Support for nftables

salt.modules.nftables.append(table='filter', chain=None, rule=None, family='ipv4')
Append a rule to the specified table & chain.
CLI Example:
salt '*' nftables.append filter input \
rule='input tcp dport 22 log accept'
IPv6:
salt '*' nftables.append filter input \
rule='input tcp dport 22 log accept' \
family=ipv6

salt.modules.nftables.build_rule(table=None, chain=None, command=None, position='', full=None, family='ipv4', **kwargs)
Build a well-formatted nftables rule based on kwargs. A table and chain are not required, unless full is True.
If full is True, then table, chain and command are required. command may be specified as either insert, append, or delete. This will return the nftables command, exactly as it would be used from the command line.
If a position is required (as with insert or delete), it may be specified as position. This will only be useful if full is True.
If connstate is passed in, it will automatically be changed to state.
CLI Examples:
salt '*' nftables.build_rule match=state \
connstate=RELATED,ESTABLISHED jump=ACCEPT
salt '*' nftables.build_rule filter input command=insert position=3 \
full=True match=state state=related,established jump=accept
IPv6:
salt '*' nftables.build_rule match=state \
connstate=related,established jump=accept \
family=ipv6
salt '*' nftables.build_rule filter input command=insert position=3 \
full=True match=state state=related,established jump=accept \
family=ipv6

salt.modules.nftables.check(table='filter', chain=None, rule=None, family='ipv4')
Check for the existence of a rule in the table and chain.
CLI Example:
salt '*' nftables.check filter input \
rule='input tcp dport 22 log accept'
IPv6:
salt '*' nftables.check filter input \
rule='input tcp dport 22 log accept' \
family=ipv6

salt.modules.nftables.check_chain(table='filter', chain=None, family='ipv4')
New in version 2014.7.0.
Check for the existence of a chain in the table.
CLI Example:
salt '*' nftables.check_chain filter input
IPv6:
salt '*' nftables.check_chain filter input family=ipv6

salt.modules.nftables.check_table(table=None, family='ipv4')
Check for the existence of a table.
CLI Example:
salt '*' nftables.check_table nat

salt.modules.nftables.delete(table, chain=None, position=None, rule=None, family='ipv4')
CLI Examples:
salt '*' nftables.delete filter input position=3
salt '*' nftables.delete filter input \
rule='input tcp dport 22 log accept'
IPv6:
salt '*' nftables.delete filter input position=3 family=ipv6
salt '*' nftables.delete filter input \
rule='input tcp dport 22 log accept' \
family=ipv6

salt.modules.nftables.delete_chain(table='filter', chain=None, family='ipv4')
New in version 2014.7.0.
Delete the chain from the specified table.
CLI Example:
salt '*' nftables.delete_chain filter input
salt '*' nftables.delete_chain filter foo
IPv6:
salt '*' nftables.delete_chain filter input family=ipv6
salt '*' nftables.delete_chain filter foo family=ipv6

salt.modules.nftables.delete_table(table, family='ipv4')
New in version 2014.7.0.
Delete custom table.
CLI Example:
salt '*' nftables.delete_table filter
IPv6:
salt '*' nftables.delete_table filter family=ipv6

salt.modules.nftables.flush(table='filter', chain='', family='ipv4')
Flush the chain in the specified table; flush all chains in the specified table if chain is not specified.
CLI Example:
salt '*' nftables.flush filter
salt '*' nftables.flush filter input
IPv6:
salt '*' nftables.flush filter input family=ipv6

salt.modules.nftables.get_rule_handle(table='filter', chain=None, rule=None, family='ipv4')
Get the handle for a particular rule.
CLI Example:
salt '*' nftables.get_rule_handle filter input \
rule='input tcp dport 22 log accept'
IPv6:
salt '*' nftables.get_rule_handle filter input \
rule='input tcp dport 22 log accept' \
family=ipv6

salt.modules.nftables.get_rules(family='ipv4')
Return a data structure of the current, in-memory rules.
CLI Example:
salt '*' nftables.get_rules
salt '*' nftables.get_rules family=ipv6

salt.modules.nftables.get_saved_rules(conf_file=None, family='ipv4')
Return a data structure of the rules in the conf file.
CLI Example:
salt '*' nftables.get_saved_rules

salt.modules.nftables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4')
Insert a rule into the specified table & chain, at the specified position.
If position is not specified, the rule will be inserted in the first position.
CLI Examples:
salt '*' nftables.insert filter input \
rule='input tcp dport 22 log accept'
salt '*' nftables.insert filter input position=3 \
rule='input tcp dport 22 log accept'
IPv6:
salt '*' nftables.insert filter input \
rule='input tcp dport 22 log accept' \
family=ipv6
salt '*' nftables.insert filter input position=3 \
rule='input tcp dport 22 log accept' \
family=ipv6

salt.modules.nftables.new_chain(table='filter', chain=None, table_type=None, hook=None, priority=None, family='ipv4')
New in version 2014.7.0.
Create a new chain in the specified table.
CLI Example:
salt '*' nftables.new_chain filter input
salt '*' nftables.new_chain filter input \
table_type=filter hook=input priority=0
salt '*' nftables.new_chain filter foo
IPv6:
salt '*' nftables.new_chain filter input family=ipv6
salt '*' nftables.new_chain filter input \
table_type=filter hook=input priority=0 family=ipv6
salt '*' nftables.new_chain filter foo family=ipv6

salt.modules.nftables.new_table(table, family='ipv4')
New in version 2014.7.0.
Create new custom table.
CLI Example:
salt '*' nftables.new_table filter
IPv6:
salt '*' nftables.new_table filter family=ipv6

salt.modules.nftables.save(filename=None, family='ipv4')
Save the current in-memory rules to disk.
CLI Example:
salt '*' nftables.save /etc/nftables

salt.modules.nftables.version()
Return version from nftables --version
CLI Example:
salt '*' nftables.version
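
The check_table, check_chain and check functions can gate new_table, new_chain and append so that a firewall rule is applied idempotently and saved only when something changed. The following is an added example, not code from Salt or from the original page: `call` is a hypothetical callable that runs one execution-module function on a minion, `ensure_rule` and `FakeMinion` are illustrative names, and the return shape (a bool, or a dict with a `result` key) is an assumption.

```python
def _ok(ret):
    # Assumption: a call returns either a bool or a dict with a "result" flag.
    return bool(ret.get("result")) if isinstance(ret, dict) else bool(ret)


def ensure_rule(call, table, chain, rule, family="ipv4", save_to=None, **chain_opts):
    """Create table, chain and rule only where the matching check reports them missing."""
    steps = [  # (check function, create function, positional args, check kwargs, create kwargs)
        ("nftables.check_table", "nftables.new_table", (table,), {}, {}),
        ("nftables.check_chain", "nftables.new_chain", (table, chain), {}, chain_opts),
        ("nftables.check", "nftables.append", (table, chain), {"rule": rule}, {"rule": rule}),
    ]
    changes = []
    for check_fun, create_fun, args, check_kw, create_kw in steps:
        if _ok(call(check_fun, *args, family=family, **check_kw)):
            continue  # already present: leave the running ruleset untouched
        if not _ok(call(create_fun, *args, family=family, **create_kw)):
            raise RuntimeError(f"{create_fun} failed for {args}")
        changes.append(create_fun)
    if changes and save_to:  # persist only when something actually changed
        call("nftables.save", save_to, family=family)
        changes.append("nftables.save")
    return changes


class FakeMinion:
    """Constructed in-memory stand-in for a minion so the example runs offline."""

    def __init__(self):
        self.tables, self.saved = {}, []

    def __call__(self, fun, *args, family="ipv4", **kw):
        name = fun.split(".", 1)[1]
        if name == "save":
            self.saved.append(args[0])
            return True
        key = (family, args[0])
        if name == "check_table":
            return key in self.tables
        if name == "new_table":
            self.tables[key] = {}
            return True
        chains = self.tables[key]
        if name == "check_chain":
            return args[1] in chains
        if name == "new_chain":
            chains[args[1]] = []
            return {"result": True}
        rules = chains[args[1]]
        if name == "check":
            return kw["rule"] in rules
        rules.append(kw["rule"])  # only "append" remains
        return True
```

Because the ipv4 and ipv6 rulesets are separate, the same call has to be repeated with `family="ipv6"` for a rule to cover both.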