1 files changed, 16 insertions, 8 deletions

diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index d788457..bbc0e7c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -36,40 +36,54 @@ define out-tcp-ports = {
   , 636     # ldaps
 {% endif %}
 {% if 'IMAP' in group_names %}
   , 2703    # Razor2
 {% endif %}
 }
 
 
 ###############################################################################
 
 flush ruleset
 
 table netdev filter {
 {% for if in ansible_interfaces %}
 {% if if != "lo" and ansible_facts[if].active %}
 {% set addr = (ansible_facts[if].ipv4 | default({'address': '0.0.0.0'})).address %}
     chain INGRESS-{{ if }} {
         type filter hook ingress device {{ if }} priority -499
         policy accept
 
+        # IPsec traffic (refined later in the filter rule)
+        ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
+
+        # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options)
+        icmp   type { echo-reply, echo-request, destination-unreachable } counter accept
+        icmpv6 type { echo-reply, echo-request, destination-unreachable,
+                      packet-too-big, time-exceeded, parameter-problem } counter accept
+
+        # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1
+        ip6 hoplimit 255 icmpv6 type { 133,134,135,136,141,142 } counter accept
+
+        # reject all remaining ICMP/ICMPv6 traffic
+        meta l4proto { icmp, icmpv6 } drop
+
         # bogon filter (cf. RFC 6890 for non-global ip addresses)
         define bogon = {
             0.0.0.0/8          # this host, on this network (RFC 1122 sec. 3.2.1.3)
 {% if not addr | ipaddr('10.0.0.0/8') %}
           , 10.0.0.0/8         # private-use (RFC 1918)
 {% endif %}
           , 100.64.0.0/10      # shared address space (RFC 6598)
           , 127.0.0.0/8        # loopback (RFC 1122, sec. 3.2.1.3)
           , 169.254.0.0/16     # link local (RFC 3927)
 {% if not addr | ipaddr('172.16.0.0/12') %}
           , 172.16.0.0/12      # private-use (RFC 1918)
 {% endif %}
           , 192.0.0.0/24       # IETF protocol assignments (RFC 6890 sec. 2.1)
           , 192.0.2.0/24       # documentation (RFC 5737)
 {% if not addr | ipaddr('192.168.0.0/16') %}
           , 192.168.0.0/16     # private-use (RFC 1918)
 {% endif %}
           , 198.18.0.0/15      # benchmarking (RFC 2544)
           , 198.51.100.0/24    # documentation (RFC 5737)
           , 203.0.113.0/24     # documentation (RFC 5737)
@@ -134,85 +148,79 @@ table inet filter {
     set fail2ban  { type ipv4_addr; timeout 10m; }
     set fail2ban6 { type ipv6_addr; timeout 10m; }
 
     chain input {
         type filter hook input priority 0
         policy drop
 
         iif lo accept
 
         # XXX Bullseye: this is a rather crude match as nftables 0.9.0 lacks support for ipsec expressions
         # to match match inbound resp. outbound policies and source resp. destination tunnel addresses.
         # https://serverfault.com/questions/971735/how-to-match-reqid-in-nftables
         # https://blog.fraggod.net/2016/09/25/nftables-re-injected-ipsec-matching-without-xt_policy.html
         # (We can't use marks to match post-ESP decapsulation here because that doesn't work well with UDP
         # encapsulation.)  We'll also pin the reqid to the lowest address byte in ipsec.conf(5); that way
         # peers can't impersonate each other.
         meta l4proto esp accept
         # ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} ipsec in reqid $i accept
         ip saddr {{ ipsec_subnet }} ip daddr {{ ipsec[inventory_hostname_short] }} meta secpath exists accept
 
-        # rate-limiting is done directly by the kernel (net.ipv4.icmp_{ratelimit,ratemask} runtime options)
-        icmp   type { echo-reply, echo-request, destination-unreachable } counter accept
-        icmpv6 type { echo-reply, echo-request, destination-unreachable,
-                      packet-too-big, time-exceeded, parameter-problem } counter accept
-
-        # accept neighbour discovery for autoconfiguration, RFC 4890 sec. 4.4.1
-        icmpv6 type { 133,134,135,136,141,142 } ip6 hoplimit 255 counter accept
+        meta l4proto { icmp, icmpv6 } counter accept
 
         udp sport  123 udp dport  123 ct state     related,established accept
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp sport 53 ct state related,established accept
         tcp sport 53 ct state related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  67 udp dport  68 ct state related,established accept
         ip6 version 6 udp sport 547 udp dport 546 ct state related,established accept
 {% endif %}
 
         meta l4proto tcp ip  saddr @fail2ban  counter drop
         meta l4proto tcp ip6 saddr @fail2ban6 counter drop
 
         tcp dport $in-tcp-ports  ct state related,established accept
         tcp dport $in-tcp-ports  ct state new counter accept
         tcp sport $out-tcp-ports ct state related,established accept
     }
 
     chain output {
         type filter hook output priority 0
         policy drop
 
         oif lo accept
 
         # XXX Bullseye: unlike for input we can't use marks or test for
         # secpath existence here, because by the time we see a packet to
         # 172.16.0.0/24 we don't know if it'll be encapsulated
         meta l4proto esp accept
         # ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} ipsec out reqid $i accept
         ip saddr {{ ipsec[inventory_hostname_short] }} ip daddr {{ ipsec_subnet }} accept
 
-        meta l4proto { icmp, icmpv6 } accept
+        meta l4proto { icmp, icmpv6 } counter accept
 
         udp sport  123 udp dport  123 ct state new,related,established accept
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
         udp sport 4500 udp dport 4500 ct state new,related,established accept
 {% endif %}
 {% endif %}
 
         udp dport 53 ct state new,related,established accept
         tcp dport 53 ct state new,related,established accept
 {% if 'dhclient' in group_names %}
         ip  version 4 udp sport  68 udp dport  67 ct state new,related,established accept
         ip6 version 6 udp sport 546 udp dport 547 ct state new,related,established accept
 {% endif %}
 
         tcp sport $in-tcp-ports  ct state related,established accept
         tcp dport $out-tcp-ports ct state related,established accept
         tcp dport $out-tcp-ports ct state new counter accept