Rework nftables Generation using anonymous chains for multi service matching

2025-09-13 15:19:08 +00:00 · 2023-05-07 02:33:14 +02:00 · 2023-05-07 02:33:14 +02:00 · 9c1114e189
commit 9c1114e189
parent e2aad5ec97
9 changed files with 102 additions and 67 deletions
--- a/internal/nftables/template/addresses.tmpl
+++ b/internal/nftables/template/addresses.tmpl
--- a/internal/nftables/template/destination_nat_rules.tmpl
+++ b/internal/nftables/template/destination_nat_rules.tmpl
@ -1,2 +0,0 @@
-{{ range $rule := .Firewall.DestinationNATRules }}
-        {{ matcher $.Object.Services $.Object.Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}
--- a/internal/nftables/template/forward_rules.tmpl
+++ b/internal/nftables/template/forward_rules.tmpl
@ -1,2 +0,0 @@
-{{range $rule := .Firewall.ForwardRules}}
-        {{ matcher $.Object.Services $.Object.Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }} {{ $rule.Verdict.String }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}
--- a/internal/nftables/template/inbound_rules.tmpl
+++ b/internal/nftables/template/inbound_rules.tmpl
@ -1 +0,0 @@
-counter accept comment "temp inbound allow"
--- a/internal/nftables/template/nftables.tmpl
+++ b/internal/nftables/template/nftables.tmpl
@ -2,12 +2,36 @@

 flush ruleset

-# Address object ipsets
-{{template "addresses.tmpl" .}}
-
 # nfsense nftables inet (ipv4 + ipv6) table
 table inet nfsense_inet {

+    # Rule Counters for Forward Rules
+    {{- range $i, $rule := $.Firewall.ForwardRules }}
+    {{- if $rule.Counter }}
+    counter fw_{{ $i }} {
+        comment "{{ $rule.Name }}"
+    }
+    {{- end}}
+    {{- end}}
+
+    # Rule Counters for Destination NAT Rules
+    {{- range $i, $rule := $.Firewall.DestinationNATRules }}
+    {{- if $rule.Counter }}
+    counter dnat_{{ $i }} {
+        comment "{{ $rule.Name }}"
+    }
+    {{- end}}
+    {{- end}}
+
+    # Rule Counters for Source NAT Rules
+    {{- range $i, $rule := $.Firewall.SourceNATRules }}
+    {{- if $rule.Counter }}
+    counter snat_{{ $i }} {
+        comment "{{ $rule.Name }}"
+    }
+    {{- end}}
+    {{- end}}
+
    # Inbound Rules
    chain inbound {
        type filter hook input priority 0; policy drop;
@ -15,9 +39,11 @@ table inet nfsense_inet {
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

-        # allow loopback traffic
+        # Allow loopback traffic
        iifname lo accept
-        {{template "inbound_rules.tmpl" .}}
+        
+        # temp Allow Inbound traffic
+        counter accept comment "temp inbound allow"
    }

    # Forward Rules
@ -26,19 +52,46 @@ table inet nfsense_inet {

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
-        {{template "forward_rules.tmpl" .}}
+
+        # Generated Forward Rules
+        {{- range $i, $rule := $.Firewall.ForwardRules }}
+        {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
+            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
+            {{- range $service := $baseServices }}
+            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name fw_{{ $i }}{{ end }} {{ $rule.Verdict.String }}
+            {{- end}}
+        }
+        {{- end}}
    }

    # Destination NAT Rules
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
-        {{template "destination_nat_rules.tmpl" .}}
+
+        # Generated Destination NAT Rules
+        {{- range $i, $rule := $.Firewall.DestinationNATRules }}
+            {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
+            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
+            {{- range $service := $baseServices }}
+            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name dnat_{{ $i }}{{ end }} {{ destinationNatAction $ $rule }}
+            {{- end}}
+        }
+        {{- end}}
    }

    # Source NAT Rules
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
-        {{template "source_nat_rules.tmpl" .}}
+
+        # Generated Source NAT Rules
+        {{- range $i, $rule := $.Firewall.SourceNATRules }}
+            {{ addressMatcher $.Object.Addresses $rule.Match }} jump {
+            {{- $baseServices := getBaseServices $.Object.Services $rule.Match.Services }}
+            {{- range $service := $baseServices }}
+            {{ serviceMatcher $service }}{{ if $rule.Counter }} counter name snat_{{ $i }}{{ end }} {{ sourceNatAction $ $rule }}
+            {{- end}}
+        }
+        {{- end}}
    }
 }

--- a/internal/nftables/template/source_nat_rules.tmpl
+++ b/internal/nftables/template/source_nat_rules.tmpl
@ -1,2 +0,0 @@
-{{ range $rule := .Firewall.SourceNATRules }}
-        {{ matcher $.Object.Services $.Object.Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}