NFTables lacks some functionality, that is commonly used in firewalling.
Having variables that hold the IPs of some DNS-record is one of those.
NFTables CAN resolve DNS-records - but will throw an error if the record resolves to more than one IP.. (Error: Hostname resolves to multiple addresses
)
NFTables documentation: docs.o-x-l.com
-
Create directories:
mkdir -p /var/local/lib/nftables_addons /etc/nftables.d/addons/
-
Add the script-files:
-
Add the config file:
/etc/nftables.d/addons/dns.json
-
Optional: Create a service user
- Add sudoers privileges
- Allow to read lib-dir
- Allow to write to addons-config-dir
-
Add cron or systemd-timer to execute the script on a schedule:
python3 /var/local/lib/nftables_addons/dns.py
-
Test it and verify it's working as expected
cat /etc/nftables.d/addons/dns.nft
> # Auto-Generated config - DO NOT EDIT MANUALLY!
>
> define site_github_v4 = { 140.82.121.3, 140.82.121.10 }
> define site_github_v6 = { :: }
> define repo_debian_v4 = { 151.101.86.132 }
> define repo_debian_v6 = { 2a04:4e42:14::644 }
> define ntp_pool_v4 = { 158.43.128.33, 178.62.250.107, 194.58.207.20, 37.252.127.156 }
> define ntp_pool_v6 = { :: }
-
A configuration file needs to be created:
/etc/nftables.d/addons/dns.json
{ "dns": { "site_github": ["github.com", "codeload.github.com"], "repo_debian": "deb.debian.org", "ntp_pool": "europe.pool.ntp.org" } }
Note: If your variable ends in
_1
it will only contain ONE IP address! This can be useful if you need a DNAT target. -
The script is executed
python3 /var/local/lib/nftables_addons/dns.py
-
It will load the configuration
-
Resolve IPv4 and IPv6 (if enabled) for all configured variables
-
If it was unable to resolve some record - a placeholder-value will be set:
IPv4:
0.0.0.0
IPv6:
::
-
The new addon-config is written to
/tmp/nftables_dns.nft
-
Its md5-hash is compared to the existing config to check if it changed
-
If it has changed:
-
Config validation is done:
-
An include-file is written to
/tmp/nftables_main.nft
:include /tmp/nftables_dns.nft # including all other adoon configs include /etc/nftables.d/addons/other_addon1.nft include /etc/nftables.d/addons/other_addon2.nft # include other main configs include /etc/nftables.d/*.nft
-
This include-file is validated:
sudo nft -cf /tmp/nftables_main.nft
-
-
The new config is written to
/etc/nftables.d/addons/dns.nft
-
The actual config is validated:
sudo nft -cf /etc/nftables.conf
-
NFTables is reloaded:
sudo systemctl reload nftables.service
-
-
You will have to include the addon-config in your main-config file
/etc/nftables.conf
:... include "/etc/nftables.d/addons/*.nft" ...
If the script should be run as non-root user - you will need to add a sudoers.d file to add the needed privileges:
Cmnd_Alias NFTABLES_ADDON = \
/usr/bin/systemctl reload nftables.service,
/usr/sbin/nft -cf *
service_user ALL=(ALL) NOPASSWD: NFTABLES_ADDON
You may not change the owner of the addon-files as the script will not be able to overwrite them.
As explained above - there is a config-validation process to ensure the addon will not supply a bad config and lead to a failed nftables reload/restart.
If you want to be even safer - you can add a config-validation inside the nftables.service
:
# /etc/systemd/system/nftables.service.d/override.conf
[Service]
# catch errors at start
ExecStartPre=/usr/sbin/nft -cf /etc/nftables.conf
# catch errors at reload
ExecReload=
ExecReload=/usr/sbin/nft -cf /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
# catch errors at restart
ExecStop=
ExecStop=/usr/sbin/nft -cf /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset
Restart=on-failure
RestartSec=5s
This will catch and log config-errors before doing a reload/restart.
You can either:
- Add a Systemd Timer: example
- Add a cron job
Here you can find an Ansible Role to manage NFTables Addons:
MIT