This is a small set of scripts and modules that ease management of named sets in nftables.
Named sets in nftables provide a good way to maintain dynamically adjusting data sets in the firewall.
A good example of this is maintaining IP address whitelists of the various services that your server may need to contact, in order to restrict outbound traffic from the server to only those IP addresses. However, the IP address of, say, api.example.com may change in a way that's out of your control. One way to manage this is to periodically issue a DNS query, get the current IP address, and update the named set for that whitelist accordingly.
nftables-set-manager handles the management of the sets based upon:
- A simple YAML configuration file
- Re-usable plugins that handle building the updated elements of a particular configured set
Several plugins come with the package:
- resolv: Extracts IP elements for the nameservers listed in /etc/resolv.conf
- dns: Gets the IP address(es) of a hostname (requires berserker_resolver package)
- apt_list: Gets IP addresses for all Apt sources files (requires berserker_resolver package)
- s3_ips: Gets IP addresses for AWS S3 regions
- github_ips: Gets IP addresses for Github IP types
- google_ips: Gets IP addresses for all of Google, or just Google Cloud services
- microsoft_office_ips: Gets IP addresses for all of Microsoft Office 365 services
- cloudflare_ips: Gets IP addresses for Cloudflare services
- saas_ips: Gets IP addresses for DRBD's spatch as a service
...and it's easy to write additional ones for your needs.
- Create the named sets in your nftables configuration, e.g.

```sh
nft add table inet filter
nft add set inet filter dns_ips { type ipv4_addr\; }
```

- Create a config.yaml (see config.sample.yaml for the format) and configure the sets you want to manage
- Run manage-sets.py --help to see the arguments for the script
- See plugins/example.py for an example of how to write a custom plugin
- Consider setting up a cron job to automatically update your sets
- The named sets themselves (the table and set definitions) are not created or removed by this code; it only replaces their elements, so create them in your nftables configuration first
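The steps above describe the loop the tool automates: resolve, then replace the set's elements. The following is an added example of that core update step for a DNS-fed whitelist; it is not the project's own code and does not use its plugin API or config format. The table/set names, the hostname, and the injectable `resolver` and `run` parameters are assumptions made for illustration.

```python
import ipaddress
import socket
import subprocess
from typing import Callable, Iterable, List, Optional


def resolve_ipv4(hostname: str,
                 resolver: Optional[Callable[[str], Iterable[str]]] = None) -> List[str]:
    """Return the unique IPv4 addresses for hostname, sorted.

    `resolver` is an assumed injection point so the logic can run offline;
    the default uses the system resolver via getaddrinfo.
    """
    if resolver is None:
        def resolver(name: str) -> List[str]:
            return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    return sorted(set(resolver(hostname)), key=ipaddress.ip_address)


def validate_elements(elements: Iterable[str], interval: bool = False) -> List[str]:
    """Accept only IPv4 addresses (or IPv4 prefixes when the set has 'flags interval').

    A malformed element would make nft abort the whole batch, and an IPv6 or
    hostname string does not belong in an ipv4_addr set, so reject early.
    """
    out: List[str] = []
    for element in elements:
        if "/" in element:
            if not interval:
                raise ValueError(f"{element}: CIDR elements need a set created with 'flags interval'")
            net = ipaddress.ip_network(element, strict=True)
            if net.version != 4:
                raise ValueError(f"{element}: not an IPv4 prefix")
            out.append(str(net))
        else:
            addr = ipaddress.ip_address(element)
            if addr.version != 4:
                raise ValueError(f"{element}: not an IPv4 address")
            out.append(str(addr))
    return out


def build_nft_batch(table: str, set_name: str, elements: List[str],
                    family: str = "inet") -> str:
    """Build an nft script that replaces the set contents in one transaction.

    Feeding flush + add to a single `nft -f` run commits both as one netlink
    transaction, so rules referencing the set never observe it empty. Two
    separate `nft` invocations would leave a window in which a drop-by-default
    outbound policy blocks everything.
    """
    if not elements:
        raise ValueError("refusing to replace the set with an empty element list")
    return (f"flush set {family} {table} {set_name}\n"
            f"add element {family} {table} {set_name} {{ {', '.join(elements)} }}\n")


def update_set(table: str, set_name: str, hostname: str,
               resolver: Optional[Callable[[str], Iterable[str]]] = None,
               run: Callable[..., object] = subprocess.run) -> List[str]:
    """Resolve hostname and atomically replace the elements of table/set_name."""
    addrs = validate_elements(resolve_ipv4(hostname, resolver))
    batch = build_nft_batch(table, set_name, addrs)
    run(["nft", "-f", "-"], input=batch, text=True, check=True)
    return addrs


if __name__ == "__main__":
    import sys
    # Usage (assumed names): update_set.py api.example.com
    try:
        print(update_set("filter", "dns_ips", sys.argv[1]))
    except (socket.gaierror, ValueError, subprocess.CalledProcessError) as exc:
        # On any failure the previous elements stay in place: a whitelist that
        # still holds yesterday's address is safer than one that was flushed.
        print(f"set not updated: {exc}", file=sys.stderr)
        sys.exit(1)
```

Two caveats this makes explicit: plugins that return CIDR ranges need the set created with `flags interval` in addition to its type, and a resolution failure or empty answer must leave the set untouched rather than flush it, otherwise a transient DNS problem turns a restrictive outbound policy into a full outage. The script has to run as root (or with the capabilities needed for netlink), which is worth remembering when wiring it into cron.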