I am creating a set of playbooks for the CIS Ubuntu 20.04 security benchmark. One of the benchmark items wants me to ensure that loopback traffic is configured for nftables. I am completely new to Ansible and the CIS Benchmarks, but I am learning.
First, I created a playbook and ran it:
- name: "3.5.2.6 Ensure nftables loopback traffic is configured | Part 2"
  shell: nft create rule inet "{{ item }}" input ip saddr 127.0.0.0/8 counter drop
  with_items:
    - filter_traffic
But I got an error saying there is a syntax error:
failed: [ubuntu@18.170.217.240] (item=filter_traffic) => {"ansible_loop_var": "item", "changed": true, "cmd": "nft create rule inet \"filter_traffic\" input ip saddr 127.0.0.0/8 counter drop", "delta": "0:00:00.004370", "end": "2021-09-03 11:38:36.155591", "item": "filter_traffic", "msg": "non-zero return code", "rc": 1, "start": "2021-09-03 11:38:36.151221", "stderr": "Error: syntax error, unexpected rule\ncreate rule inet filter_traffic input ip saddr 127.0.0.0/8 counter drop\n ^^^^", "stderr_lines": ["Error: syntax error, unexpected rule", "create rule inet filter_traffic input ip saddr 127.0.0.0/8 counter drop", " ^^^^"], "stdout": "", "stdout_lines": []}
Then I tried running it manually to see whether it works:
nft create rule inet filter_traffic input ip saddr 127.0.0.0/8 counter drop
It did not work; I got this error:
Error: syntax error, unexpected rule
create rule inet filter input ip saddr 127.0.0.0/8 counter drop
^^^^
I am not sure where I went wrong. Some forums suggested that I need to upgrade nftables, but when I searched for a way to do that, I did not find one.
Any help would be greatly appreciated.
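As an added example that is not part of the question above: nft has no "create rule" verb (only tables, chains, sets and similar objects can be created), rules are appended with "add rule", and "add rule" appends a duplicate every time it runs, so a playbook shell step has to inspect the chain first. The script below assumes the table is "inet filter" and the chain "input" (adjust to what the playbook created) and pairs the drop rule from the question with the companion "iif lo accept" and IPv6 rules of the same benchmark item.

```shell
#!/bin/sh
# Idempotently ensure the CIS loopback rules in an nftables chain.
# Assumed names: table "inet filter", chain "input" (override via env).
TABLE="${TABLE:-filter}"
CHAIN="${CHAIN:-input}"

# normalize: rewrite "nft list chain" output into the form rules are written
# in: strip indentation and handles, drop counter statistics, and remove the
# quotes nft prints around interface names (iif "lo" -> iif lo).
normalize() {
    sed -E -e 's/^[[:space:]]+//' \
           -e 's/ # handle [0-9]+$//' \
           -e 's/counter packets [0-9]+ bytes [0-9]+/counter/' \
           -e 's/"//g'
}

# rule_present RULESET RULE: succeed if RULE appears as a whole line in the
# normalized RULESET text (RULESET is the output of "nft list chain").
rule_present() {
    printf '%s\n' "$1" | normalize | grep -Fxq "$2"
}

# ensure_rule RULE: append RULE to the chain only when it is not there yet.
# Prints "changed:" or "ok:" so an Ansible task can key changed_when on it.
ensure_rule() {
    current=$(nft list chain inet "$TABLE" "$CHAIN") || return 1
    if rule_present "$current" "$1"; then
        echo "ok: $1"
    else
        # Word splitting of $1 is intentional: nft wants separate tokens.
        nft add rule inet "$TABLE" "$CHAIN" $1 || return 1
        echo "changed: $1"
    fi
}

# Order matters: "add rule" appends, so the loopback accept must be added
# before the anti-spoofing drops or loopback traffic itself gets dropped.
if [ "${1:-}" = "apply" ]; then
    ensure_rule 'iif lo accept'
    ensure_rule 'ip saddr 127.0.0.0/8 counter drop'
    ensure_rule 'ip6 saddr ::1 counter drop'
fi
```

Run it as root with the argument "apply" (for example from a shell task with changed_when on the "changed:" output); calling it again reports "ok:" for every rule instead of appending duplicates.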