Manage sets and maps definitions in a specific file.
parent
983e77df5d
commit
043bc55dcb
38
README.md
38
README.md
|
@ -24,6 +24,10 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
|
||||||
* **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
|
* **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
|
||||||
* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-input.nft`].
|
* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-input.nft`].
|
||||||
* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-input.nft.j2`].
|
* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-input.nft.j2`].
|
||||||
|
* **nft_define_conf_path** : Vars definition file include in main configuration file [default : `/etc/nftables.d/defines.nft`].
|
||||||
|
* **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
|
||||||
|
* **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `/etc/nftables.d/inet-sets.nft`].
|
||||||
|
* **nft_sets_conf_content** : Template used to generate the previous sets and maps definition file [default : `etc/nftables.d/inet-sets.nft.j2`].
|
||||||
* **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
|
* **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
|
||||||
* **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
|
* **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
|
||||||
* **nft_global_host_rules:** : Hosts can also add or override `global` rules.
|
* **nft_global_host_rules:** : Hosts can also add or override `global` rules.
|
||||||
|
@ -63,10 +67,25 @@ nft_global_host_rules: {}
|
||||||
nft_input_default_rules:
|
nft_input_default_rules:
|
||||||
000 policy:
|
000 policy:
|
||||||
- type filter hook input priority 0; policy drop;
|
- type filter hook input priority 0; policy drop;
|
||||||
001 global:
|
005 global:
|
||||||
- jump global
|
- jump global
|
||||||
nft_input_group_rules: {}
|
nft_input_group_rules: {}
|
||||||
nft_input_host_rules: {}
|
nft_input_host_rules: {}
|
||||||
|
|
||||||
|
# define nft vars
|
||||||
|
nft_define_default:
|
||||||
|
broadcast and multicast:
|
||||||
|
desc: 'broadcast and multicast'
|
||||||
|
name: badcast_addr
|
||||||
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||||
|
nft_define_group: {}
|
||||||
|
nft_define_host: {}
|
||||||
|
nft_set_default:
|
||||||
|
blackhole:
|
||||||
|
- type ipv4_addr;
|
||||||
|
- elements = $badcast_addr
|
||||||
|
nft_set_group: {}
|
||||||
|
nft_set_host: {}
|
||||||
```
|
```
|
||||||
|
|
||||||
Those default will generate the following configuration :
|
Those default will generate the following configuration :
|
||||||
|
@ -74,20 +93,19 @@ Those default will generate the following configuration :
|
||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
# Ansible managed
|
# Ansible managed
|
||||||
|
|
||||||
|
|
||||||
# clean
|
# clean
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
|
||||||
|
include "/etc/nftables.d/defines.nft"
|
||||||
|
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
chain global {
|
chain global {
|
||||||
# 000 state management
|
# 000 state management
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
}
|
}
|
||||||
chain input {
|
include "/etc/nftables.d/inet-sets.nft"
|
||||||
type filter hook input priority 0; policy drop;
|
include "/etc/nftables.d/inet-input.nft"
|
||||||
jump global
|
|
||||||
}
|
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0;
|
||||||
jump global
|
jump global
|
||||||
|
@ -99,6 +117,11 @@ And you get the same result by displaying the ruleset on the host : `$ nft lis
|
||||||
|
|
||||||
```
|
```
|
||||||
table inet firewall {
|
table inet firewall {
|
||||||
|
set blackhole {
|
||||||
|
type ipv4_addr
|
||||||
|
elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }
|
||||||
|
}
|
||||||
|
|
||||||
chain global {
|
chain global {
|
||||||
ct state established,related accept
|
ct state established,related accept
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
|
@ -148,8 +171,9 @@ nft_input_group_rules:
|
||||||
|
|
||||||
This role will :
|
This role will :
|
||||||
* Install `nftables` on the system.
|
* Install `nftables` on the system.
|
||||||
* Generate a default configuration file loaded by systemd unit.
|
* Generate a default configuration file which include all following files and loaded by systemd unit.
|
||||||
* Generate input rules file include called by the main configuration file.
|
* Generate input rules file include called by the main configuration file.
|
||||||
|
* Generate vars in a file and sets and maps in another file.
|
||||||
* Restart `nftables` service.
|
* Restart `nftables` service.
|
||||||
|
|
||||||
## Development
|
## Development
|
||||||
|
|
|
@ -12,6 +12,8 @@ nft_input_conf_path: '/etc/nftables.d/inet-input.nft'
|
||||||
nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2'
|
nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2'
|
||||||
nft_define_conf_path: '/etc/nftables.d/defines.nft'
|
nft_define_conf_path: '/etc/nftables.d/defines.nft'
|
||||||
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
||||||
|
nft_set_conf_path: '/etc/nftables.d/inet-sets.nft'
|
||||||
|
nft_set_conf_content: 'etc/nftables.d/inet-sets.nft.j2'
|
||||||
|
|
||||||
# rules
|
# rules
|
||||||
nft_global_default_rules:
|
nft_global_default_rules:
|
||||||
|
@ -23,7 +25,7 @@ nft_global_host_rules: {}
|
||||||
nft_input_default_rules:
|
nft_input_default_rules:
|
||||||
000 policy:
|
000 policy:
|
||||||
- type filter hook input priority 0; policy drop;
|
- type filter hook input priority 0; policy drop;
|
||||||
001 global:
|
005 global:
|
||||||
- jump global
|
- jump global
|
||||||
nft_input_group_rules: {}
|
nft_input_group_rules: {}
|
||||||
nft_input_host_rules: {}
|
nft_input_host_rules: {}
|
||||||
|
@ -36,6 +38,12 @@ nft_define_default:
|
||||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||||
nft_define_group: {}
|
nft_define_group: {}
|
||||||
nft_define_host: {}
|
nft_define_host: {}
|
||||||
|
nft_set_default:
|
||||||
|
blackhole:
|
||||||
|
- type ipv4_addr;
|
||||||
|
- elements = $badcast_addr
|
||||||
|
nft_set_group: {}
|
||||||
|
nft_set_host: {}
|
||||||
|
|
||||||
# service
|
# service
|
||||||
nft_service_manage: true
|
nft_service_manage: true
|
||||||
|
|
|
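Review bot: The new variable names `nft_set_conf_path` / `nft_set_conf_content` in this defaults hunk do not match what README.md in the same commit documents, `nft_sets_conf_path` / `nft_sets_conf_content`; a user who overrides the documented name silently keeps the default path, so one side should be renamed (the task and the main template both use the `nft_set_` form, so the README is the likely place to fix). The `nft_set_default` … `nft_set_host` block follows the existing `nft_define_*` layout, but unlike `# rules` and `# service` it has no section marker; a `# sets and maps` comment above `nft_set_default:` would match the file's style. The `001 global:` → `005 global:` renumbering changes an ordering key: if group/host rules are merged by key the way the new sets template merges its dicts, an existing override of `001 global` would now coexist with the default `005 global` rather than replace it, which is worth a note for anyone upgrading.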
@ -49,4 +49,14 @@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nftables service
|
notify: restart nftables service
|
||||||
|
|
||||||
|
- name: generate sets and maps file
|
||||||
|
template:
|
||||||
|
src: "{{ nft_set_conf_content }}"
|
||||||
|
dest: "{{ nft_set_conf_path }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0755
|
||||||
|
backup: yes
|
||||||
|
notify: restart nftables service
|
||||||
# }}}
|
# }}}
|
||||||
|
|
|
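Review bot: The new `generate sets and maps file` task gives the generated fragment `mode: 0755`, but the file is a ruleset piece pulled in through the main configuration's `include`, so the execute bit serves no purpose; `mode: '0644'` (or `'0640'` if the address sets are considered sensitive) is the least-privilege choice. The preceding task visible in the hunk context uses the same 0755, so tightening both keeps the two template tasks consistent. Quoting the value also avoids the unquoted leading-zero octal ambiguity that YAML linters flag. The task owning the context lines at the top of the hunk starts outside it.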
@ -21,6 +21,7 @@ table inet firewall {
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
}
|
}
|
||||||
|
include "{{ nft_set_conf_path }}"
|
||||||
include "{{ nft_input_conf_path }}"
|
include "{{ nft_input_conf_path }}"
|
||||||
chain output {
|
chain output {
|
||||||
type filter hook output priority 0;
|
type filter hook output priority 0;
|
||||||
|
|
|
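Review bot: The new `include "{{ nft_set_conf_path }}"` is placed after `chain global` closes and before the input include, which is the order that works because nft resolves `@set` references as it parses the rules that use them, but nothing in the template says that ordering is load-bearing; a one-line comment such as `{# sets/maps must be included before any chain that references them #}` above the new include would keep a future reorder from breaking `nft -f`. The enclosing `table inet firewall {` block opens outside this hunk.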
@ -0,0 +1,15 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
{% set setmerged = nft_set_default.copy() %}
|
||||||
|
{% set _ = setmerged.update(nft_set_group) %}
|
||||||
|
{% set _ = setmerged.update(nft_set_host) %}
|
||||||
|
|
||||||
|
{% for set, rules in setmerged|dictsort %}
|
||||||
|
{% if rules %}
|
||||||
|
set {{ set }} {
|
||||||
|
{% for rule in rules %}
|
||||||
|
{{ rule }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
{% endfor %}
|
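Review bot: The loop variable in `{% for set, rules in setmerged|dictsort %}` is named `set`, the same word as Jinja's own `set` tag; it parses, but it reads like a tag and is easy to misread, so `{% for set_name, rules in setmerged|dictsort %}` with `set {{ set_name }} {` is clearer. The three-line copy/update merge at the top can be written with Ansible's `combine` filter, `{% set setmerged = nft_set_default | combine(nft_set_group, nft_set_host) %}`, which avoids mutating a copy through throwaway `_` assignments. A header comment would help the next reader, e.g. `{# default/group/host sets merged by name; overriding a set with an empty list drops it, see the 'if rules' guard #}`. Since the main template includes this file inside `table inet firewall`, it is presumably not loadable by `nft -f` on its own, which is also worth stating in that comment.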