From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mario V Guenzi <jclark@tiscali.it>
Cc: Netfilter list <netfilter@vger.kernel.org>
Subject: Re: Grammar in a bash script
Date: Mon, 17 Aug 2020 10:56:58 +0200
Message-ID: <20200817085658.GA3677@salvia>
In-Reply-To: <74c7c496-2429-8646-6c1a-9454169498ac@tiscali.it>
Hi,
On Mon, Aug 17, 2020 at 07:55:32AM +0200, Mario V Guenzi wrote:
> Good morning everyone,
> Does it make sense to use this kind of grammar in a bash script?
Please, don't do bash scripting, use native scripting instead for
nftables. Bash scripting breaks atomicity when applying the ruleset.
You have to remove $NFT from your example below and use 'nft -f ruleset.nft'
> $NFT add table inet firewall
> $NFT add table inet nat
> $NFT add table netdev noddos
>
> $NFT add chain inet firewall INPUT { type filter hook input priority 0 \; }
> $NFT add chain inet firewall OUTPUT { type filter hook output priority 0 \; }
> $NFT add chain inet firewall FORWARD { type filter hook forward priority 0 \; }
> $NFT add chain inet firewall IPS { type filter hook forward priority 10 \; }
> $NFT add chain inet firewall POSTROUTING { type filter hook postrouting priority 0 \; }
> $NFT add chain inet firewall SYN-FLOOD { type filter hook input priority 0 \; }
> $NFT -- add chain inet nat PREROUTING { type nat hook prerouting priority -100 \; }
> $NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; }
> $NFT add chain inet nat POSTROUTING { type nat hook postrouting priority 100 \; }
> $NFT -- add chain netdev noddos ingress { type filter hook ingress device $EXTIF priority -500 \; }
>
> my rules
> my rules
> my rules
> .
> .
> .
> $NFT add chain inet firewall INPUT { type filter hook input priority 0 \; policy drop \; }
> $NFT add chain inet firewall OUTPUT { type filter hook output priority 0 \; policy drop \; }
> $NFT add chain inet firewall FORWARD { type filter hook forward priority 0 \; policy drop \; }
> $NFT -- add chain inet nat PREROUTING { type nat hook prerouting priority -100 \; policy drop \; }
> $NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; policy drop \; }
>
> The reasoning I have followed, and for which I ask confirmation, is this:
> after having allowed what I need, I deny everything as a policy.
You can set default policy to drop when defining the chain (in the
same go), no need to call it twice. My suggestion for your ruleset is
to place this in ruleset.nft:
add table inet firewall
add table inet nat
add table netdev noddos
add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
...
my rules
my rules
my rules
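A complete ruleset.nft of the kind Pablo describes, as an added example that is neither his text nor the poster's script. It assumes eth0 as the external interface (a placeholder) and substitutes a few illustrative accept/drop rules for the poster's "my rules". The nested `table { chain { ... } }` form is equivalent to the flat `add chain` lines above; because the file is parsed by nft rather than a shell, no `--` is needed before a negative priority, chain policies are declared inline, and `nft -f` commits the whole file in a single transaction, which is the atomicity point made in the reply.

```nft
#!/usr/sbin/nft -f
# ruleset.nft: added example, not the original poster's script.
# Load atomically with:         nft -f ruleset.nft
# Syntax-check without applying: nft -c -f ruleset.nft

# Start from an empty ruleset so a reload replaces, rather than appends to,
# the previous rules. The flush and everything below commit together.
flush ruleset

# Assumption: eth0 is the external interface (placeholder value).
define EXTIF = eth0

table inet firewall {
    # Default policy is declared with the chain; no second 'add chain' needed.
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # illustrative service rule standing in for "my rules"
        tcp dport 22 accept
    }

    chain OUTPUT {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # illustrative: allow name resolution and web traffic from the host
        udp dport 53 accept
        tcp dport { 80, 443 } accept
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
}

table inet nat {
    # A negative priority needs no '--' here: nothing is parsed by a shell.
    # nat chains are left at their default (accept) policy.
    chain PREROUTING {
        type nat hook prerouting priority -100;
    }

    chain POSTROUTING {
        type nat hook postrouting priority 100;
        oifname $EXTIF masquerade
    }
}

table netdev noddos {
    chain ingress {
        type filter hook ingress device eth0 priority -500;
        # illustrative early drop of packets claiming a loopback source
        ip saddr 127.0.0.0/8 drop
    }
}
```

Running `nft -c -f ruleset.nft` first catches syntax errors before anything touches the live ruleset; if the check passes, `nft -f ruleset.nft` replaces the previous rules in one step, so there is no window in which the chains exist without their policy or rules.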