2017-08-07 12:09:13 +02:00
|
|
|
|
---
|
2018-05-16 14:38:33 +02:00
|
|
|
|
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
|
|
|
|
|
|
#
|
2021-01-04 16:53:16 +01:00
|
|
|
|
# ipr-cnrs.nftables default variables
|
|
|
|
|
|
# ===================================
|
2018-05-16 14:38:33 +02:00
|
|
|
|
|
|
|
|
|
|
# Packages and installation [[[
|
|
|
|
|
|
# -----------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_enabled [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Enable or disable support for Nftables on a given host. Disabling this
|
|
|
|
|
|
# option does not remove existing installation and configuration.
|
|
|
|
|
|
#
|
|
|
|
|
|
nft_enabled: true
|
|
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_pkg_state [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# What is the desired state for Nftables packages ? Possible options :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``present``
|
|
|
|
|
|
# Default. Nftables packages will be installed.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``absent``
|
|
|
|
|
|
# Ensure to remove Nftables related packages.
|
2018-07-25 15:09:04 +02:00
|
|
|
|
nft_pkg_state: 'present'
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_old_pkg_list [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of old Iptables packages to remove to avoid duplicate firewall.
|
|
|
|
|
|
#
|
2019-05-31 15:28:45 +02:00
|
|
|
|
nft_old_pkg_list:
|
|
|
|
|
|
- 'iptables'
|
2019-05-31 20:02:19 +02:00
|
|
|
|
- 'libiptc0'
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_old_pkg_state [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# What is the desired state for Iptables packages ? Possible options :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``absent``
|
|
|
|
|
|
# Default. Ensure to remove Iptables related packages.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``present``
|
|
|
|
|
|
# Iptables packages will be kept.
|
2017-08-18 09:25:28 +02:00
|
|
|
|
nft_old_pkg_state: 'absent'
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_old_pkg_manage [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the old Iptables packages should be managed ? Possible options :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``true``
|
|
|
|
|
|
# Default. Ensure to apply the required state for Iptables related packages.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``false``
|
|
|
|
|
|
# Iptables packages will not be touched.
|
2017-08-18 09:25:28 +02:00
|
|
|
|
nft_old_pkg_manage: true
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# ]]]
|
2018-05-16 14:38:33 +02:00
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# Nftables global rules [[[
|
|
|
|
|
|
# -------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_global_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for all hosts
|
|
|
|
|
|
# inherited from this role.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_default_rules:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
005 state management:
|
2017-08-07 17:07:35 +02:00
|
|
|
|
- ct state established,related accept
|
|
|
|
|
|
- ct state invalid drop
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_global_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for all hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_global_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2020-12-30 17:12:50 +01:00
|
|
|
|
# .. envvar:: nft_merged_groups [[[
|
2020-11-10 21:17:11 +01:00
|
|
|
|
#
|
|
|
|
|
|
# Enable or disable the ability to merge multiple firewall group variables
|
2020-12-30 17:12:50 +01:00
|
|
|
|
nft_merged_groups: false
|
2020-11-10 21:17:11 +01:00
|
|
|
|
# ]]]
|
2020-12-30 17:12:50 +01:00
|
|
|
|
# .. envvar:: nft_merged_groups_dir [[[
|
2020-11-10 21:17:11 +01:00
|
|
|
|
#
|
|
|
|
|
|
# The directory to read the group firewall rules from.
|
|
|
|
|
|
# Relative to the playbook directory.
|
2020-12-30 17:12:50 +01:00
|
|
|
|
nft_merged_groups_dir: vars/
|
2020-11-10 21:17:11 +01:00
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_global_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for hosts in
|
|
|
|
|
|
# specific Ansible inventory group.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_group_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_global_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of global rules (applied on all tables) to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2017-08-07 17:07:35 +02:00
|
|
|
|
nft_global_host_rules: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2019-04-16 11:50:30 +02:00
|
|
|
|
# .. envvar:: nft__custom_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Custom content (tables, include,…) to add in Nftables configuration.
