Verify nftables Service is Enabled
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
The nftables service allows for the loading of nftables rulesets during boot,
or starting on the nftables service
The nftables service can be enabled with the following command:
$ sudo systemctl enable nftables.service
Rationale
The nftables service restores the nftables rules from the rules files referenced
in the /etc/sysconfig/nftables.conf file during boot or the starting of
the nftables service
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed ); then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'nftables.service'
"$SYSTEMCTL_EXEC" start 'nftables.service'
"$SYSTEMCTL_EXEC" enable 'nftables.service'
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
package_facts:
manager: auto
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_nftables_enabled
- name: Verify nftables Service is Enabled - Enable service nftables
block:
- name: Gather the package facts
package_facts:
manager: auto
- name: Verify nftables Service is Enabled - Enable Service nftables
ansible.builtin.systemd:
name: nftables
enabled: true
state: started
masked: false
when:
- '"nftables" in ansible_facts.packages'
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] and "nftables" in ansible_facts.packages )
tags:
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- service_nftables_enabled
