
Ensure a Table Exists for Nftables

An XCCDF Rule

Description

Tables in nftables hold chains. Each table has exactly one address family and applies only to packets of that family. A table can belong to one of six families.

Warning

Adding rules to a running nftables can cause loss of connectivity to the system.

Rationale

nftables has no default tables. Until a table is created, nftables does not filter any network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system.

ID
xccdf_org.ssgproject.content_rule_set_nftables_table
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed; then

# Set nftables family name (the <xccdf-1.2:sub> element is replaced by the XCCDF processor with the selected value of var_nftables_family)
var_nftables_family='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nftables_family" use="legacy"/>'
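The check this rule performs, written out as an added stand-alone example (not the SSG remediation script above): parse the output of `nft list tables`, which prints one line per table in the form `table <family> <name>`, and report whether a table of the requested family exists. The listing `SAMPLE_TABLES` is constructed for the example; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SSG content: decide whether an nftables
# table exists for a given address family and, if not, which command
# would create it. Creating an empty table adds no chains or rules, so it
# does not by itself change how packets are filtered.

# Constructed sample of `nft list tables` output on a host with two tables.
SAMPLE_TABLES='table inet filter
table ip nat'

# nft_family_valid FAMILY: succeed only for one of the six nftables families.
nft_family_valid() {
    case "$1" in
        ip|ip6|inet|arp|bridge|netdev) return 0 ;;
        *) return 1 ;;
    esac
}

# nft_table_exists FAMILY LISTING: succeed if LISTING contains a table of FAMILY.
nft_table_exists() {
    printf '%s\n' "$2" | awk -v fam="$1" '
        $1 == "table" && $2 == fam { found = 1 }
        END { exit found ? 0 : 1 }'
}

# ensure_nft_table FAMILY NAME LISTING: print the status, or the nft command
# that the remediation would need to run to satisfy the rule.
ensure_nft_table() {
    family="$1"; name="$2"; listing="$3"
    if ! nft_family_valid "$family"; then
        echo "unknown nftables family: $family" >&2
        return 2
    fi
    if nft_table_exists "$family" "$listing"; then
        echo "table of family $family already present"
    else
        echo "nft add table $family $name"
    fi
}

# Stand-alone run: use the live listing when nft is available, else the sample.
listing=$(nft list tables 2>/dev/null || printf '%s' "$SAMPLE_TABLES")
ensure_nft_table inet filter "$listing"
```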


Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - low_complexity
  - low_disruption