salt.states.nftables¶
Management of nftables¶
This is an nftables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.
httpd:
nftables.append:
- table: filter
- chain: input
- jump: accept
- match: state
- connstate: new
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.append:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.insert:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.insert:
- position: 1
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
-
salt.states.nftables.append(name, family='ipv4', **kwargs)¶ 0.17.0 新版功能.
Append a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
-
salt.states.nftables.chain_absent(name, table='filter', family='ipv4')¶ 2014.7.0 新版功能.
Verify the chain is absent.
- family
- Networking family, either ipv4 or ipv6
-
salt.states.nftables.chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4')¶ 2014.7.0 新版功能.
Verify the chain is exist.
- name
- A user-defined chain name.
- table
- The table to own the chain.
- family
- Networking family, either ipv4 or ipv6
-
salt.states.nftables.delete(name, family='ipv4', **kwargs)¶ 2014.7.0 新版功能.
Delete a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
-
salt.states.nftables.flush(name, family='ipv4', **kwargs)¶ 2014.7.0 新版功能.
Flush current nftables state
- family
- Networking family, either ipv4 or ipv6
-
salt.states.nftables.insert(name, family='ipv4', **kwargs)¶ 2014.7.0 新版功能.
Insert a rule into a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for nftables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).
Version 2016.3.0-182-gbed98d8
