Ensure a Table Exists for Nftables

Classification:

compliance

Framework:

Control:

Description

Tables in nftables hold chains. Each table belongs to exactly one address family and applies only to packets of that family. A table's family is one of six: ip, ip6, inet, arp, bridge or netdev.

Rationale

nftables has no default tables. Until a table has been created (and a base chain and rules placed in it), nftables filters no network traffic. Note: adding rules to a running nftables can cause loss of connectivity to the system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
# (must run as root: nft needs CAP_NET_ADMIN to list or create tables)
if dpkg-query --show --showformat='${db:Status-Status}\n' 'nftables' 2>/dev/null | grep -q installed; then

    # Set nftables family name
    var_nftables_family='inet'

    # Set nftables table name
    var_nftables_table='filter'

    # Create the table only when nft reports no tables at all;
    # `nft create table` returns an error if the named table already exists
    IS_TABLE=$(nft list tables)
    if [ -z "$IS_TABLE" ]
    then
        nft create table "$var_nftables_family" "$var_nftables_table"
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
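The script above only creates a table when nft lists no tables at all, so a host that already has, say, an ip6 table but no inet one is left untouched, and `nft create table` aborts with an error when the table is already there. The following is an added example, not part of the rule's own remediation content, showing a family-aware variant: it parses the `table <family> <name>` lines that `nft list tables` prints, creates the specific table only when that family/name pair is missing, and uses the idempotent `nft add table` instead of `nft create table`. The function names and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the compliance rule): family-aware nftables
# table remediation. Creating an empty table adds no chains or rules, so
# it cannot interrupt existing connections; only base chains and rules can.
set -eu

# Report whether a "table <family> <name>" line is present in the text
# that `nft list tables` prints.  $1 = family, $2 = table, $3 = listing.
nft_table_present() {
    family=$1
    table=$2
    listing=$3
    printf '%s\n' "$listing" | grep -qx "table ${family} ${table}"
}

# Decide what (if anything) must be run for the given listing.
# Prints the nft command to execute, or nothing when the table exists.
# `nft add table` is idempotent; `nft create table` fails if it exists.
nft_table_plan() {
    family=$1
    table=$2
    listing=$3
    if nft_table_present "$family" "$table" "$listing"; then
        printf ''
    else
        printf 'nft add table %s %s\n' "$family" "$table"
    fi
}

# Live remediation: consult the running ruleset and act on the plan.
# Needs root (CAP_NET_ADMIN) for both `nft list tables` and `nft add table`.
nft_table_ensure() {
    family=${1:-inet}
    table=${2:-filter}
    if ! command -v nft >/dev/null 2>&1; then
        echo 'nft not installed, nothing was done' >&2
        return 1
    fi
    listing=$(nft list tables)
    cmd=$(nft_table_plan "$family" "$table" "$listing")
    if [ -n "$cmd" ]; then
        $cmd
    fi
}

# Constructed sample of `nft list tables` output, used for offline checks:
# an ip nat table and an ip6 filter table exist, but no inet filter table.
SAMPLE_LISTING='table ip nat
table ip6 filter'
```

Against the sample listing, `nft_table_plan inet filter "$SAMPLE_LISTING"` yields `nft add table inet filter`, while `nft_table_plan ip nat "$SAMPLE_LISTING"` yields nothing; on a real host, call `nft_table_ensure inet filter` as root.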

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - set_nftables_table
- name: XCCDF Value var_nftables_family # promote to variable
  set_fact:
    var_nftables_family: !!str inet
  tags:
    - always
- name: XCCDF Value var_nftables_table # promote to variable
  set_fact:
    var_nftables_table: !!str filter
  tags:
    - always

- name: Collect Existing Nftables
  ansible.builtin.command: nft list tables
  register: existing_nftables
  when: '"nftables" in ansible_facts.packages'
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - set_nftables_table

- name: Set Nftable Table
  ansible.builtin.command: nft create table {{ var_nftables_family }} {{ var_nftables_table }}
  when:
    - '"nftables" in ansible_facts.packages'
    - existing_nftables.stdout_lines | length == 0
  tags:
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
    - set_nftables_table

Warning

Adding rules to a running nftables can cause loss of connectivity to the system.