From 290a86e906b514244e9ed39e1d6bef11f070cf9e Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Tue, 10 Nov 2020 21:17:11 +0100 Subject: [PATCH 1/7] Support merged firewall rules for multiple groups per host. - Multiple groups for a single server will now lead to all firewall rules being merged instead of overwritten. --- defaults/main.yml | 11 +++++++++ tasks/main.yml | 23 ++++++++++++++++--- templates/etc/nftables.conf.j2 | 12 ++++++---- templates/etc/nftables.d/defines.nft.j2 | 11 +++++---- templates/etc/nftables.d/filter-input.nft.j2 | 12 ++++++---- templates/etc/nftables.d/filter-output.nft.j2 | 12 ++++++---- .../etc/nftables.d/nat-postrouting.nft.j2 | 12 ++++++---- .../etc/nftables.d/nat-prerouting.nft.j2 | 12 ++++++---- templates/etc/nftables.d/sets.nft.j2 | 12 ++++++---- 9 files changed, 86 insertions(+), 31 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 86b73ef..96c8a76 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -74,6 +74,17 @@ nft_global_default_rules: # in the Ansible inventory. nft_global_rules: {} # ]]] +# .. envvar:: merged_groups [[[ +# +# Enable or disable the ability to merge multiple firewall group variables +merged_groups: false + # ]]] +# .. envvar:: merged_groups_dir [[[ +# +# The directory to read the group firewall rules from. +# Relative to the playbook directory. +merged_groups_dir: vars/ + # ]]] # .. envvar:: nft_global_group_rules [[[ # # List of global rules (applied on all tables) to configure for hosts in diff --git a/tasks/main.yml b/tasks/main.yml index 544725a..82199fc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
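Review bot: `merged_groups_dir: vars/` only works because `tasks/main.yml` joins it to the group name with `~` and no separator, so a value without the trailing slash (`vars`) silently becomes a file name such as `varswebservers` and the feature stops finding anything. Either say so in the new comment, e.g. `# Must end with a trailing slash: it is concatenated directly with the group name.`, or build the path in the task as `merged_groups_dir ~ '/' ~ groupname` so both spellings work. The comment "Relative to the playbook directory" is also only approximately right for a `lookup('file', ...)` issued from inside a role, which to my knowledge searches the role's own `files/` directory before the playbook directory; pinning the base with `playbook_dir` would make the documented behaviour the actual one.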
@@ -2,16 +2,33 @@
 # .. vim: foldmarker=[[[,]]]:foldmethod=marker
 #
 # tasks file for nftables
+- name: Import nftables-variables if merged_groups is set
+  when: merged_groups
+  set_fact:
+    "{{ groupname }}": "{{ lookup('file',merged_groups_dir ~ groupname) | from_yaml }}"
+  loop: "{{ group_names }}"
+  loop_control:
+    loop_var: groupname
+
+- name: Combine Rules when merged_groups is set
+  when: merged_groups
+  set_fact:
+    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][groupname], recursive=True ) }}"
+  loop: "{{ group_names }}"
+  loop_control:
+    loop_var: groupname
 
 - name: Load specific OS vars for nftables
-  include_vars: "{{ item }}"
+  include_vars: "{{ osname }}"
   with_first_found:
     - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
     - "{{ ansible_distribution|lower }}.yml"
     - "{{ ansible_os_family|lower }}.yml"
+  loop_control:
+    loop_var: osname
 
 # Manage packages [[[1
-- name: Ensure Nftables packages are in there desired state
+- name: Ensure Nftables packages are in their desired state
   package:
     name: '{{ nft_pkg_list | list }}'
     state: '{{ nft_pkg_state }}'
@@ -19,7 +36,7 @@
     until: pkg_install_result is success
   when: nft_enabled|bool
 
-- name: Ensure old Iptables packages are in there desired state
+- name: Ensure old Iptables packages are in their desired state
   apt:
     name: '{{ nft_old_pkg_list | list }}'
     state: '{{ nft_old_pkg_state }}'
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index 6dde3e7..2cd184d 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
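Review bot: The new `Combine Rules` task merges each group's variables with `combine(..., recursive=True)`, which recurses into nested dicts but replaces list values wholesale, so when two groups define the same rule key (both carrying, say, `nft_input_group_rules: {'020 icmp': [...]}`) only the group processed last in `group_names` survives — the commit message's "merged instead of overwritten" holds only for distinct keys. Either document that same-key rule lists are overridden in `group_names` order, or pass `list_merge='append'` (Ansible ≥ 2.10) if concatenation is what operators expect. Separately, the first task's `set_fact` with the dynamic key `"{{ groupname }}"` creates a host fact named after each inventory group, so a group whose name coincides with an existing variable (including this role's own `nft_*` names) shadows it for the rest of the play; storing the loaded data under a namespaced key such as `nft_group_vars_{{ groupname }}` avoids that.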
@@ -1,8 +1,12 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" #!/usr/sbin/nft -f # {{ ansible_managed }} {% set globalmerged = nft_global_default_rules.copy() %} {% set _ = globalmerged.update(nft_global_rules) %} {% set _ = globalmerged.update(nft_global_group_rules) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%} + {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %} +{% endif %} {% set _ = globalmerged.update(nft_global_host_rules) %} # clean @@ -14,12 +18,12 @@ table inet filter { chain global { {% for group, rules in globalmerged|dictsort %} # {{ group }} -{% if not rules %} + {% if not rules %} # (none) -{% endif %} -{% for rule in rules %} + {% endif %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} {% endfor %} } include "{{ nft_set_conf_path }}" diff --git a/templates/etc/nftables.d/defines.nft.j2 b/templates/etc/nftables.d/defines.nft.j2 index 94516d6..89d8709 100644 --- a/templates/etc/nftables.d/defines.nft.j2 +++ b/templates/etc/nftables.d/defines.nft.j2 @@ -1,16 +1,19 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set definemerged = nft_define_default.copy() %} {% set _ = definemerged.update(nft_define) %} {% set _ = definemerged.update(nft_define_group) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%} + {% set _ = definemerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group) %} +{% endif %} {% set _ = definemerged.update(nft_define_host) %} - {% for definition in definemerged.values() %} -{% if definition.desc is defined %} + {% if definition.desc is defined %} # {{ definition.desc }} -{% else %} + {% else %} # {{ definition.name }} -{% endif %} + {% endif %} define {{ definition.name }} = {{ definition.value }} {% endfor %} 
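Review bot: The new guard `{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined %}` dereferences `nft_combined_rules` before anything is tested, yet the `set_fact` in `tasks/main.yml` that creates it only runs inside the `group_names` loop, so on a host that is in no group beyond `all` with `merged_groups: true` the fact is absent and the template may fail with an undefined-variable error instead of skipping the block (exact behaviour depends on Ansible's undefined handling). A guard of the form `{% if merged_groups and nft_combined_rules is defined and nft_combined_rules.nft_global_group_rules is defined %}` fails closed in the intended way, and `hostvars[inventory_hostname]` is redundant for the very host being templated. The same construct is repeated in every other template in this commit and should be fixed in all of them.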
diff --git a/templates/etc/nftables.d/filter-input.nft.j2 b/templates/etc/nftables.d/filter-input.nft.j2 index a7ff44a..6d0b4b3 100644 --- a/templates/etc/nftables.d/filter-input.nft.j2 +++ b/templates/etc/nftables.d/filter-input.nft.j2 @@ -1,17 +1,21 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set inputmerged = nft_input_default_rules.copy() %} {% set _ = inputmerged.update(nft_input_rules) %} {% set _ = inputmerged.update(nft_input_group_rules) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %} + {% set _ = inputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules) %} +{% endif %} {% set _ = inputmerged.update(nft_input_host_rules) %} chain input { {% for group, rules in inputmerged|dictsort %} # {{ group }} -{% if not rules %} + {% if not rules %} # (none) -{% endif %} -{% for rule in rules %} + {% endif %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} {% endfor %} } diff --git a/templates/etc/nftables.d/filter-output.nft.j2 b/templates/etc/nftables.d/filter-output.nft.j2 index 269ac05..a4a7619 100644 --- a/templates/etc/nftables.d/filter-output.nft.j2 +++ b/templates/etc/nftables.d/filter-output.nft.j2 
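Review bot: The merged group rules are applied via `inputmerged.update(...)` after `nft_input_group_rules` and before `nft_input_host_rules`, so on an equal key a `vars/<group>` file overrides what `group_vars/` set, while host rules still win; neither this template nor the README text added later in the series states that ordering, and with a firewall ruleset the layer that wins a key collision decides what traffic is accepted. Add a comment above the new block, e.g. `{# per-group files from merged_groups_dir override nft_input_group_rules on equal keys; nft_input_host_rules still has the last word #}`, so operators can predict the outcome of a clash.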
@@ -1,17 +1,21 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set outputmerged = nft_output_default_rules.copy() %} {% set _ = outputmerged.update(nft_output_rules) %} {% set _ = outputmerged.update(nft_output_group_rules) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %} + {% set _ = outputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules) %} +{% endif %} {% set _ = outputmerged.update(nft_output_host_rules) %} chain output { {% for group, rules in outputmerged|dictsort %} # {{ group }} -{% if not rules %} + {% if not rules %} # (none) -{% endif %} -{% for rule in rules %} + {% endif %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} {% endfor %} } diff --git a/templates/etc/nftables.d/nat-postrouting.nft.j2 b/templates/etc/nftables.d/nat-postrouting.nft.j2 index d4d91c3..1555098 100644 --- a/templates/etc/nftables.d/nat-postrouting.nft.j2 +++ b/templates/etc/nftables.d/nat-postrouting.nft.j2 @@ -1,17 +1,21 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set postroutingmerged = nft__nat_default_postrouting_rules.copy() %} {% set _ = postroutingmerged.update(nft__nat_postrouting_rules) %} {% set _ = postroutingmerged.update(nft__nat_group_postrouting_rules) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %} + {% set _ = postroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules) %} +{% endif %} {% set _ = postroutingmerged.update(nft__nat_host_postrouting_rules) %} chain postrouting { {% for group, rules in postroutingmerged|dictsort %} # {{ group }} -{% if not rules %} + {% if not rules %} # (none) -{% endif %} -{% for rule in rules %} + {% endif %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} {% endfor %} } 
diff --git a/templates/etc/nftables.d/nat-prerouting.nft.j2 b/templates/etc/nftables.d/nat-prerouting.nft.j2 index c14d0c4..3bb217e 100644 --- a/templates/etc/nftables.d/nat-prerouting.nft.j2 +++ b/templates/etc/nftables.d/nat-prerouting.nft.j2 @@ -1,17 +1,21 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set preroutingmerged = nft__nat_default_prerouting_rules.copy() %} {% set _ = preroutingmerged.update(nft__nat_prerouting_rules) %} {% set _ = preroutingmerged.update(nft__nat_group_prerouting_rules) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %} + {% set _ = preroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules) %} +{% endif %} {% set _ = preroutingmerged.update(nft__nat_host_prerouting_rules) %} chain prerouting { {% for group, rules in preroutingmerged|dictsort %} # {{ group }} -{% if not rules %} + {% if not rules %} # (none) -{% endif %} -{% for rule in rules %} + {% endif %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} {% endfor %} } diff --git a/templates/etc/nftables.d/sets.nft.j2 b/templates/etc/nftables.d/sets.nft.j2 index b7eba99..004db3c 100644 --- a/templates/etc/nftables.d/sets.nft.j2 +++ b/templates/etc/nftables.d/sets.nft.j2 
@@ -1,16 +1,20 @@ +#jinja2: lstrip_blocks: "True", trim_blocks: "True" # {{ ansible_managed }} {% set setmerged = nft_set_default.copy() %} {% set _ = setmerged.update(nft_set) %} {% set _ = setmerged.update(nft_set_group) %} +{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %} + {% set _ = setmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group) %} +{% endif %} {% set _ = setmerged.update(nft_set_host) %} {% for set, rules in setmerged|dictsort %} -{% if rules %} + {% if rules %} set {{ set }} { -{% for rule in rules %} + {% for rule in rules %} {{ rule }} -{% endfor %} + {% endfor %} } -{% endif %} + {% endif %} {% endfor %} From 2b61973d1c325d0d919bfbbbaa45fc45709cc4c6 Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Wed, 11 Nov 2020 15:27:08 +0100 Subject: [PATCH 2/7] Fix error when variables were empty --- tasks/main.yml | 10 ++++++---- vars/centos.yml | 4 ++++ 2 files changed, 10 insertions(+), 4 deletions(-) create mode 100644 vars/centos.yml diff --git a/tasks/main.yml b/tasks/main.yml index 82199fc..02d08c1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,16 +2,18 @@ # .. vim: foldmarker=[[[,]]]:foldmethod=marker # # tasks file for nftables + - name: Import nftables-variables if merged_groups is set when: merged_groups - set_fact: - "{{ groupname }}": "{{ lookup('file',merged_groups_dir ~ groupname) | from_yaml }}" + include_vars: + file: "{{ merged_groups_dir ~ groupname }}" + name: "{{ groupname }}" loop: "{{ group_names }}" loop_control: loop_var: groupname - name: Combine Rules when merged_groups is set - when: merged_groups + when: merged_groups and hostvars[inventory_hostname][groupname]|length > 0 set_fact: nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][groupname], recursive=True ) }}" loop: "{{ group_names }}" 
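Review bot: `include_vars` now reads `{{ merged_groups_dir ~ groupname }}` from the controller with the group name taken verbatim from the inventory; when groups come from a dynamic inventory (cloud tags, a CMDB), a name containing `/` or `..` resolves outside `vars/` and loads an arbitrary controller-readable YAML file into host facts that end up in the rendered firewall ruleset. Constrain the name before using it as a path, e.g. `file: "{{ merged_groups_dir ~ (groupname | basename) }}"`, or add an `assert` that every entry of `group_names` matches `^[A-Za-z0-9_]+$`. Note too that `name: "{{ groupname }}"` registers a variable named after the group, so group names containing characters that are not valid in an Ansible variable name (hyphens are common) need confirming against the `name` validation of `include_vars`.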
@@ -37,7 +39,7 @@ when: nft_enabled|bool - name: Ensure old Iptables packages are in their desired state - apt: + package: name: '{{ nft_old_pkg_list | list }}' state: '{{ nft_old_pkg_state }}' register: pkg_remove_result diff --git a/vars/centos.yml b/vars/centos.yml new file mode 100644 index 0000000..8de5ba2 --- /dev/null +++ b/vars/centos.yml @@ -0,0 +1,4 @@ +--- +# vars file for Centos-based distros +nft_pkg_list: + - nftables From 65d741478535e90b4ae591ca6ce90086704491bd Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Sun, 29 Nov 2020 15:29:22 +0100 Subject: [PATCH 3/7] Added merged_groups info to README. --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index 9fba6ac..ff4cc40 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,7 @@ Each type of rules dictionaries will be merged and rules will be applied in the * **nft_*_default_rules** : Define default rules for all nodes. You can define it in `group_vars/all`. * **nft_*_rules** : Can add rules and override those defined by **nft_*_default_rules**. You can define it in `group_vars/all`. * **nft_*_group_rules** : Can add rules and override those defined by **nft_*_default_rules** and **nft_*_rules**. You can define it in `group_vars/webservers`. + * If 'merged_groups' is set to true, multiple group rules from the ansible groups will also be merged together. * **nft_*_host_rules** : Can add rules and override those define by **nft_*_default_rules**, **nft_*_group_rules** and **nft_*_rules**. You can define it in `host_vars/www.local.domain`. `defaults/main.yml`: @@ -94,6 +95,8 @@ nft_global_default_rules: - ct state established,related accept - ct state invalid drop nft_global_rules: {} +merged_groups: false +merged_groups_dir: vars/ nft_global_group_rules: {} nft_global_host_rules: {} 
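Review bot: Switching the iptables-removal task from `apt` to `package` makes it run on the CentOS hosts that the new `vars/centos.yml` enables, but that vars file sets only `nft_pkg_list`, so `nft_old_pkg_list` and `nft_old_pkg_state` keep whatever the role defaults define (not visible in this hunk). If those defaults are Debian package names, the yum backend will be asked to act on packages it does not know, and how that is reported differs from apt — possibly a hard failure on every CentOS run. Either add `nft_old_pkg_list: []` to `vars/centos.yml` with a comment, or guard the task with `when: nft_old_pkg_list | length > 0`.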
@@ -283,6 +286,39 @@ nft_input_group_rules: - counter ``` +* Use merged group rules from multiple ansible groups: + +``` yml +- hosts: serverXYZ + vars: + merged_groups: true + merged_groups_dir: vars/ + roles: + - role: ipr-cnrs.nftables +``` + +And put the rules inside the "vars" folder named after your ansible groups of the server: + +`vars/first_group` : + +``` yaml +nft_input_group_rules: + 020 icmp: + - ip protocol icmp icmp type echo-request ip length <= 84 counter limit rate 1/minute accept + 999 count policy packet: + - counter +``` + +`vars/second_group` : + +``` yaml +nft_input_group_rules: + 021 LAN: + - iif eth0 accept +``` + +These rulesets from the two groups will be merged if the host has the two groups as ansible roles. + ## Known Issue * The 10 minutes delay at the first run is finally fixed by allowing the host to reset SSH connection (flags `rst, psh | ack`) (see #1). From 3d5edb45b9d5c7323aa6858226b3596a3f162f1f Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Sun, 29 Nov 2020 15:36:26 +0100 Subject: [PATCH 4/7] Add additional variables to README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index ff4cc40..8b393a2 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] ( * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`]. * **nft__service_protect** : If systemd unit should protect system and home [default : `true`]. * **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`]. +* **merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`]. +* **merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`]. ### OS Specific Variables From b3e26a435e5b5b05be5b3263c854dd69cb3e172f Mon Sep 17 00:00:00 2001 
From: Philipp Rintz
Date: Tue, 1 Dec 2020 16:17:01 +0100
Subject: [PATCH 5/7] Allow for undefined group variables for merged_groups.

---
 tasks/main.yml | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index 02d08c1..a4bdfa0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,22 +3,34 @@
 #
 # tasks file for nftables
 
-- name: Import nftables-variables if merged_groups is set
-  when: merged_groups
-  include_vars:
-    file: "{{ merged_groups_dir ~ groupname }}"
-    name: "{{ groupname }}"
+- name: Check for group files
+  become: no
+  delegate_to: localhost
+  stat:
+    path: "{{ merged_groups_dir ~ groupname }}"
+  register: nftable_group_rules
   loop: "{{ group_names }}"
   loop_control:
     loop_var: groupname
 
-- name: Combine Rules when merged_groups is set
-  when: merged_groups and hostvars[inventory_hostname][groupname]|length > 0
-  set_fact:
-    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][groupname], recursive=True ) }}"
-  loop: "{{ group_names }}"
+- debug: var=nftable_group_rules
+
+- name: Import nftables-variables if merged_groups is set
+  when: merged_groups and varfile.stat.exists
+  include_vars:
+    file: "{{ merged_groups_dir ~ varfile.groupname }}"
+    name: "{{ varfile.groupname }}"
+  loop: "{{ nftable_group_rules.results }}"
   loop_control:
-    loop_var: groupname
+    loop_var: varfile
+
+- name: Combine Rules when merged_groups is set
+  when: merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
+  set_fact:
+    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
+  loop: "{{ nftable_group_rules.results }}"
+  loop_control:
+    loop_var: varfile
 
 - name: Load specific OS vars for nftables
   include_vars: "{{ osname }}"
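Review bot: The new `stat` task tests `{{ merged_groups_dir ~ groupname }}` relative to the working directory of the `ansible-playbook` process (it is a plain `stat` delegated to localhost), while the `include_vars` that follows resolves the same relative path through Ansible's file search order (role directories, then the playbook directory, to my reading), so the two can disagree: a file present in the cwd but not in the playbook tree passes the `varfile.stat.exists` gate and `include_vars` then fails, and the reverse silently skips rules the operator expects to be applied. Anchor both to the base the defaults document, e.g. `path: "{{ playbook_dir }}/{{ merged_groups_dir ~ groupname }}"` and `file: "{{ playbook_dir }}/{{ merged_groups_dir ~ varfile.groupname }}"`. The `stat` task also lacks `when: merged_groups`, so it runs against the controller for every group of every host even when the feature is off.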
From 19ee0ed2bce7a49a45aae33d5fdef42f3027f37d Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Wed, 30 Dec 2020 17:12:50 +0100 Subject: [PATCH 6/7] Change variable names + add debug toggle. --- README.md | 15 ++++++------ defaults/main.yml | 20 ++++++++++++---- tasks/main.yml | 24 +++++++++++-------- templates/etc/nftables.conf.j2 | 2 +- templates/etc/nftables.d/defines.nft.j2 | 2 +- templates/etc/nftables.d/filter-input.nft.j2 | 2 +- templates/etc/nftables.d/filter-output.nft.j2 | 2 +- .../etc/nftables.d/nat-postrouting.nft.j2 | 2 +- .../etc/nftables.d/nat-prerouting.nft.j2 | 2 +- templates/etc/nftables.d/sets.nft.j2 | 2 +- 10 files changed, 45 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index 8b393a2..57aff86 100644 --- a/README.md +++ b/README.md @@ -70,8 +70,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] ( * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`]. * **nft__service_protect** : If systemd unit should protect system and home [default : `true`]. * **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`]. -* **merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`]. -* **merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`]. +* **nft_merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`]. +* **nft_merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`]. +* **nft_debug** : Toggle more verbose output on/off. [default: 'false']. ### OS Specific Variables 
@@ -85,7 +86,7 @@ Each type of rules dictionaries will be merged and rules will be applied in the * **nft_*_default_rules** : Define default rules for all nodes. You can define it in `group_vars/all`. * **nft_*_rules** : Can add rules and override those defined by **nft_*_default_rules**. You can define it in `group_vars/all`. * **nft_*_group_rules** : Can add rules and override those defined by **nft_*_default_rules** and **nft_*_rules**. You can define it in `group_vars/webservers`. - * If 'merged_groups' is set to true, multiple group rules from the ansible groups will also be merged together. + * If 'nft_merged_groups' is set to true, multiple group rules from the ansible groups will also be merged together. * **nft_*_host_rules** : Can add rules and override those define by **nft_*_default_rules**, **nft_*_group_rules** and **nft_*_rules**. You can define it in `host_vars/www.local.domain`. `defaults/main.yml`: @@ -97,8 +98,8 @@ nft_global_default_rules: - ct state established,related accept - ct state invalid drop nft_global_rules: {} -merged_groups: false -merged_groups_dir: vars/ +nft_merged_groups: false +nft_merged_groups_dir: vars/ nft_global_group_rules: {} nft_global_host_rules: {} @@ -293,8 +294,8 @@ nft_input_group_rules: ``` yml - hosts: serverXYZ vars: - merged_groups: true - merged_groups_dir: vars/ + nft_merged_groups: true + nft_merged_groups_dir: vars/ roles: - role: ipr-cnrs.nftables ``` diff --git a/defaults/main.yml b/defaults/main.yml index 96c8a76..4970d45 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -74,16 +74,16 @@ nft_global_default_rules: # in the Ansible inventory. nft_global_rules: {} # ]]] -# .. envvar:: merged_groups [[[ +# .. envvar:: nft_merged_groups [[[ # # Enable or disable the ability to merge multiple firewall group variables -merged_groups: false +nft_merged_groups: false # ]]] -# .. envvar:: merged_groups_dir [[[ +# .. envvar:: nft_merged_groups_dir [[[ # # The directory to read the group firewall rules from. # Relative to the playbook directory. -merged_groups_dir: vars/ +nft_merged_groups_dir: vars/ # ]]] # .. envvar:: nft_global_group_rules [[[ # @@ -525,5 +525,17 @@ nft__service_protect: true # Any Nftables service (re)start will also restart Fail2ban service. nft__fail2ban_service: False # ]]] +# .. envvar:: nft_debug [ +# +# Toggle on/off more verbose output. Possible options are: +# +# ''Flase'' +# Default. No additional output will be given. +# +# ''True'' +# More verbose output. +nft_debug: False + + # ]]] # ]]] diff --git a/tasks/main.yml b/tasks/main.yml index a4bdfa0..67bcaa8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
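Review bot: In the second hunk the new documentation block opens with `# .. envvar:: nft_debug [` where every sibling block uses the `[[[` marker declared by the file's `foldmarker=[[[,]]]` modeline, so the fold for `nft_debug` never opens and the markers below it are parsed out of step; change the opener to `# .. envvar:: nft_debug [[[` (the follow-up commit only fixes the indentation of a closer). The option text also reads `''Flase''` for the default value, and `nft_debug: False` is spelled differently from `nft_merged_groups: false` earlier in the same file — pick one boolean spelling for the role's defaults.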
@@ -7,31 +7,35 @@
   become: no
   delegate_to: localhost
   stat:
-    path: "{{ merged_groups_dir ~ groupname }}"
-  register: nftable_group_rules
+    path: "{{ nft_merged_groups_dir ~ groupname }}"
+  register: nftables_group_rules
   loop: "{{ group_names }}"
   loop_control:
     loop_var: groupname
 
-- debug: var=nftable_group_rules
+- debug: var=nftables_group_rules
+  when: nft_debug
 
-- name: Import nftables-variables if merged_groups is set
-  when: merged_groups and varfile.stat.exists
+- name: Import nftables-variables if nft_merged_groups is set
+  when: nft_merged_groups and varfile.stat.exists
   include_vars:
-    file: "{{ merged_groups_dir ~ varfile.groupname }}"
+    file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"
     name: "{{ varfile.groupname }}"
-  loop: "{{ nftable_group_rules.results }}"
+  loop: "{{ nftables_group_rules.results }}"
   loop_control:
     loop_var: varfile
 
-- name: Combine Rules when merged_groups is set
-  when: merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
+- name: Combine Rules when nft_merged_groups is set
+  when: nft_merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
   set_fact:
     nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
-  loop: "{{ nftable_group_rules.results }}"
+  loop: "{{ nftables_group_rules.results }}"
   loop_control:
     loop_var: varfile
 
+- debug: var=nft_combined_rules
+  when: nft_debug
+
 - name: Load specific OS vars for nftables
   include_vars: "{{ osname }}"
   with_first_found:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index 2cd184d..b7a46c5 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
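Review bot: The `Check for group files` task whose body opens this hunk (its `- name:` line is just above it) still carries no `when: nft_merged_groups`, so with the feature disabled the role keeps running `stat` on `vars/<group>` on the controller once per group per host and feeding the results into two tasks that are then skipped; add `when: nft_merged_groups` to it while the other conditions are being renamed. The new `- debug: var=nft_combined_rules` gated on `nft_debug` is a reasonable toggle, but it prints the complete merged ruleset into the play output, so CI systems that archive logs will retain whatever addresses and interface names the rules contain whenever `nft_debug` is on — a one-line comment such as `# nft_debug dumps the full merged ruleset; keep it off in shared CI logs` would make that trade-off explicit.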
@@ -4,7 +4,7 @@ {% set globalmerged = nft_global_default_rules.copy() %} {% set _ = globalmerged.update(nft_global_rules) %} {% set _ = globalmerged.update(nft_global_group_rules) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%} {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %} {% endif %} {% set _ = globalmerged.update(nft_global_host_rules) %} diff --git a/templates/etc/nftables.d/defines.nft.j2 b/templates/etc/nftables.d/defines.nft.j2 index 89d8709..43d15e4 100644 --- a/templates/etc/nftables.d/defines.nft.j2 +++ b/templates/etc/nftables.d/defines.nft.j2 @@ -3,7 +3,7 @@ {% set definemerged = nft_define_default.copy() %} {% set _ = definemerged.update(nft_define) %} {% set _ = definemerged.update(nft_define_group) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%} {% set _ = definemerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group) %} {% endif %} {% set _ = definemerged.update(nft_define_host) %} diff --git a/templates/etc/nftables.d/filter-input.nft.j2 b/templates/etc/nftables.d/filter-input.nft.j2 index 6d0b4b3..1692390 100644 --- a/templates/etc/nftables.d/filter-input.nft.j2 +++ b/templates/etc/nftables.d/filter-input.nft.j2 
@@ -3,7 +3,7 @@ {% set inputmerged = nft_input_default_rules.copy() %} {% set _ = inputmerged.update(nft_input_rules) %} {% set _ = inputmerged.update(nft_input_group_rules) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %} {% set _ = inputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules) %} {% endif %} {% set _ = inputmerged.update(nft_input_host_rules) %} diff --git a/templates/etc/nftables.d/filter-output.nft.j2 b/templates/etc/nftables.d/filter-output.nft.j2 index a4a7619..9920c26 100644 --- a/templates/etc/nftables.d/filter-output.nft.j2 +++ b/templates/etc/nftables.d/filter-output.nft.j2 @@ -3,7 +3,7 @@ {% set outputmerged = nft_output_default_rules.copy() %} {% set _ = outputmerged.update(nft_output_rules) %} {% set _ = outputmerged.update(nft_output_group_rules) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %} {% set _ = outputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules) %} {% endif %} {% set _ = outputmerged.update(nft_output_host_rules) %} diff --git a/templates/etc/nftables.d/nat-postrouting.nft.j2 b/templates/etc/nftables.d/nat-postrouting.nft.j2 index 1555098..5d4483d 100644 --- a/templates/etc/nftables.d/nat-postrouting.nft.j2 +++ b/templates/etc/nftables.d/nat-postrouting.nft.j2 
@@ -3,7 +3,7 @@ {% set postroutingmerged = nft__nat_default_postrouting_rules.copy() %} {% set _ = postroutingmerged.update(nft__nat_postrouting_rules) %} {% set _ = postroutingmerged.update(nft__nat_group_postrouting_rules) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %} {% set _ = postroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules) %} {% endif %} {% set _ = postroutingmerged.update(nft__nat_host_postrouting_rules) %} diff --git a/templates/etc/nftables.d/nat-prerouting.nft.j2 b/templates/etc/nftables.d/nat-prerouting.nft.j2 index 3bb217e..82e079b 100644 --- a/templates/etc/nftables.d/nat-prerouting.nft.j2 +++ b/templates/etc/nftables.d/nat-prerouting.nft.j2 @@ -3,7 +3,7 @@ {% set preroutingmerged = nft__nat_default_prerouting_rules.copy() %} {% set _ = preroutingmerged.update(nft__nat_prerouting_rules) %} {% set _ = preroutingmerged.update(nft__nat_group_prerouting_rules) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %} {% set _ = preroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules) %} {% endif %} {% set _ = preroutingmerged.update(nft__nat_host_prerouting_rules) %} diff --git a/templates/etc/nftables.d/sets.nft.j2 b/templates/etc/nftables.d/sets.nft.j2 index 004db3c..46cd459 100644 --- a/templates/etc/nftables.d/sets.nft.j2 +++ b/templates/etc/nftables.d/sets.nft.j2 
@@ -3,7 +3,7 @@ {% set setmerged = nft_set_default.copy() %} {% set _ = setmerged.update(nft_set) %} {% set _ = setmerged.update(nft_set_group) %} -{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %} +{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %} {% set _ = setmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group) %} {% endif %} {% set _ = setmerged.update(nft_set_host) %} From 639a9f7109a526021bf80782f1710b3805761de6 Mon Sep 17 00:00:00 2001 From: Philipp Rintz Date: Wed, 30 Dec 2020 17:23:18 +0100 Subject: [PATCH 7/7] Fix formatting mistake in defaults/main.yml --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4970d45..c4dc7b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -536,6 +536,6 @@ nft__fail2ban_service: False # More verbose output. nft_debug: False - + # ]]] # ]]] # ]]]