Manage nftables with Salt.
See the full SaltStack Formulas installation and usage instructions.
If you are interested in writing or contributing to formulas, please pay attention to the Writing Formula Section.
If you want to use this formula, please pay attention to the FORMULA file and/or git tag, which contains the currently released version. This formula is versioned according to Semantic Versioning. See Formula Versioning Section for more details.
If you need (non-default) configuration, please refer to:
- how to configure the formula with map.jinja
- the pillar.example file
- the Special notes section
An example pillar is provided, please see pillar.example. Note that you do not need to specify everything by pillar. Often, it's much easier and less resource-heavy to use the parameters/<grain>/<value>.yaml files for non-sensitive settings. The underlying logic is explained in map.jinja.
The following states are found in this formula:
- nftables: Meta-state. This installs the nftables package, manages the nftables configuration file and then starts the associated nftables service.
- nftables.package: Installs the nftables package only.
- nftables.config: Manages the nftables service configuration. Has a dependency on nftables.package.
- nftables.service: Starts the nftables service and enables it at boot time. Has a dependency on nftables.config.
- nftables.clean: Meta-state. Undoes everything performed in the nftables meta-state in reverse order, i.e. stops the service, removes the configuration file and then uninstalls the package.
- nftables.package.clean: Removes the nftables package. Has a dependency on nftables.config.clean.
- nftables.config.clean: Removes the configuration of the nftables service and has a dependency on nftables.service.clean.
- nftables.service.clean: Stops the nftables service and disables it at boot time.
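As an added illustration (not the formula's own state files), the following shows the kind of package/config/service chain the states above correspond to, written as a stand-alone SLS. The state IDs, the /etc/nftables.conf path and the embedded ruleset are assumptions; the point is the check_cmd, which makes nft parse the new ruleset before Salt replaces the live file, so a syntax error never leaves the host with no firewall.

```yaml
# Added example, not part of the nftables-formula: a minimal chain of states
# that installs nftables, manages its configuration and (re)loads the service.
nftables_package:
  pkg.installed:
    - name: nftables

nftables_config:
  file.managed:
    - name: /etc/nftables.conf
    - user: root
    - group: root
    - mode: '0600'
    - require:
      - pkg: nftables_package
    # Salt appends the path of the temporary file to check_cmd; nft -c parses
    # the ruleset without loading it, so a broken file never replaces the live one.
    - check_cmd: nft -c -f
    - contents: |
        #!/usr/sbin/nft -f
        flush ruleset
        table inet filter {
          chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept
            iif lo accept
            ct state invalid drop
            meta l4proto { icmp, ipv6-icmp } accept
            tcp dport 22 accept
          }
          chain forward { type filter hook forward priority 0; policy drop; }
          chain output  { type filter hook output  priority 0; policy accept; }
        }

nftables_service:
  service.running:
    - name: nftables
    - enable: True
    # reload rather than restart: the unit's reload re-runs nft -f on the file,
    # so established connections are not dropped when the ruleset changes.
    - reload: True
    - watch:
      - file: nftables_config
```

Apply it with `salt-call state.apply` (or `state.apply test=True` first) on a minion to see the check_cmd reject a deliberately malformed ruleset before anything is written.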
Commit message formatting is significant!
Please see How to contribute for more details.
pre-commit is configured for this formula, which you may optionally use to ease the steps involved in submitting your changes.
First install the pre-commit package manager using the appropriate method, then run bin/install-hooks and now pre-commit will run automatically on each git commit.

$ bin/install-hooks
pre-commit installed at .git/hooks/pre-commit
pre-commit installed at .git/hooks/commit-msg
There is a script that semi-autodocuments available states: bin/slsdoc.

If a .sls file begins with a Jinja comment, it will dump that into the docs. It can be configured differently depending on the formula. Currently, see the script source code for details.

This means if you feel a state should be documented, make sure to write a comment explaining it.
Linux testing is done with kitchen-salt.

Requirements:
- Ruby
- Docker

$ gem install bundler
$ bundle install
$ bin/kitchen test [platform]

Where [platform] is the platform name defined in kitchen.yml, e.g. debian-9-2019-2-py3.

- bin/kitchen converge: Creates the docker instance and runs the nftables main state, ready for testing.
- bin/kitchen verify: Runs the inspec tests on the actual instance.
- bin/kitchen destroy: Removes the docker instance.
- bin/kitchen test: Runs all of the stages above in one go: i.e. destroy + converge + verify + destroy.
- bin/kitchen login: Gives you SSH access to the instance for manual testing.
- https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
- https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
- https://wiki.archlinux.org/title/nftables
- https://github.com/ipr-cnrs/nftables
- https://github.com/ansibleguy/infra_nftables
- https://wiki.gentoo.org/wiki/Nftables/Examples
- https://alexforsale.github.io/posts/nftables.html
- https://paulgorman.org/technical/linux-nftables.txt.html
- https://stosb.com/blog/explaining-my-configs-nftables/
- https://cryptsus.com/blog/setting-up-nftables-firewall.html
- https://dataswamp.org/~solene/2023-02-06-nftables.html
- https://pablotron.org/articles/nftables-examples/
- https://gitlab.com/postmarketOS/pmaports/-/tree/master/main/postmarketos-config-nftables/rules
- https://wiki.codeemo.com/secure/nftables.html
- https://www.going-flying.com/blog/nftables-vs-firewalld.html