Anapaya appliance configuration (firewall only)

firewall object

The firewall section applies ONLY to non-IP-in-SCION tunneling traffic! It contains the configuration for the Anapaya appliance firewall, which filters non-IP-in-SCION tunneling traffic. The Anapaya appliance firewall makes use of the Linux kernel packet classification framework nftables, so it is highly recommended that you familiarize yourself with nftables by reading the following short overview: nftables in 10 minutes.

The Anapaya appliance's firewall configuration contains tables of chains, which in turn contain the actual rules for enforcing the desired filtering.

mode string

The firewall mode declares how the Anapaya appliance handles firewall rules. Depending on the mode, the Anapaya appliance either generates a default set of rules, prepends some custom rules, or uses only the specified custom rules.

Enum values:
  AUTO: 'AUTO' is the default mode; it generates a set of rules based on the rest of the Anapaya appliance configuration. The Anapaya appliance uses the default table called 'appliance' of type INET with the generated rules. The mode locks down the Anapaya appliance to only allow traffic required for the Anapaya appliance to function properly. If you do not have any special requirements, this is the recommended mode. No customizations are possible in this mode. If you want to specify this mode explicitly, the tables section must be empty.
  CUSTOM: 'CUSTOM' mode does not generate any rules and allows the user to configure the Anapaya appliance firewall from scratch. This mode is useful if you want to have full control over the Anapaya appliance firewall. Be cautious when using this mode.
  PREPEND: 'PREPEND' mode uses the rules generated by the 'AUTO' mode and allows prepending additional rules to the generated ones. The configuration only allows a single table named 'appliance' of type 'INET'. This mode is useful if you want to add custom rules to the Anapaya appliance firewall without having to reconfigure the whole firewall. To prepend rules, add them to the table 'appliance' in chains named 'default_input' or 'default_forward'. For other hooks, no specific naming of chains is required, but there can only be one chain per hook.
  UNMANAGED: 'UNMANAGED' mode disables the Anapaya appliance firewall and does not interfere with existing firewall configurations. This mode should only be used when transitioning from iptables to the Anapaya appliance-managed firewall.

Possible values: [AUTO, PREPEND, CUSTOM, UNMANAGED]

tables object[]

Define the nftables tables that should be configured on the system. A table is a top-level container within an nftables ruleset; it holds chains and counters. A table belongs to exactly one family.

  • Array [
  • chains object[]

    Chains defined within the nftables table.

  • Array [
    chaintype string

    The type and usage of the chain. This must be set for base chains and unset for regular chains.

    Enum values:
      FILTER: The chain type is Filter.
      NAT: The chain type is NAT.
      ROUTE: The chain type is Route.

    Possible values: [FILTER, ROUTE, NAT]

    hook string

    The packet processing step during which the chain should be executed. This must be set for base chains and unset for regular chains. For more information on the chain hooks, please refer to Base chain hooks.

    Enum values:
      FORWARD: The chain should be executed on all incoming packets that are not addressed to the local system.
      INPUT: The chain should be executed when an incoming packet is addressed to and has been routed to the local system and the processes running there.
      OUTPUT: The chain should be executed on packets that have originated from processes on the local system.
      POSTROUTING: The chain should be executed after routing, just before the packet leaves the local system.
      PREROUTING: The chain should be executed when receiving any incoming packet, before any routing decision has been made.

    Possible values: [PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING]

    name string (required)

    The name of the chain.

    policy string

    The default policy that will be applied to packets that reach the end of the chain. For more information on chain policies, please refer to Base chain policy.

    Enum values:
      ACCEPT: The chain policy is Accept, which means that the packet will keep traversing the network stack.
      DROP: The chain policy is Drop, which means that the packet will be discarded if it reaches the end of the base chain.

    Possible values: [ACCEPT, DROP]

    priority integer<int32>

    The priority of the chain. This must be set for base chains and unset for regular chains.

    rules object[]

    Rules defined as part of a chain within a firewall table.

  • Array [
  • comment string

    Description, or comment, for the firewall rule.

    rule string (required)

    The rule definition consists of expressions and statements in string format. The expressions are evaluated from left to right and if the packet matches the expressions the statement is executed. For information on the supported syntax for expressions and statements, please refer to Expressions: Matching packets and Statements: Acting on packet matches.

    sequence_id integer<uint32> (required)

    The sequence ID determines the order in which the firewall rules are applied. The sequence ID must be unique for each entry. Target devices apply the rules in order of ascending sequence ID (low to high).

    Example: 1
  • ]
  • ]
  • counters object[]

    Optional named counters defined within the nftables table.

  • Array [
  • name string (required)

    The name of the counter.

  • ]
  • family string

    The family type of the nftables. For more information on table families, please refer to Nftables families.

    Enum values:
      INET: The table is applied to IPv4 and IPv6 packets.
      IP: The table is applied to IPv4 packets.
      IP6: The table is applied to IPv6 packets.

    Possible values: [IP, IP6, INET]

    name string (required)

    Name of the nftables table.

  • ]
  • Config_Firewall_Wrapped
    {
      "firewall": {
        "mode": "AUTO",
        "tables": [
          {
            "chains": [
              {
                "chaintype": "FILTER",
                "hook": "PREROUTING",
                "name": "string",
                "policy": "ACCEPT",
                "priority": 0,
                "rules": [
                  {
                    "comment": "string",
                    "rule": "string",
                    "sequence_id": 1
                  }
                ]
              }
            ],
            "counters": [
              {
                "name": "string"
              }
            ],
            "family": "IP",
            "name": "string"
          }
        ]
      }
    }
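As an added example (not code from the Anapaya documentation or product), the following Python checks a firewall object against the constraints stated above (AUTO requires an empty tables section, PREPEND allows only the single INET table 'appliance' with one chain per hook, base chains carry chaintype, hook and priority while regular chains carry none, and sequence_id values are unique within a chain) and lists a chain's rules in the order a device applies them. The PREPEND_CONFIG object is a constructed sample, with the 192.0.2.0/24 documentation range standing in for an admin subnet.

```python
# Added example (not Anapaya's own code): check a firewall object against the
# constraints stated in the reference and order a chain's rules by sequence_id.
MODES = {"AUTO", "PREPEND", "CUSTOM", "UNMANAGED"}

def validate_firewall(fw):
    """Return a list of violations; an empty list means the object is consistent."""
    errors = []
    mode = fw.get("mode", "AUTO")
    tables = fw.get("tables", [])
    if mode not in MODES:
        errors.append(f"unknown mode {mode!r}")
    if mode == "AUTO" and tables:
        errors.append("AUTO mode requires an empty tables section")
    if mode == "PREPEND" and not (len(tables) == 1 and tables[0].get("name") == "appliance"
                                  and tables[0].get("family") == "INET"):
        errors.append("PREPEND mode allows only one table 'appliance' of family INET")
    for t in tables:
        hooks_seen = set()
        for c in t.get("chains", []):
            name = c.get("name")
            base = {k: c.get(k) for k in ("chaintype", "hook", "priority")}
            present = [k for k, v in base.items() if v is not None]
            # base chains carry all three fields, regular chains none of them
            if present and len(present) != 3:
                errors.append(f"chain {name!r}: base chains need chaintype, hook and priority")
            if mode == "PREPEND" and base["hook"] is not None:
                if base["hook"] in hooks_seen:
                    errors.append(f"chain {name!r}: only one chain per hook in PREPEND mode")
                hooks_seen.add(base["hook"])
            seq = [r.get("sequence_id") for r in c.get("rules", [])]
            if len(seq) != len(set(seq)):
                errors.append(f"chain {name!r}: sequence_id values must be unique")
    return errors

def ordered_rules(chain):
    """Rule strings in the order a device applies them (ascending sequence_id)."""
    return [r["rule"] for r in sorted(chain["rules"], key=lambda r: r["sequence_id"])]

# Constructed PREPEND-mode object: two custom rules in front of the generated
# 'default_input' rules (addresses from the 192.0.2.0/24 documentation range).
PREPEND_CONFIG = {
    "mode": "PREPEND",
    "tables": [{"name": "appliance", "family": "INET", "chains": [{
        "name": "default_input", "chaintype": "FILTER", "hook": "INPUT", "priority": 0,
        "rules": [
            {"sequence_id": 20, "rule": "ip saddr 192.0.2.0/24 tcp dport 22 accept",
             "comment": "management SSH from the admin subnet"},
            {"sequence_id": 10, "rule": "ct state established,related accept"},
        ]}]}],
}
```

Note that the rules are listed in the sample out of sequence order on purpose; ordered_rules shows that the device applies the established/related rule first because its sequence_id is lower.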