Merge pull request #11991 from marcusburghardt/set_nftables_table

Better description and test scenarios for set_nftables_table
ComplianceAsCode · May 16, 2024 · 1a61085 · 1a61085
2 parents 712a82b + c79fac7
commit 1a61085
Show file tree

Hide file tree

Showing 6 changed files with 69 additions and 18 deletions.
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/ansible/shared.yml b/linux_os/guide/system/network/network-nftables/set_nftables_table/ansible/shared.yml
@@ -8,11 +8,13 @@
 {{{ ansible_instantiate_variables("var_nftables_table") }}}
 
 - name: Collect Existing Nftables
-  ansible.builtin.command: nft list tables
-  register: existing_nftables
+  ansible.builtin.command: nft list table {{ var_nftables_family }} {{ var_nftables_table }}
+  register: result_nftables_table_family
+  changed_when: false
+  failed_when: result_nftables_table_family.rc not in [0, 1]
 
 - name: Set Nftable Table
   ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }}
   when:
-    - existing_nftables is not skipped
-    - existing_nftables.stdout_lines | length == 0
+    - result_nftables_table_family is not skipped
+    - result_nftables_table_family.rc != 0
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/bash/shared.sh b/linux_os/guide/system/network/network-nftables/set_nftables_table/bash/shared.sh
@@ -1,13 +1,12 @@
 # platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
 
-#Set nftables family name
 {{{ bash_instantiate_variables("var_nftables_family") }}}
-
-#Set nftables table name
 {{{ bash_instantiate_variables("var_nftables_table") }}}
 
-IS_TABLE=$(nft list tables)
-if [ -z "$IS_TABLE" ]
-then
+if ! nft list table $var_nftables_family $var_nftables_table; then
   nft create table "$var_nftables_family" "$var_nftables_table"
 fi
diff --git a/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml b/linux_os/guide/system/network/network-nftables/set_nftables_table/rule.yml
@@ -1,16 +1,26 @@
 documentation_complete: true
 
-
 title: 'Ensure a Table Exists for Nftables'
 
 description: |-
-   Tables in nftables hold chains. Each table only has one address family and only applies
-   to packets of this family. Tables can have one of six families.
+    Tables in nftables hold chains. Each table only has one address family and only applies
+    to packets of this family. Tables can have one of six families.
+    {{% if "rhel" in product %}}
+    {{{ full_name }}} uses <tt>firewalld</tt> for firewall management. When <tt>nftables</tt> is
+    the firewall backend used by <tt>firewalld</tt>, an <tt>{{{ xccdf_value("var_nftables_family") }}}</tt>
+    family table called <tt>{{{ xccdf_value("var_nftables_table") }}}</tt> is used.
+
+    To verify that the <tt>nftables</tt> table used by <tt>firewalld</tt> exists, run the following
+    command:
+    <pre>$ sudo nft list tables
+    table {{{ xccdf_value("var_nftables_family") }}} {{{ xccdf_value("var_nftables_table") }}}
+    </pre>
+    This table is automatically created by <tt>firewalld</tt> when it is started.
+    {{%- endif %}}
 
 rationale: |-
-    Nftables doesn't have any default tables. Without a table being built, nftables will not filter
-    network traffic.
-    Note: adding rules to a running nftables can cause loss of connectivity to the system.
+    Nftables doesn't have any default tables. Without a table being built, nftables will not
+    filter network traffic.
 
 severity: medium
 
@@ -30,12 +40,21 @@ references:
 ocil_clause: 'a nftables table does not exist'
 
 warnings:
-   - general: "Adding rules to a running nftables can cause loss of connectivity to the system."
+    - general: |-
+        Adding or editing rules in a running nftables can cause loss of connectivity to the system.
+    - general: |-
+        Both the SCE check and remediation for this rule only consider runtime settings.
+        There is no specific file to check as it depends on each site's policy. Therefore, check
+        and remediation use the nft command directly. The fix is not persistent across system
+        reboots.
+    - functionality: |-
+        SCE check does not support variables, therefore the SCE check in this rule only checks the
+        address family, regardless of the table name.
 
 ocil: |-
     To verify that a nftables table exists, run the following command:
     <pre>$ sudo nft list tables</pre>
     Output should include a list of nftables similar to:
     <tt>
-      table inet filter
+      table {{{ xccdf_value("var_nftables_family") }}} {{{ xccdf_value("var_nftables_table") }}}
     </tt>
diff --git a/...ystem/network/network-nftables/set_nftables_table/tests/nftables_incorrect_family.fail.sh b/...ystem/network/network-nftables/set_nftables_table/tests/nftables_incorrect_family.fail.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# variables = var_nftables_family=inet,var_nftables_table=filter
+
+var_nftables_family="ip"
+var_nftables_table="filter"
+
+nft list tables |
+while read table; do
+	nft delete $table
+done
+
+nft create table "$var_nftables_family" "$var_nftables_table"
diff --git a/...guide/system/network/network-nftables/set_nftables_table/tests/nftables_no_tables.fail.sh b/...guide/system/network/network-nftables/set_nftables_table/tests/nftables_no_tables.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# variables = var_nftables_family=inet,var_nftables_table=filter
+
+nft list tables |
+while read table; do
+	nft delete $table
+done
diff --git a/...e/system/network/network-nftables/set_nftables_table/tests/nftables_table_present.pass.sh b/...e/system/network/network-nftables/set_nftables_table/tests/nftables_table_present.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# variables = var_nftables_family=inet,var_nftables_table=filter
+
+var_nftables_family="inet"
+var_nftables_table="filter"
+
+nft list tables |
+while read table; do
+	nft delete $table
+done
+
+nft create table "$var_nftables_family" "$var_nftables_table"