ansible.nftables/templates/etc/nftables.conf.j2

#jinja2: lstrip_blocks: "True", trim_blocks: "True"
#!/usr/sbin/nft -f
# {{ ansible_managed }}
{% set globalmerged = nft_global_default_rules.copy() %}
{% set _ = globalmerged.update(nft_global_rules) %}
{% set _ = globalmerged.update(nft_global_group_rules) %}
{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
  {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
{% endif %}
{% set _ = globalmerged.update(nft_global_host_rules) %}

# clean
flush ruleset

include "{{ nft_define_conf_path }}"

table inet filter {
	chain global {
{% for group, rules in globalmerged|dictsort  %}
		# {{ group }}
  {% if not rules %}
		# (none)
  {% endif %}
  {% for rule in rules %}
		{{ rule }}
  {% endfor %}
{% endfor %}
	}
	include "{{ nft_set_conf_path }}"
	include "{{ nft_input_conf_path }}"
	include "{{ nft_output_conf_path }}"
{% if nft__forward_table_manage %}
	include "{{ nft_forward_conf_path }}"
{% endif %}
{% if nft_custom_includes | default() %}
  {% if nft_custom_includes is string %}
	include "{{ nft_custom_includes }}"
  {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
    {% for include in nft_custom_includes %}
	include "{{ include }}"
    {% endfor %}
  {% endif %}
{% endif %}
}

{% if nft__nat_table_manage %}
# Additionnal table for Network Address Translation (NAT)
table ip nat {
	include "{{ nft_set_conf_path }}"
	include "{{ nft__nat_prerouting_conf_path }}"
	include "{{ nft__nat_postrouting_conf_path }}"
}
{% endif %}

{% if nft__custom_content|d() %}
# Custom content from ipr-cnrs.nftables
{{ nft__custom_content }}
{% endif %}
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`#jinja2: lstrip_blocks: "True", trim_blocks: "True"`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`#!/usr/sbin/nft -f`
			`# {{ ansible_managed }}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`{% set globalmerged = nft_global_default_rules.copy() %}`
Add a additionnal level for all vars for all hosts It can be defined in group_vars/all . 2018-08-06 15:09:20 +02:00			`{% set _ = globalmerged.update(nft_global_rules) %}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`{% set _ = globalmerged.update(nft_global_group_rules) %}`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`{% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}`
			`{% endif %}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`{% set _ = globalmerged.update(nft_global_host_rules) %}`

Generate main configuration file. 2017-08-07 13:48:54 +02:00			`# clean`
			`flush ruleset`

Use var to include defines.nft file − Fix #9 2020-06-02 09:22:17 +02:00			`include "{{ nft_define_conf_path }}"`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00
Rename firewall table to filter table (most use on Debian). 2018-02-06 15:50:31 +01:00			`table inet filter {`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`chain global {`
			`{% for group, rules in globalmerged\|dictsort %}`
			`# {{ group }}`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`{% if not rules %}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`# (none)`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`{% endif %}`
			`{% for rule in rules %}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`{{ rule }}`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`{% endfor %}`
Add dict to manage global config rules. 2017-08-07 17:07:35 +02:00			`{% endfor %}`
			`}`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`include "{{ nft_set_conf_path }}"`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`include "{{ nft_input_conf_path }}"`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`include "{{ nft_output_conf_path }}"`
Added the option to manage the forwarding firewall table. 2021-03-03 10:47:02 +01:00			`{% if nft__forward_table_manage %}`
			`include "{{ nft_forward_conf_path }}"`
			`{% endif %}`
Add nft_custom_includes option for optional includes in the main filter table. 2021-03-03 10:40:24 +01:00			`{% if nft_custom_includes \| default() %}`
			`{% if nft_custom_includes is string %}`
			`include "{{ nft_custom_includes }}"`
			`{% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}`
			`{% for include in nft_custom_includes %}`
			`include "{{ include }}"`
			`{% endfor %}`
			`{% endif %}`
			`{% endif %}`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`}`
Add a variable to manage custom content (table, include,…) 2019-04-16 11:50:30 +02:00
Include Nat rules files in main configuration 2019-04-16 15:59:08 +02:00			`{% if nft__nat_table_manage %}`
			`# Additionnal table for Network Address Translation (NAT)`
			`table ip nat {`
Include set definitions in nat table 2019-04-16 18:57:31 +02:00			`include "{{ nft_set_conf_path }}"`
Include Nat rules files in main configuration 2019-04-16 15:59:08 +02:00			`include "{{ nft__nat_prerouting_conf_path }}"`
			`include "{{ nft__nat_postrouting_conf_path }}"`
			`}`
			`{% endif %}`

Add a variable to manage custom content (table, include,…) 2019-04-16 11:50:30 +02:00			`{% if nft__custom_content\|d() %}`
			`# Custom content from ipr-cnrs.nftables`
			`{{ nft__custom_content }}`
			`{% endif %}`