X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/0e74e2f70ceb291199499bcd7aa1828e1908fa65..3ee5c4d242a98a13d89a02ba7998610a20969e0c:/cookbooks/networking/templates/default/nftables.conf.erb

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index d98237d6e..05984ac3e 100644
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -4,8 +4,10 @@
 define external-interfaces = { <%= @interfaces.sort.uniq.join(", ") %> }
 <%- end %>
 
-define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/4 }
-define ip6-private-addresses = { 2001:db8::/32, fc00::/7, ff00::/8 }
+define ip-private-addresses = { 0.0.0.0, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16 }
+define ip-multicast-addresses = { 224.0.0.0/4 }
+define ip6-private-addresses = { 2001:db8::/32, fc00::/7 }
+define ip6-multicast-addresses = { ff00::/8 }
 
 table inet chef-filter {
   set ip-osm-addresses {
@@ -24,12 +26,12 @@ table inet chef-filter {
 
   set ip-blocklist {
     type ipv4_addr
-    flags dynamic
+    flags interval
   }
 
   set ip6-blocklist {
     type ipv6_addr
-    flags dynamic
+    flags interval
   }
 
   set ratelimit-icmp-echo-ip {
@@ -57,6 +59,13 @@ table inet chef-filter {
 <%- end %>
   }
 
+<%- end %>
+
+<%- node[:networking][:firewall][:helpers].each do |helper| %>
+  ct helper <%= helper[:name] %> {
+    type "<%= helper[:helper] %>" protocol <%= helper[:protocol] %>
+  }
+
 <%- end %>
   chain log-and-drop {
     limit rate 1/second log
@@ -70,18 +79,15 @@ table inet chef-filter {
 
   chain incoming {
 <%- if node[:networking][:firewall][:allowlist].empty? %>
-    ip saddr { $ip-private-addresses } jump log-and-drop
+    ip saddr { $ip-private-addresses, $ip-multicast-addresses } jump log-and-drop
 <%- else %>
-    ip saddr { $ip-private-addresses } ip saddr != { <%= node[:networking][:firewall][:allowlist].sort.join(", ") %> } jump log-and-drop
+    ip saddr { $ip-private-addresses, $ip-multicast-addresses } ip saddr != { <%= node[:networking][:firewall][:allowlist].sort.join(", ") %> } jump log-and-drop
 <%- end %>
-    ip6 saddr { $ip6-private-addresses } jump log-and-drop
+    ip6 saddr { $ip6-private-addresses, $ip6-multicast-addresses } jump log-and-drop
 
     ip saddr @ip-blocklist jump log-and-drop
     ip6 saddr @ip6-blocklist jump log-and-drop
 
-    ct state { established, related } accept
-
-    icmp type { destination-unreachable } accept
     icmp type { echo-request } update @ratelimit-icmp-echo-ip { ip saddr limit rate 1/second } accept
     icmp type { echo-request } drop
 
@@ -89,6 +95,8 @@ table inet chef-filter {
     icmpv6 type { echo-request } update @ratelimit-icmp-echo-ip6 { ip6 saddr limit rate 1/second } accept
     icmpv6 type { echo-request } drop
 
+    ct state { established, related } accept
+
     meta l4proto { icmp, icmpv6 } jump log-and-drop
 
     tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg jump log-and-drop