salt.modules.nftables

Support for nftables

salt.modules.nftables.append(table='filter', chain=None, rule=None, family='ipv4')

Append a rule to the specified table & chain.

This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.append filter input \
    rule='tcp dport 22 log accept'

IPv6:
salt '*' nftables.append filter input \
    rule='tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.build_rule(table=None, chain=None, command=None, position='', full=None, family='ipv4', **kwargs)

Build a well-formatted nftables rule based on kwargs. A table and chain are not required, unless full is True.

If full is True, then table, chain and command are required. command may be specified as either insert, append, or delete. This will return the nftables command, exactly as it would be used from the command line.

If a position is required (as with insert or delete), it may be specified as position. This will only be useful if full is True.

If connstate is passed in, it will automatically be changed to state.

CLI Examples:

salt '*' nftables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT
salt '*' nftables.build_rule filter input command=insert position=3 \
    full=True match=state state=related,established jump=accept

IPv6:
salt '*' nftables.build_rule match=state \
    connstate=related,established jump=accept \
    family=ipv6
salt '*' nftables.build_rule filter input command=insert position=3 \
    full=True match=state state=related,established jump=accept \
    family=ipv6
salt.modules.nftables.check(table='filter', chain=None, rule=None, family='ipv4')

Check for the existence of a rule in the table and chain

This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.check filter input \
    rule='tcp dport 22 log accept'

IPv6:
salt '*' nftables.check filter input \
    rule='tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.check_chain(table='filter', chain=None, family='ipv4')

New in version 2014.7.0.

Check for the existence of a chain in the table

CLI Example:

salt '*' nftables.check_chain filter input

IPv6:
salt '*' nftables.check_chain filter input family=ipv6
salt.modules.nftables.check_table(table=None, family='ipv4')

Check for the existence of a table

CLI Example:

salt '*' nftables.check_table nat
salt.modules.nftables.delete(table, chain=None, position=None, rule=None, family='ipv4')

Delete a rule from the specified table & chain, specifying either the rule in its entirety, or the rule's position in the chain.

This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Examples:

salt '*' nftables.delete filter input position=3

salt '*' nftables.delete filter input \
    rule='tcp dport 22 log accept'

IPv6:
salt '*' nftables.delete filter input position=3 family=ipv6

salt '*' nftables.delete filter input \
    rule='tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.delete_chain(table='filter', chain=None, family='ipv4')

New in version 2014.7.0.

Delete the chain from the specified table.

CLI Example:

salt '*' nftables.delete_chain filter input

salt '*' nftables.delete_chain filter foo

IPv6:
salt '*' nftables.delete_chain filter input family=ipv6

salt '*' nftables.delete_chain filter foo family=ipv6
salt.modules.nftables.delete_table(table, family='ipv4')

New in version 2014.7.0.

Delete the specified table.

CLI Example:

salt '*' nftables.delete_table filter

IPv6:
salt '*' nftables.delete_table filter family=ipv6
salt.modules.nftables.flush(table='filter', chain='', family='ipv4')

Flush the chain in the specified table; if chain is not specified, flush all chains in that table.

CLI Example:

salt '*' nftables.flush filter

salt '*' nftables.flush filter input

IPv6:
salt '*' nftables.flush filter input family=ipv6
salt.modules.nftables.get_policy(table='filter', chain=None, family='ipv4')

New in version 3002.

Return the current policy for the specified table/chain

table

Name of the table containing the chain to check

chain

Name of the chain to get the policy for

family

Networking family, either ipv4 or ipv6

CLI Example:

salt '*' nftables.get_policy filter input

IPv6:
salt '*' nftables.get_policy filter input family=ipv6
salt.modules.nftables.get_rule_handle(table='filter', chain=None, rule=None, family='ipv4')

Get the handle for a particular rule

This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' nftables.get_rule_handle filter input \
    rule='tcp dport 22 log accept'

IPv6:
salt '*' nftables.get_rule_handle filter input \
    rule='tcp dport 22 log accept' \
    family=ipv6
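The following is an added example, not code from the Salt project. check, get_policy and get_rule_handle all come down to reading the current ruleset back from nft and matching against it; this constructed Python shows that logic over an embedded sample of `nft -a list chain` output (the `-a` flag is what makes nft print the `# handle N` annotations). The sample listings and the function signatures here are assumptions for the example; the real module runs nft on the minion rather than taking a string.

```python
import re

# Constructed sample of `nft -a list chain ip filter input` output (not captured
# from a real host).
SAMPLE_BASE_CHAIN = """\
table ip filter { # handle 1
    chain input { # handle 2
        type filter hook input priority 0; policy drop;
        ct state established,related accept # handle 4
        iifname "lo" accept # handle 5
        tcp dport 22 log accept # handle 7
    }
}
"""

# A regular (non-base) chain has no 'type ... hook ...' line and therefore no policy.
SAMPLE_REGULAR_CHAIN = """\
table ip filter { # handle 1
    chain foo { # handle 3
        tcp dport 8080 accept # handle 9
    }
}
"""

# Rule text followed by nft's handle annotation
RULE_RE = re.compile(r"^(?P<rule>.*?)\s*#\s*handle\s+(?P<handle>\d+)$")
# Base-chain header; priority may be numeric or a name such as 'filter' on newer nft
BASE_RE = re.compile(
    r"^type\s+(?P<type>\w+)\s+hook\s+(?P<hook>\w+)\s+priority\s+(?P<priority>[\w-]+);"
    r"(?:\s*policy\s+(?P<policy>\w+);)?"
)


def parse_chain(listing):
    """Parse one chain listing into its base-chain header (if any) and (handle, rule) pairs."""
    info = {"base": None, "policy": None, "rules": []}
    for raw in listing.splitlines():
        line = raw.strip()
        # table/chain braces carry handles too, but they are not rules
        if not line or line.startswith(("table ", "chain ", "}")):
            continue
        base = BASE_RE.match(line)
        if base:
            info["base"] = {k: base.group(k) for k in ("type", "hook", "priority")}
            info["policy"] = base.group("policy")
            continue
        rule = RULE_RE.match(line)
        if rule:
            info["rules"].append((int(rule.group("handle")), rule.group("rule")))
    return info


def get_rule_handle(listing, rule):
    """Handle of the first rule whose text equals `rule`, or None if it is absent."""
    wanted = " ".join(rule.split())
    for handle, text in parse_chain(listing)["rules"]:
        if text == wanted:
            return handle
    return None


def check(listing, rule):
    """True when the rule is present in the chain listing."""
    return get_rule_handle(listing, rule) is not None


def get_policy(listing):
    """Policy of a base chain; None for a regular chain, which has no policy to get or set."""
    return parse_chain(listing)["policy"]


if __name__ == "__main__":
    print(get_rule_handle(SAMPLE_BASE_CHAIN, "tcp dport 22 log accept"))
    print(get_policy(SAMPLE_BASE_CHAIN), get_policy(SAMPLE_REGULAR_CHAIN))
```

Two points this makes visible. First, nft prints rules in its own canonical spelling (the sample lists `ct state established,related`), so an exact-text comparison like the one above only finds a rule that was written the way nft prints it; when a check unexpectedly reports a rule as missing, list the chain and compare against that spelling. Second, only a base chain has a `type ... hook ...` header and a policy, which is why get_policy returns None for the regular chain and why set_policy is documented as working only on chains with an existing base chain.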
salt.modules.nftables.get_rules(family='ipv4')

Return a data structure of the current, in-memory rules

CLI Example:

salt '*' nftables.get_rules

salt '*' nftables.get_rules family=ipv6
salt.modules.nftables.get_rules_json(family='ipv4')

New in version 3002.

Return a list of dictionaries comprising the current, in-memory rules

family

Networking family, either ipv4 or ipv6

CLI Example:

salt '*' nftables.get_rules_json

salt '*' nftables.get_rules_json family=ipv6
salt.modules.nftables.get_saved_rules(conf_file=None)

Return a data structure of the rules in the conf file

CLI Example:

salt '*' nftables.get_saved_rules
salt.modules.nftables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4')

Insert a rule into the specified table & chain, at the specified position.

If position is not specified, the rule is inserted at the first position.

This function accepts a rule in a standard nftables command format, starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Examples:

salt '*' nftables.insert filter input \
    rule='tcp dport 22 log accept'

salt '*' nftables.insert filter input position=3 \
    rule='tcp dport 22 log accept'

IPv6:
salt '*' nftables.insert filter input \
    rule='tcp dport 22 log accept' \
    family=ipv6

salt '*' nftables.insert filter input position=3 \
    rule='tcp dport 22 log accept' \
    family=ipv6
salt.modules.nftables.list_tables(family='ipv4')

Return a data structure of the current, in-memory tables

CLI Example:

salt '*' nftables.list_tables

salt '*' nftables.list_tables family=ipv6
salt.modules.nftables.new_chain(table='filter', chain=None, table_type=None, hook=None, priority=None, family='ipv4')

New in version 2014.7.0.

Create a new chain in the specified table.

CLI Example:

salt '*' nftables.new_chain filter input

salt '*' nftables.new_chain filter input \
        table_type=filter hook=input priority=0

salt '*' nftables.new_chain filter foo

IPv6:
salt '*' nftables.new_chain filter input family=ipv6

salt '*' nftables.new_chain filter input \
        table_type=filter hook=input priority=0 family=ipv6

salt '*' nftables.new_chain filter foo family=ipv6
salt.modules.nftables.new_table(table, family='ipv4')

New in version 2014.7.0.

Create new custom table.

CLI Example:

salt '*' nftables.new_table filter

IPv6:
salt '*' nftables.new_table filter family=ipv6
salt.modules.nftables.save(filename=None, family='ipv4')

Changed in version 3002.

Save the current in-memory rules to disk. On systems where /etc/nftables is a directory, a file named salt-all-in-one.nft will be dropped inside by default. The main nftables configuration will need to include this file.

CLI Example:

salt '*' nftables.save /etc/nftables
salt.modules.nftables.set_policy(table='filter', chain=None, policy=None, family='ipv4')

New in version 3002.

Set the current policy for the specified table/chain. This only works on chains with an existing base chain.

table

Name of the table containing the chain to modify

chain

Name of the chain to set the policy for

policy

accept or drop

family

Networking family, either ipv4 or ipv6

CLI Example:

salt '*' nftables.set_policy filter input accept

IPv6:
salt '*' nftables.set_policy filter input accept family=ipv6
salt.modules.nftables.version()

Return version from nftables --version

CLI Example:

salt '*' nftables.version