ansible.nftables/tasks/main.yml

---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# tasks file for nftables

- name: Check for group files
  become: no
  delegate_to: localhost
  stat:
    path: "{{ nft_merged_groups_dir ~ groupname }}"
  register: nftables_group_rules
  loop: "{{ group_names }}"
  loop_control:
    loop_var: groupname

- debug: var=nftables_group_rules
  when: nft_debug

- name: Import nftables-variables if nft_merged_groups is set
  when: nft_merged_groups and varfile.stat.exists
  include_vars:
    file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"
    name: "{{ varfile.groupname }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- name: Combine Rules when nft_merged_groups is set
  when: nft_merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
  set_fact:
    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
  loop: "{{ nftables_group_rules.results }}"
  loop_control:
    loop_var: varfile

- debug: var=nft_combined_rules
  when: nft_debug

- name: Load specific OS vars for nftables
  include_vars: "{{ osname }}"
  with_first_found:
    - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
    - "{{ ansible_distribution|lower }}.yml"
    - "{{ ansible_os_family|lower }}.yml"
  loop_control:
    loop_var: osname

# Manage packages [[[1
- name: Ensure Nftables packages are in their desired state
  package:
    name: '{{ nft_pkg_list | list }}'
    state: '{{ nft_pkg_state }}'
  register: pkg_install_result
  until: pkg_install_result is success
  when: nft_enabled|bool

- name: Ensure old Iptables packages are in their desired state
  package:
    name: '{{ nft_old_pkg_list | list }}'
    state: '{{ nft_old_pkg_state }}'
  register: pkg_remove_result
  until: pkg_remove_result is success
  when: (nft_enabled|bool and
         nft_old_pkg_manage|bool)

# Common configuration [[[1
- name: Ensure to create nftables.d directory
  file:
    path: "{{ nft_conf_dir_path }}"
    state: directory
    mode: 0755
  when: nft_enabled|bool

- name: CONFIG generate main conf file
  template:
    src: "{{ nft_main_conf_content }}"
    dest: "{{ nft_main_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate vars definition file
  template:
    src: "{{ nft_define_conf_content }}"
    dest: "{{ nft_define_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: CONFIG generate sets file
  template:
    src: "{{ nft_set_conf_content }}"
    dest: "{{ nft_set_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: nft_enabled|bool

# Filter table content [[[1
- name: Filter table - generate input rules file
  template:
    src: "{{ nft_input_conf_content }}"
    dest: "{{ nft_input_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: nft_enabled|bool

- name: Filter table - generate output rules file
  template:
    src: "{{ nft_output_conf_content }}"
    dest: "{{ nft_output_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: nft_enabled|bool

# Nat table content [[[1
- name: Nat table - generate prerouting rules file
  template:
    src: "{{ nft__nat_prerouting_conf_content }}"
    dest: "{{ nft__nat_prerouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

- name: Nat table - generate postrouting rules file
  template:
    src: "{{ nft__nat_postrouting_conf_content }}"
    dest: "{{ nft__nat_postrouting_conf_path }}"
    owner: root
    group: root
    mode: 0755
    backup: yes
  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

# Manage service [[[1
- name: Install Debian systemd service unit
  template:
    src: '{{ nft_service_unit_content }}'
    dest: '{{ nft_service_unit_path }}'
    owner: 'root'
    group: 'root'
    mode: '0644'
  register: nftables__register_systemd_service
  when: (nft_enabled|bool and
         nft_service_manage|bool)
  notify: ['Restart nftables service']
Install nftables. 2017-08-07 12:09:13 +02:00			`---`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# .. vim: foldmarker=[[[,]]]:foldmethod=marker`
			`#`
Install nftables. 2017-08-07 12:09:13 +02:00			`# tasks file for nftables`
Fix error when variables were empty 2020-11-11 15:27:08 +01:00
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`- name: Check for group files`
			`become: no`
			`delegate_to: localhost`
			`stat:`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`path: "{{ nft_merged_groups_dir ~ groupname }}"`
			`register: nftables_group_rules`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop: "{{ group_names }}"`
			`loop_control:`
			`loop_var: groupname`

Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- debug: var=nftables_group_rules`
			`when: nft_debug`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- name: Import nftables-variables if nft_merged_groups is set`
			`when: nft_merged_groups and varfile.stat.exists`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`include_vars:`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`name: "{{ varfile.groupname }}"`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`loop: "{{ nftables_group_rules.results }}"`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`loop_control:`
			`loop_var: varfile`

Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- name: Combine Rules when nft_merged_groups is set`
			`when: nft_merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]\|length > 0) and varfile.stat.exists`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`set_fact:`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`nft_combined_rules: "{{ nft_combined_rules \| default({}) \| combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"`
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`loop: "{{ nftables_group_rules.results }}"`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop_control:`
Allow for undefined group variables for merged_groups. 2020-12-01 16:17:01 +01:00			`loop_var: varfile`
Install nftables. 2017-08-07 12:09:13 +02:00
Change variable names + add debug toggle. 2020-12-30 17:12:50 +01:00			`- debug: var=nft_combined_rules`
			`when: nft_debug`

Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: Load specific OS vars for nftables`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`include_vars: "{{ osname }}"`
Install nftables. 2017-08-07 12:09:13 +02:00			`with_first_found:`
			`- "{{ ansible_distribution\|lower }}-{{ ansible_distribution_version }}.yml"`
			`- "{{ ansible_distribution\|lower }}.yml"`
			`- "{{ ansible_os_family\|lower }}.yml"`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`loop_control:`
			`loop_var: osname`
Install nftables. 2017-08-07 12:09:13 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Manage packages [[[1`
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`- name: Ensure Nftables packages are in their desired state`
Install nftables. 2017-08-07 12:09:13 +02:00			`package:`
Fix deprecation warning with ansible 2.7 [DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{ item }}"`, please use `name: ['{{ nft_old_pkg_list }}']` and remove the loop. This feature will be removed in version 2.11. Signed-off-by: Julien Viard de Galbert <julien@vdg.name> 2019-05-07 00:00:48 +02:00			`name: '{{ nft_pkg_list \| list }}'`
Install nftables. 2017-08-07 12:09:13 +02:00			`state: '{{ nft_pkg_state }}'`
Fix E405 Remote package tasks should have a retry 2019-02-27 13:31:25 +01:00			`register: pkg_install_result`
			`until: pkg_install_result is success`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Install nftables. 2017-08-07 12:09:13 +02:00
Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. 2020-11-10 21:17:11 +01:00			`- name: Ensure old Iptables packages are in their desired state`
Fix error when variables were empty 2020-11-11 15:27:08 +01:00			`package:`
Fix deprecation warning with ansible 2.7 [DEPRECATION WARNING]: Invoking "apt" only once while using a loop via squash_actions is deprecated. Instead of using a loop to supply multiple items and specifying `name: "{{ item }}"`, please use `name: ['{{ nft_old_pkg_list }}']` and remove the loop. This feature will be removed in version 2.11. Signed-off-by: Julien Viard de Galbert <julien@vdg.name> 2019-05-07 00:00:48 +02:00			`name: '{{ nft_old_pkg_list \| list }}'`
Ensure to remove old packages (iptables,…). 2017-08-18 09:25:28 +02:00			`state: '{{ nft_old_pkg_state }}'`
Fix E405 Remote package tasks should have a retry 2019-02-27 13:31:25 +01:00			`register: pkg_remove_result`
			`until: pkg_remove_result is success`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_old_pkg_manage\|bool)`

Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Common configuration [[[1`
			`- name: Ensure to create nftables.d directory`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00			`file:`
			`path: "{{ nft_conf_dir_path }}"`
			`state: directory`
			`mode: 0755`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Ensure to create the the directory to store the differents configuration files (/etc/nftables.d). 2017-08-18 09:18:43 +02:00
			`- name: CONFIG generate main conf file`
Generate main configuration file. 2017-08-07 13:48:54 +02:00			`template:`
			`src: "{{ nft_main_conf_content }}"`
			`dest: "{{ nft_main_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: CONFIG generate vars definition file`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_define_conf_content }}"`
			`dest: "{{ nft_define_conf_path }}"`
Move input rules to a specific file. 2017-08-07 17:37:41 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: CONFIG generate sets file`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_set_conf_content }}"`
			`dest: "{{ nft_set_conf_path }}"`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Move output rules to a specific file. 2017-08-08 15:35:05 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Filter table content [[[1`
			`- name: Filter table - generate input rules file`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_input_conf_content }}"`
			`dest: "{{ nft_input_conf_path }}"`
Add possibility to have nftables vars. 2017-08-08 12:11:58 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`- name: Filter table - generate output rules file`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`template:`
Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`src: "{{ nft_output_conf_content }}"`
			`dest: "{{ nft_output_conf_path }}"`
Manage sets and maps definitions in a specific file. 2017-08-08 14:32:59 +02:00			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: nft_enabled\|bool`
Manage nftables service at startup. 2017-08-09 14:27:07 +02:00
Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`# Nat table content [[[1`
			`- name: Nat table - generate prerouting rules file`
			`template:`
			`src: "{{ nft__nat_prerouting_conf_content }}"`
			`dest: "{{ nft__nat_prerouting_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`when: (nft_enabled\|bool and`
			`nft__nat_table_manage\|bool)`

			`- name: Nat table - generate postrouting rules file`
			`template:`
			`src: "{{ nft__nat_postrouting_conf_content }}"`
			`dest: "{{ nft__nat_postrouting_conf_path }}"`
			`owner: root`
			`group: root`
			`mode: 0755`
			`backup: yes`
Reload nftables service to apply new rules Fix #3 Github 2020-04-21 09:53:57 +02:00			`notify: ['Reload nftables service']`
Generate Nat table rules files 2019-04-16 15:48:30 +02:00			`when: (nft_enabled\|bool and`
			`nft__nat_table_manage\|bool)`

Clean tasks name and comments in tasks/main.yml file 2019-04-16 13:48:48 +02:00			`# Manage service [[[1`
			`- name: Install Debian systemd service unit`
Provide the systemd unit. 2018-02-06 16:58:18 +01:00			`template:`
			`src: '{{ nft_service_unit_content }}'`
			`dest: '{{ nft_service_unit_path }}'`
			`owner: 'root'`
			`group: 'root'`
			`mode: '0644'`
			`register: nftables__register_systemd_service`
Set a variable to enable/disable Nftables 2018-05-16 14:38:33 +02:00			`when: (nft_enabled\|bool and`
			`nft_service_manage\|bool)`
Move two task in systemd handler (try to fix #1) Try to fix the long delay at the first run. 2018-07-25 15:06:31 +02:00			`notify: ['Restart nftables service']`