From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mario Vittorio Guenzi <jclark@tiscali.it>
Cc: Netfilter list <netfilter@vger.kernel.org>
Subject: Re: Grammar in a bash script
Date: Wed, 19 Aug 2020 09:55:02 +0200
Message-ID: <20200819075502.GA3933@salvia>
In-Reply-To: <cbfbba54-0bc0-5076-6009-e6b8c4f0da9d@tiscali.it>
On Tue, Aug 18, 2020 at 12:28:04PM +0200, Mario Vittorio Guenzi wrote:
>
>
> On 18/08/20 12:11, Pablo Neira Ayuso wrote:
> > On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
> >> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
> >>> Hi,
> >>
> >>> You can set the default policy to drop when defining the chain (in the
> >>> same go), no need to call it twice; my suggestion for your ruleset is
> >>> to place this in ruleset.nft:
> >>>
> >>> add table inet firewall
> >>> add table inet nat
> >>> add table netdev noddos
> >>>
> >>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
> >>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
> >>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
> >>> ...
> >>>
> >>> my rules
> >>> my rules
> >>> my rules
> >>>
> >>
> >> First, many thanks.
> >> Another question, given your kindness:
> >> can I use bash only to define my variables, e.g.
> >> EXTIF="eth0"
> >> LAN="192.168.2.0/24"
> >> etc.,
> >> use the variables defined in writing the rules.nft file as per your
> >> example and then write
> >> nft -f /path/rules.nft in my bash script?
> >
> > You can define variables in nftables, e.g.
> >
> > define EXTIF = "eth0"
> >
> > add rule inet firewall INPUT iifname $EXTIF accept
> >
> Again, thank you.
> Yes, I have read about that, but for my convenience I take the IPs with
> a command and do not believe that nft can execute it.
> These are my variables; you can see how I take the IP from the eth interface:
>
> NFT="`whereis -b nft | cut -d \" \" -f 2`"
> EXTIF="eth0" ## world interface
> INTIF="eth1" ## lan interface
> VPNIF="eth0:0"
> LO="lo"
> LO_IP="127.0.0.1"
> LAN="192.168.2.0/23" #our lan
> BCAST="192.168.3.255"
> EXTIP=`ifconfig $EXTIF | awk '$1 == "inet" { print $2 }'`
> INTIP=`ifconfig $INTIF | awk '$1 == "inet" { print $2 }'`
> VPNIP=`ifconfig $VPNIF | awk '$1 == "inet" { print $2 }'`
> CHIMERA="192.168.2.224"
> GRECALE="192.168.2.251"
> PERSEO="192.168.2.240"
> STROMBOLI="192.168.2.232"
> RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8,
> 100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \
> 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15,
> 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5"
> GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100"
I suggest:
1) Add these variables to vars.nft, generating vars.nft via script as it
was suggested.
2) From ruleset.nft, use:
include "vars.nft"
to include your autogenerated variable definitions, so you can keep
your variables and your ruleset in separate files.
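As an added example (not code from the thread, and not Pablo's or the netfilter project's), here is the suggestion above put together end to end: a POSIX shell script that writes vars.nft as nft `define` lines taken from the live interface addresses, and a static ruleset.nft that pulls them in with `include "vars.nft"`. It reads addresses with iproute2's `ip` instead of the thread's `ifconfig` parsing; the script name gen-vars.sh, the OUTDIR location and the interface names are assumptions, and the RESERVED_NET list is a trimmed, constructed sample of the one in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: build vars.nft from the live
# interface addresses and keep the static rules in ruleset.nft, which
# pulls the variables in with `include "vars.nft"`.
# Assumptions: iproute2's `ip` replaces the thread's `ifconfig` parsing;
# OUTDIR, gen-vars.sh and the interface names are placeholders.

OUTDIR="${OUTDIR:-/tmp/nft-example}"
EXTIF="${EXTIF:-eth0}"   # world-facing interface
INTIF="${INTIF:-eth1}"   # LAN interface

# First IPv4 address of an interface, taken from `ip -4 -o addr show dev IFACE`
# output on stdin and stripped of its prefix length. A pure filter, so it can
# be exercised with canned text, without root and without a real interface.
ipv4_from_ip_output() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Address of a real interface; prints nothing if it has no IPv4 address.
iface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | ipv4_from_ip_output
}

# Print the nft `define` lines. Arguments: EXTIF INTIF EXTIP INTIP.
# Interface names are quoted strings in nft; addresses and prefixes are bare.
gen_vars() {
    ext_if=$1; int_if=$2; ext_ip=$3; int_ip=$4
    # An empty value would yield `define EXTIP =`, which nft rejects, so fail
    # here instead of leaving a half-usable vars.nft behind.
    for v in "$ext_if" "$int_if" "$ext_ip" "$int_ip"; do
        [ -n "$v" ] || { echo "gen_vars: empty value, refusing to write" >&2; return 1; }
    done
    cat <<EOF
# generated by gen-vars.sh, do not edit by hand
define EXTIF = "$ext_if"
define INTIF = "$int_if"
define EXTIP = $ext_ip
define INTIP = $int_ip
define LAN = 192.168.2.0/23
# constructed, trimmed sample of the thread's bogon list; an anonymous set works as a define
define RESERVED_NET = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4 }
EOF
}

# The static part of the ruleset. Single-quoted heredoc: the `$VAR` references
# are for nft to expand against vars.nft, not for the shell.
gen_ruleset() {
    cat <<'EOF'
include "vars.nft"

add table inet firewall
add chain inet firewall INPUT   { type filter hook input priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
add chain inet firewall OUTPUT  { type filter hook output priority 0; policy accept; }

add rule inet firewall INPUT iif lo accept
add rule inet firewall INPUT ct state established,related accept
add rule inet firewall INPUT iifname $EXTIF ip saddr $RESERVED_NET drop
add rule inet firewall INPUT iifname $INTIF ip saddr $LAN ip daddr $INTIP accept
EOF
}

# Write both files and, if nft is installed, parse-check them without
# touching the live ruleset (-c). -I makes the include resolve from OUTDIR.
main() {
    mkdir -p "$OUTDIR"
    gen_vars "$EXTIF" "$INTIF" "$(iface_ipv4 "$EXTIF")" "$(iface_ipv4 "$INTIF")" \
        > "$OUTDIR/vars.nft" || exit 1
    gen_ruleset > "$OUTDIR/ruleset.nft"
    if command -v nft >/dev/null 2>&1; then
        nft -I "$OUTDIR" -c -f "$OUTDIR/ruleset.nft" \
            && echo "ruleset parses; load with: nft -I $OUTDIR -f $OUTDIR/ruleset.nft"
    fi
}

# Only run when invoked as `sh gen-vars.sh run`, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh gen-vars.sh run`; the `-c` step parses both files without loading anything, which is the check to keep in front of a real `nft -f`. Because the ruleset uses `add ...` statements as in the thread, applying it a second time appends duplicate rules; if it will be re-applied, start ruleset.nft with `flush ruleset` (or delete the table first).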