|
|
|
|
|
|
nft__custom_content: ''
|
|
|
|
|
|
# ]]]
|
2021-03-03 10:40:24 +01:00
|
|
|
|
# .. envvar:: nft_custom_includes [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Custom includes to add into the main Nftables filter configuration.
|
|
|
|
|
|
nft_custom_includes: ''
|
|
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_conf_dir_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the sub directory for Nftables configuration files.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should be an absolut path and this var will be used in all *_path vars.
|
|
|
|
|
|
nft_conf_dir_path: '/etc/nftables.d'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_main_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the main configuration file called by the Systemd Nftables service.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should be an absolut path.
|
|
|
|
|
|
nft_main_conf_path: '/etc/nftables.conf'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_main_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous main configuration file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_main_conf_content: 'etc/nftables.conf.j2'
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# Nftables vars definition [[[
|
|
|
|
|
|
# ----------------------------
|
2019-04-16 15:21:48 +02:00
|
|
|
|
#
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# These lists allow to define some vars that can be used in nftables rules.
|
|
|
|
|
|
# See the official Nftables wiki page for more informations and examples :
|
|
|
|
|
|
# https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables
|
2017-08-07 17:07:35 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_define_default [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for all hosts inherited from this role.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_default:
|
|
|
|
|
|
broadcast and multicast:
|
|
|
|
|
|
desc: 'broadcast and multicast'
|
|
|
|
|
|
name: badcast_addr
|
|
|
|
|
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
2020-04-21 08:31:51 +02:00
|
|
|
|
ip6 broadcast and multicast:
|
|
|
|
|
|
desc: 'broadcast and multicast'
|
|
|
|
|
|
name: ip6_badcast_addr
|
|
|
|
|
|
value: '{ ff02::16 }'
|
2017-08-09 17:14:26 +02:00
|
|
|
|
input tcp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: in_tcp_accept
|
2017-08-09 17:14:26 +02:00
|
|
|
|
value: '{ ssh }'
|
2017-08-09 14:56:20 +02:00
|
|
|
|
output tcp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: out_tcp_accept
|
2017-08-11 13:46:50 +02:00
|
|
|
|
value: '{ http, https, hkp }'
|
2017-08-09 14:56:20 +02:00
|
|
|
|
output udp accepted:
|
2018-01-05 15:01:30 +01:00
|
|
|
|
name: out_udp_accept
|
2017-08-09 14:56:20 +02:00
|
|
|
|
value: '{ bootps, domain, ntp }'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for all hosts in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_define: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define_group [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for hosts in specific
|
|
|
|
|
|
# Ansible inventory group.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_group: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define_host [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of vars definition to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
2017-08-08 12:11:58 +02:00
|
|
|
|
nft_define_host: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_define_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the defined vars file to include in the main configuration file
|
|
|
|
|
|
# in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_define_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous defined vars file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# Nftables sets definition [[[
|
|
|
|
|
|
# ----------------------------
|
2019-04-16 15:21:48 +02:00
|
|
|
|
#
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# These "set" lists allow to define sets that can be used in Nftables rules.
|
|
|
|
|
|
# See the official Nftables wiki page for more informations and examples :
|
|
|
|
|
|
# https://wiki.nftables.org/wiki-nftables/index.php/Sets
|
2017-08-08 14:53:29 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_define_default [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for all hosts inherited from this role.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_default:
|
|
|
|
|
|
blackhole:
|
|
|
|
|
|
- type ipv4_addr;
|
|
|
|
|
|
- elements = $badcast_addr
|
2020-04-21 08:31:51 +02:00
|
|
|
|
ip6blackhole:
|
|
|
|
|
|
- type ipv6_addr;
|
|
|
|
|
|
- elements = $ip6_badcast_addr
|
2018-01-05 15:01:30 +01:00
|
|
|
|
in_tcp_accept:
|
2017-08-09 17:14:26 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $in_tcp_accept
|
|
|
|
|
|
out_tcp_accept:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $out_tcp_accept
|
|
|
|
|
|
out_udp_accept:
|
2017-08-09 14:56:20 +02:00
|
|
|
|
- type inet_service; flags interval;
|
2018-01-05 15:01:30 +01:00
|
|
|
|
- elements = $out_udp_accept
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for all hosts in the Ansible inventory.
