states/fwrules/templates/firewall.nft.j2

{%- set grains = salt["grains.get"] -%}
{%- set nodetype = grains("app") -%}
{%- set datacenter = grains("datacenter") -%}

#!/usr/sbin/nft -f

table inet firewall {
    include "/etc/firewall/sets.nft";
    include "/etc/firewall/chains.nft";

    chain input {
        type filter hook input priority -10; policy drop;

        # Fixup ICMPv6 to allow IPv6 communication
        icmpv6 type {
            nd-neighbor-solicit,
            echo-request,
            nd-router-advert,
            nd-neighbor-advert,
        } accept

        # Accept established and related, but drop invalid
        ct state established,related accept
        ct state invalid drop

        # Accept loopback and docker network traffic
        iifname lo accept
        iifname docker0 accept

        # Allow all from management
        ip saddr $management4 accept
        ip6 saddr $management6 accept

        # Extra perimeter chain jumps
        jump critical_services
        jump node_exporter_private
        jump http_public
        {%- if datacenter == "usc2" %}
        jump usc2_privnet
        {%- elif datacenter == "int" %}
        jump int_privnet
        {%- endif %}
        {%- if nodetype == "builder" %}
        jump concourse_worker
        {%- elif nodetype == "matrix" %}
        jump matrix_public
        {%- elif nodetype == "saltbox" %}
        jump salt_private
        {%- elif nodetype == "vault" %}
        jump vault_private
        {%- endif %}
        {%- if nodetype in ["es-data", "es-master", "vector"] and datacenter == "fsn1" %}
        jump elasticsearch_cluster
        {%- endif %}
        {%- if nodetype == "docker" and datacenter == "usc2" %}
        jump docker_usc2_ingress
        {%- endif %}

        # Don't insert any rules after this log.
        log prefix "nft-blocked " flags all counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}