4')

Append a rule to the specified table & chain.

This function accepts a rule in a standard nftables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.append filter input \
    rule='input tcp dport 22 log accept'

IPv6:
salt '*' nftables.append filter input \
    rule='input tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.build_rule(table=None, chain=None, command=None, position=u'', full=None, family=u'ipv4', **kwargs)

Build a well-formatted nftables rule based on kwargs. A table and chain are not required, unless full is True.

If full is True, then table, chain and command are required. command may be specified as either insert, append, or delete. This will return the nftables command, exactly as it would be used from the command line.

If a position is required (as with insert or delete), it may be specified as position. This will only be useful if full is True.

If connstate is passed in, it will automatically be changed to state.

CLI Examples:

salt '*' nftables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT
salt '*' nftables.build_rule filter input command=insert position=3 \
    full=True match=state state=related,established jump=accept

IPv6:
salt '*' nftables.build_rule match=state \
    connstate=related,established jump=accept \
    family=ipv6
salt '*' nftables.build_rule filter input command=insert position=3 \
    full=True match=state state=related,established jump=accept \
    family=ipv6
salt.modules.nftables.check(table=u'filter', chain=None, rule=None, family=u'ipv4')

Check for the existence of a rule in the table and chain

This function accepts a rule in a standard nftables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.check filter input \
    rule='input tcp dport 22 log accept'

IPv6:
salt '*' nftables.check filter input \
    rule='input tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.check_chain(table=u'filter', chain=None, family=u'ipv4')

New in version 2014.7.0.

Check for the existence of a chain in the table

CLI Example:

salt '*' nftables.check_chain filter input

IPv6:
salt '*' nftables.check_chain filter input family=ipv6
salt.modules.nftables.check_table(table=None, family=u'ipv4')

Check for the existence of a table

CLI Example:

salt '*' nftables.check_table nat
salt.modules.nftables.delete(table, chain=None, position=None, rule=None, family=u'ipv4')
Delete a rule from the specified table & chain, specifying either the rule
in its entirety, or the rule's position in the chain.
This function accepts a rule in a standard nftables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Examples:

salt '*' nftables.delete filter input position=3

salt '*' nftables.delete filter input \
    rule='input tcp dport 22 log accept'

IPv6:
salt '*' nftables.delete filter input position=3 family=ipv6

salt '*' nftables.delete filter input \
    rule='input tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.delete_chain(table=u'filter', chain=None, family=u'ipv4')

New in version 2014.7.0.

Delete the chain from the specified table.

CLI Example:

salt '*' nftables.delete_chain filter input

salt '*' nftables.delete_chain filter foo

IPv6:
salt '*' nftables.delete_chain filter input family=ipv6

salt '*' nftables.delete_chain filter foo family=ipv6
salt.modules.nftables.delete_table(table, family=u'ipv4')

New in version 2014.7.0.

Create new custom table.

CLI Example:

salt '*' nftables.delete_table filter

IPv6:
salt '*' nftables.delete_table filter family=ipv6
salt.modules.nftables.flush(table=u'filter', chain=u'', family=u'ipv4')

Flush the chain in the specified table, flush all chains in the specified table if chain is not specified.

CLI Example:

salt '*' nftables.flush filter

salt '*' nftables.flush filter input

IPv6:
salt '*' nftables.flush filter input family=ipv6
salt.modules.nftables.get_rule_handle(table=u'filter', chain=None, rule=None, family=u'ipv4')

Get the handle for a particular rule

This function accepts a rule in a standard nftables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.get_rule_handle filter input \
    rule='input tcp dport 22 log accept'

IPv6:
salt '*' nftables.get_rule_handle filter input \
    rule='input tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.get_rules(family=u'ipv4')

Return a data structure of the current, in-memory rules

CLI Example:

salt '*' nftables.get_rules

salt '*' nftables.get_rules family=ipv6
salt.modules.nftables.get_saved_rules(conf_file=None, family=u'ipv4')

Return a data structure of the rules in the conf file

CLI Example:

salt '*' nftables.get_saved_rules
salt.modules.nftables.insert(table=u'filter', chain=None, position=None, rule=None, family=u'ipv4')

Insert a rule into the specified table & chain, at the specified position.

If position is not specified, rule will be inserted in first position.

This function accepts a rule in a standard nftables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Examples:

salt '*' nftables.insert filter input \
    rule='input tcp dport 22 log accept'

salt '*' nftables.insert filter input position=3 \
    rule='input tcp dport 22 log accept'

IPv6:
salt '*' nftables.insert filter input \
    rule='input tcp dport 22 log accept' \
    family=ipv6

salt '*' nftables.insert filter input position=3 \
    rule='input tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.new_chain(table=u'filter', chain=None, table_type=None, hook=None, priority=None, family=u'ipv4')

New in version 2014.7.0.

Create new chain to the specified table.

CLI Example:

salt '*' nftables.new_chain filter input

salt '*' nftables.new_chain filter input \
        table_type=filter hook=input priority=0

salt '*' nftables.new_chain filter foo

IPv6:
salt '*' nftables.new_chain filter input family=ipv6

salt '*' nftables.new_chain filter input \
        table_type=filter hook=input priority=0 family=ipv6

salt '*' nftables.new_chain filter foo family=ipv6
salt.modules.nftables.new_table(table, family=u'ipv4')

New in version 2014.7.0.

Create new custom table.

CLI Example:

salt '*' nftables.new_table filter

IPv6:
salt '*' nftables.new_table filter family=ipv6
salt.modules.nftables.save(filename=None, family=u'ipv4')

Save the current in-memory rules to disk

CLI Example:

salt '*' nftables.save /etc/nftables
salt.modules.nftables.version()

Return version from nftables --version

CLI Example:

salt '*' nftables.version