|
2018-08-06 15:09:20 +02:00
|
|
|
|
nft_set: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set_group [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for hosts in specific Ansible inventory group.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_group: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set_host [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of sets to configure for specific hosts in the Ansible inventory.
|
2017-08-08 14:32:59 +02:00
|
|
|
|
nft_set_host: {}
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_set_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the "sets" file to include in the main configuration file
|
|
|
|
|
|
# in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_set_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous "sets" file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# inet filter table rules [[[
|
|
|
|
|
|
# ---------------------------
|
2019-04-16 15:21:48 +02:00
|
|
|
|
#
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# All these rules will be set up in an inet table in order to filter the
|
|
|
|
|
|
# input and output traffic.
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_input_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft_input_default_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type filter hook input priority 0; policy drop;
|
|
|
|
|
|
005 global:
|
|
|
|
|
|
- jump global
|
|
|
|
|
|
010 drop unwanted:
|
|
|
|
|
|
- ip daddr @blackhole counter drop
|
2020-04-21 08:31:51 +02:00
|
|
|
|
011 drop unwanted ipv6:
|
|
|
|
|
|
- ip6 daddr @ip6blackhole counter drop
|
2019-04-15 15:28:27 +02:00
|
|
|
|
015 localhost:
|
|
|
|
|
|
- iif lo accept
|
2020-05-24 09:51:27 +02:00
|
|
|
|
050 icmp:
|
|
|
|
|
|
- meta l4proto {icmp,icmpv6} accept
|
2019-04-15 15:28:27 +02:00
|
|
|
|
210 input tcp accepted:
|
|
|
|
|
|
- tcp dport @in_tcp_accept ct state new accept
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft_input_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for hosts in specific Ansible inventory group.
|
|
|
|
|
|
nft_input_group_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of input rules to configure for specific hosts in the Ansible inventory.
|
|
|
|
|
|
nft_input_host_rules: {}
|
|
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_input_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the input rules file for the filter table to include in the main
|
|
|
|
|
|
# configuration file in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_input_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous input rules file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft_output_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft_output_default_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type filter hook output priority 0; policy drop;
|
|
|
|
|
|
005 global:
|
|
|
|
|
|
- jump global
|
|
|
|
|
|
015 localhost:
|
|
|
|
|
|
- oif lo accept
|
|
|
|
|
|
050 icmp:
|
|
|
|
|
|
- ip protocol icmp accept
|
|
|
|
|
|
- ip6 nexthdr icmpv6 counter accept
|
|
|
|
|
|
200 output udp accepted:
|
|
|
|
|
|
- udp dport @out_udp_accept ct state new accept
|
|
|
|
|
|
210 output tcp accepted:
|
|
|
|
|
|
- tcp dport @out_tcp_accept ct state new accept
|
2020-04-21 08:40:31 +02:00
|
|
|
|
250 reset-ssh: # allow the host to reset SSH connections to avoid 10 min delay from Ansible controller
|
|
|
|
|
|
- tcp sport ssh tcp flags { rst, psh | ack } counter accept
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft_output_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for hosts in specific Ansible inventory group.
|
|
|
|
|
|
nft_output_group_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of output rules to configure for specific hosts in the Ansible inventory.
|
|
|
|
|
|
nft_output_host_rules: {}
|
|
|
|
|
|
# ]]]
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# .. envvar:: nft_output_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the output rules file for the filter table to include in the main
|
|
|
|
|
|
# configuration file in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_output_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous output rules file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
|
|
|
|
|
|
# ]]]
|
2021-03-03 10:47:02 +01:00
|
|
|
|
# .. envvar:: nft__forward_table_manage [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the forward table should be managed ? Possible options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# Default. The forward table is not managed and rules will not be added.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Add the forwarding rules that follow.
