#
# nftables-ruleset - Basic nftables rules for bondingadmin
#

# Wipe every table currently in the kernel -- not only the ones defined in
# this file -- so that what follows is applied as one atomic replacement.
# Any other service that installs its own nftables tables (container
# runtimes, virtualisation daemons, ...) loses them at this point and has
# to be restarted after this ruleset is loaded; keep this file the single
# loader on the host.
flush ruleset

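table inet filter {

    # Named sets referenced by the flow-collector fragments.  Everything
    # under /run/bondingadmin is generated at runtime; whoever can write
    # there can inject rules into this table, so that directory must stay
    # writable by root only.  A wildcard include that matches no file is
    # a no-op for nft, which is what the "if present" fragments rely on.
    #
    include "/run/bondingadmin/filter-set-*.nft"

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback first: it must not be affected by anything the included
        # fragments below happen to drop, and it is the hottest path on the
        # box, so it should not traverse the rest of the chain at all.
        iifname lo accept comment "Allow from loopback"

        ct state established,related accept
        ct state invalid drop

        # Rules managed via salt, then local customisations, if present.
        # nftables is first-match within a chain: a verdict in these
        # fragments wins over the generic rules that follow, and the /etc
        # fragments are evaluated before the /run fragments.
        #
        include "/etc/bondingadmin/nftables/filter-input-*.nft"
        include "/run/bondingadmin/filter-input-*.nft"

        # Allow ICMP/ICMPv6.  'meta l4proto' is used rather than
        # 'ip6 nexthdr': the latter only inspects the fixed header's
        # next-header field and so misses ICMPv6 carried behind an
        # extension header (e.g. MLD behind a hop-by-hop header).
        # NOTE(review): this admits every ICMP type, including redirects
        # and router advertisements; narrow it to explicit 'icmp type' /
        # 'icmpv6 type' lists if the host does not depend on them.
        #
        meta l4proto icmp accept
        meta l4proto ipv6-icmp accept

        # Allow openvpn from any interface
        #
        udp dport openvpn accept

        # Allow public TCP services from any interface
        #
        tcp dport {80, 443} accept comment "http/https"

        # Node services: reachable over the management tunnel only
        #
        iifname mtun0 tcp dport {
            4505 comment "salt master",
            4506 comment "salt master",
            5403 comment "corosync qnetd",
            8003 comment "nodeupdates",
            8004 comment "influxmux",
        } accept
    }

    # Name kept in upper case on purpose: external tooling may address the
    # chain as 'inet filter FORWARD', and renaming it would break that.
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        iifname mtun0 oifname mtun0 drop comment "Disallow hairpin access between nodes"

        # NOTE(review): this matches on the egress interface only, so any
        # interface that can route through this host reaches the private
        # node addresses (and gets masqueraded by the nat tables).  If only
        # a particular management LAN should get in, qualify the rule with
        # 'iifname <mgmt-if>' or a source-address set.
        oifname mtun0 accept comment "Allow access to private node addresses from local management systems"

        # Rules managed via salt, then local customisations, if present
        # (first match wins, as in the input chain).
        #
        include "/etc/bondingadmin/nftables/filter-forward-*.nft"
        include "/run/bondingadmin/filter-forward-*.nft"
    }
}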

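table ip nat_ipv4 {

    # Named map(s) used by the flow-collector IPv4 DNAT rules; generated
    # at runtime under /run/bondingadmin (root-writable only, as it feeds
    # rules straight into this table).
    #
    include "/run/bondingadmin/nat-ipv4-map-*.nft"

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # NOTE: masquerading rewrites the client's source address to this
        # host's mtun0 address, so every management connection looks to
        # the nodes as if it came from this host; per-client auditing or
        # ACLs on the node side cannot tell management systems apart.
        oifname mtun0 masquerade comment "Allow direct node access from local management systems without requiring additional routing"
    }

    chain prerouting {
        # 'policy accept' is the default for a chain without an explicit
        # policy; stated here for parity with postrouting.
        type nat hook prerouting priority -100; policy accept;

        # Flow collector IPv4 DNAT rules (runtime-generated).  DNAT only
        # rewrites the destination; the translated packet still has to
        # pass the input or FORWARD chain of 'inet filter' afterwards.
        #
        include "/run/bondingadmin/nat-ipv4-prerouting-*.nft"
    }
}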

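table ip6 nat_ipv6 {

    # Named map(s) used by the flow-collector IPv6 DNAT rules; generated
    # at runtime under /run/bondingadmin (root-writable only, as it feeds
    # rules straight into this table).
    #
    include "/run/bondingadmin/nat-ipv6-map-*.nft"

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # NOTE: masquerading rewrites the client's source address to this
        # host's mtun0 address, so every management connection looks to
        # the nodes as if it came from this host; per-client auditing or
        # ACLs on the node side cannot tell management systems apart.
        oifname mtun0 masquerade comment "Allow direct node access from local management systems without requiring additional routing"
    }

    chain prerouting {
        # 'policy accept' is the default for a chain without an explicit
        # policy; stated here for parity with postrouting.
        type nat hook prerouting priority -100; policy accept;

        # Flow collector IPv6 DNAT rules (runtime-generated).  DNAT only
        # rewrites the destination; the translated packet still has to
        # pass the input or FORWARD chain of 'inet filter' afterwards.
        #
        include "/run/bondingadmin/nat-ipv6-prerouting-*.nft"
    }
}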
