Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Description
nftables provides a new in-kernel packet classification framework that is based on a
network-specific Virtual Machine (VM) and a new nft userspace command line tool.
nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure,
the connection tracking system, NAT, userspace queuing and logging subsystem.
The nftables package can be installed with the following command:
$ apt-get install nftables
Rationale
nftables is a subsystem of the Linux kernel that can protect against threats
originating from within a corporate network to include malicious mobile code and poorly
configured software on a host.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] ); then
DEBIAN_FRONTEND=noninteractive apt-get install -y "nftables"
else
>&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure nftables is installed
package:
name: nftables
state: present
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
"container"] )
tags:
- PCI-DSSv4-1.2.1
- enable_strategy
- low_complexity
- low_disruption
- medium_severity
- no_reboot_needed
- package_nftables_installed