|
|
|
|
|
|
nft__forward_table_manage: false
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_default_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of forward rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft_forward_default_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type filter hook forward priority 0; policy drop;
|
|
|
|
|
|
005 global:
|
|
|
|
|
|
- jump global
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of forward rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft_forward_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_group_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of forward rules to configure for hosts in specific Ansible inventory group.
|
|
|
|
|
|
nft_forward_group_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_host_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of forward rules to configure for specific hosts in the Ansible inventory.
|
|
|
|
|
|
nft_forward_host_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the forward rules file for the filter table to include in the main
|
|
|
|
|
|
# configuration file in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft_forward_conf_path: '{{ nft_conf_dir_path }}/filter-forward.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_forward_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous forward rules file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft_forward_conf_content: 'etc/nftables.d/filter-forward.nft.j2'
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2019-04-16 15:48:30 +02:00
|
|
|
|
# ip nat table rules [[[
|
|
|
|
|
|
# ---------------------------
|
|
|
|
|
|
#
|
|
|
|
|
|
# All these rules will be set up in an ip table in order to perform some
|
|
|
|
|
|
# Network Address Translation (NAT).
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft__nat_table_manage [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the nat table should be managed ? Possible options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# Default. The nat table is not managed and rules will not be added.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Add the pre and postrouting rules that follow.
|
|
|
|
|
|
nft__nat_table_manage: False
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_default_prerouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of prerouting rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft__nat_default_prerouting_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type nat hook prerouting priority 0;
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_prerouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of prerouting rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft__nat_prerouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_group_prerouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of prerouting rules to configure for hosts in specific
|
|
|
|
|
|
# Ansible inventory group.
|
|
|
|
|
|
nft__nat_group_prerouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_host_prerouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of prerouting rules to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
|
|
|
|
|
nft__nat_host_prerouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_prerouting_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the prerouting rules file for the nat table to include in the main
|
|
|
|
|
|
# configuration file in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft__nat_prerouting_conf_path: '{{ nft_conf_dir_path }}/nat-prerouting.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_prerouting_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous prerouting rules file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft__nat_prerouting_conf_content: 'etc/nftables.d/nat-prerouting.nft.j2'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft__nat_default_postrouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of postrouting rules to configure for all hosts inherited from this role.
|
|
|
|
|
|
nft__nat_default_postrouting_rules:
|
|
|
|
|
|
000 policy:
|
|
|
|
|
|
- type nat hook postrouting priority 100;
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_postrouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of postrouting rules to configure for all hosts in the Ansible inventory.
|
|
|
|
|
|
nft__nat_postrouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_group_postrouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of postrouting rules to configure for hosts in specific
|
|
|
|
|
|
# Ansible inventory group.
|
|
|
|
|
|
nft__nat_group_postrouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_host_postrouting_rules [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# List of postrouting rules to configure for specific hosts
|
|
|
|
|
|
# in the Ansible inventory.
|
|
|
|
|
|
nft__nat_host_postrouting_rules: {}
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_postrouting_conf_path [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Path to the postrouting rules file for the nat table to include in the main
|
|
|
|
|
|
# configuration file in order to use the previous defined lists.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
|
|
|
|
|
|
nft__nat_postrouting_conf_path: '{{ nft_conf_dir_path }}/nat-postrouting.nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__nat_postrouting_conf_content [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Template used to provide the previous postrouting rules file.
|
|
|
|
|
|
#
|
|
|
|
|
|
# Must be a relative path from default/ directory of this role or from your
|
|
|
|
|
|
# Ansible inventory directory.
|
|
|
|
|
|
nft__nat_postrouting_conf_content: 'etc/nftables.d/nat-postrouting.nft.j2'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# Service management [[[
|
|
|
|
|
|
# ----------------------
|
2019-04-16 15:21:48 +02:00
|
|
|
|
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# .. envvar:: nft_service_manage [[[
|
|
|
|
|
|
#
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# If the Nftables service should be managed ? Possible options are :
|
2019-04-15 15:28:27 +02:00
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. The service is started.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The service will not be touched.
|
2017-08-07 14:14:14 +02:00
|
|
|
|
nft_service_manage: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_name [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# The service name to manage.
|
2017-08-07 14:14:14 +02:00
|
|
|
|
nft_service_name: 'nftables'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_enabled [[[
|
|
|
|
|
|
#
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# If the Nftables service should be enabled at startup ? Possible options are :
|
2019-04-15 15:28:27 +02:00
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. The service is enabled.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The service is disabled from startup.
|
2017-08-09 14:27:07 +02:00
|
|
|
|
nft_service_enabled: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_unit_path [[[
|
|
|
|
|
|
#
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# Path to store Nftables service.
|
2018-02-06 16:58:18 +01:00
|
|
|
|
nft_service_unit_path: '/lib/systemd/system/nftables.service'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft_service_unit_content [[[
|
|
|
|
|
|
#
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# Template used to provide systemd unit for Nftables service.
|
2018-02-06 16:58:18 +01:00
|
|
|
|
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__service_protect [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the systemd unit should have the Protect directives ? Possible options :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. Directives will be set (ProtectSystem, ProtectHome,…).
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# The directives will be ignored.
|
2019-03-15 11:13:26 +01:00
|
|
|
|
nft__service_protect: true
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
|
|
|
|
|
# .. envvar:: nft__fail2ban_service [[[
|
|
|
|
|
|
#
|
2019-04-16 15:21:48 +02:00
|
|
|
|
# If the Nftables systemd unit should also restart Fail2ban service. Possible
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# options are :
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# Default. Nftables service will not affect Fail2ban service.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Any Nftables service (re)start will also restart Fail2ban service.
|
2018-08-07 11:03:29 +02:00
|
|
|
|
nft__fail2ban_service: False
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2021-01-04 16:53:16 +01:00
|
|
|
|
# .. envvar:: nft_debug [[[
|
2020-12-30 17:12:50 +01:00
|
|
|
|
#
|
|
|
|
|
|
# Toggle on/off more verbose output. Possible options are:
|
|
|
|
|
|
#
|
|
|
|
|
|
# ''Flase''
|
|
|
|
|
|
# Default. No additional output will be given.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ''True''
|
|
|
|
|
|
# More verbose output.
|
|
|
|
|
|
nft_debug: False
|
|
|
|
|
|
|
2021-03-12 09:28:45 +01:00
|
|
|
|
# .. envvar:: nft_backup_conf [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# If the nftables config files should be backuped when changed ?
|
|
|
|
|
|
# Possible options are:
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``True``
|
|
|
|
|
|
# Default. Backup all nftables config files inside the nftables directory.
|
|
|
|
|
|
#
|
|
|
|
|
|
# ``False``
|
|
|
|
|
|
# Configs will not be backuped.
|
|
|
|
|
|
nft_backup_conf: True
|
|
|
|
|
|
# ]]]
|
2020-12-30 17:23:18 +01:00
|
|
|
|
# ]]]
|
2019-04-15 15:28:27 +02:00
|
|
|
|
# ]]]
|
2021-08-07 01:23:36 +02:00
|
|
|
|
# OS specific variables defaults [[[
|
|
|
|
|
|
# ----------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
# .. envvar:: nft__bin_location [[[
|
|
|
|
|
|
#
|
|
|
|
|
|
# Specify Nftables executable location.
|
|
|
|
|
|
#
|
|
|
|
|
|
nft__bin_location: '/usr/sbin/nft'
|
|
|
|
|
|
# ]]]
|
|
|
|
|
|
# ]]]
|
