Change variable names + add debug toggle.

README.md

@@ -70,8 +70,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`].
 * **nft__service_protect** : If systemd unit should protect system and home [default : `true`].
 * **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`].
-* **merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`].
-* **merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`].
+* **nft_merged_groups** : If variables from the hosts Ansible groups should be merged [default : `false`].
+* **nft_merged_groups_dir** : The dictionary where the nftables group rules, named like the Ansible groups, are located in [default : `vars/`].
+* **nft_debug** : Toggle more verbose output on/off. [default: 'false'].
 
 ### OS Specific Variables
 
@@ -85,7 +86,7 @@ Each type of rules dictionaries will be merged and rules will be applied in the
   * **nft_*_default_rules** : Define default rules for all nodes. You can define it in `group_vars/all`.
   * **nft_*_rules** : Can add rules and override those defined by **nft_*_default_rules**. You can define it in `group_vars/all`.
   * **nft_*_group_rules** : Can add rules and override those defined by **nft_*_default_rules** and **nft_*_rules**. You can define it in `group_vars/webservers`.
-    * If 'merged_groups' is set to true, multiple group rules from the ansible groups will also be merged together.
+    * If 'nft_merged_groups' is set to true, multiple group rules from the ansible groups will also be merged together.
   * **nft_*_host_rules** : Can add rules and override those define by **nft_*_default_rules**, **nft_*_group_rules** and **nft_*_rules**. You can define it in `host_vars/www.local.domain`.
 
 `defaults/main.yml`:
@@ -97,8 +98,8 @@ nft_global_default_rules:
     - ct state established,related accept
     - ct state invalid drop
 nft_global_rules: {}
-merged_groups: false
-merged_groups_dir: vars/
+nft_merged_groups: false
+nft_merged_groups_dir: vars/
 nft_global_group_rules: {}
 nft_global_host_rules: {}
 
@@ -293,8 +294,8 @@ nft_input_group_rules:
 ``` yml
 - hosts: serverXYZ
   vars:
-    merged_groups: true
-    merged_groups_dir: vars/
+    nft_merged_groups: true
+    nft_merged_groups_dir: vars/
   roles:
     - role: ipr-cnrs.nftables
 ```

defaults/main.yml

@@ -74,16 +74,16 @@ nft_global_default_rules:
 # in the Ansible inventory.
 nft_global_rules: {}
                                                                    # ]]]
-# .. envvar:: merged_groups [[[
+# .. envvar:: nft_merged_groups [[[
 #
 # Enable or disable the ability to merge multiple firewall group variables
-merged_groups: false
+nft_merged_groups: false
                                                                    # ]]]
-# .. envvar:: merged_groups_dir [[[
+# .. envvar:: nft_merged_groups_dir [[[
 #
 # The directory to read the group firewall rules from.
 # Relative to the playbook directory.
-merged_groups_dir: vars/
+nft_merged_groups_dir: vars/
                                                                    # ]]]
 # .. envvar:: nft_global_group_rules [[[
 #
@@ -525,5 +525,17 @@ nft__service_protect: true
 #   Any Nftables service (re)start will also restart Fail2ban service.
 nft__fail2ban_service: False
                                                                    # ]]]
+# .. envvar:: nft_debug [
+#
+# Toggle on/off more verbose output. Possible options are:
+#
+# ''Flase''
+# Default. No additional output will be given.
+#
+# ''True''
+# More verbose output.
+nft_debug: False
+
+
                                                                    # ]]]
                                                                    # ]]]

tasks/main.yml

@@ -7,31 +7,35 @@
   become: no
   delegate_to: localhost
   stat:
-    path: "{{ merged_groups_dir ~ groupname }}"
-  register: nftable_group_rules
+    path: "{{ nft_merged_groups_dir ~ groupname }}"
+  register: nftables_group_rules
   loop: "{{ group_names }}"
   loop_control:
     loop_var: groupname
 
-- debug: var=nftable_group_rules
+- debug: var=nftables_group_rules
+  when: nft_debug
 
-- name: Import nftables-variables if merged_groups is set
-  when: merged_groups and varfile.stat.exists
+- name: Import nftables-variables if nft_merged_groups is set
+  when: nft_merged_groups and varfile.stat.exists
   include_vars:
-    file: "{{ merged_groups_dir ~ varfile.groupname }}"
+    file: "{{ nft_merged_groups_dir ~ varfile.groupname }}"
     name: "{{ varfile.groupname }}"
-  loop: "{{ nftable_group_rules.results }}"
+  loop: "{{ nftables_group_rules.results }}"
   loop_control:
     loop_var: varfile
 
-- name: Combine Rules when merged_groups is set
-  when: merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
+- name: Combine Rules when nft_merged_groups is set
+  when: nft_merged_groups and (hostvars[inventory_hostname][varfile.groupname] is defined and hostvars[inventory_hostname][varfile.groupname]|length > 0) and varfile.stat.exists
   set_fact:
     nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][varfile.groupname], recursive=True ) }}"
-  loop: "{{ nftable_group_rules.results }}"
+  loop: "{{ nftables_group_rules.results }}"
   loop_control:
     loop_var: varfile
 
+- debug: var=nft_combined_rules
+  when: nft_debug
+
 - name: Load specific OS vars for nftables
   include_vars: "{{ osname }}"
   with_first_found:

templates/etc/nftables.conf.j2

@@ -4,7 +4,7 @@
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}
 {% set _ = globalmerged.update(nft_global_group_rules) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
   {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
 {% endif %}
 {% set _ = globalmerged.update(nft_global_host_rules) %}

templates/etc/nftables.d/defines.nft.j2

@@ -3,7 +3,7 @@
 {% set definemerged = nft_define_default.copy() %}
 {% set _ = definemerged.update(nft_define) %}
 {% set _ = definemerged.update(nft_define_group) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%}
   {% set _ = definemerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group) %}
 {% endif %}
 {% set _ = definemerged.update(nft_define_host) %}

templates/etc/nftables.d/filter-input.nft.j2

@@ -3,7 +3,7 @@
 {% set inputmerged = nft_input_default_rules.copy() %}
 {% set _ = inputmerged.update(nft_input_rules) %}
 {% set _ = inputmerged.update(nft_input_group_rules) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %}
   {% set _ = inputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules) %}
 {% endif %}
 {% set _ = inputmerged.update(nft_input_host_rules) %}

templates/etc/nftables.d/filter-output.nft.j2

@@ -3,7 +3,7 @@
 {% set outputmerged = nft_output_default_rules.copy() %}
 {% set _ = outputmerged.update(nft_output_rules) %}
 {% set _ = outputmerged.update(nft_output_group_rules) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %}
   {% set _ = outputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules) %}
 {% endif %}
 {% set _ = outputmerged.update(nft_output_host_rules) %}

templates/etc/nftables.d/nat-postrouting.nft.j2

@@ -3,7 +3,7 @@
 {% set postroutingmerged = nft__nat_default_postrouting_rules.copy() %}
 {% set _ = postroutingmerged.update(nft__nat_postrouting_rules) %}
 {% set _ = postroutingmerged.update(nft__nat_group_postrouting_rules) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %}
   {% set _ = postroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules) %}
 {% endif %}
 {% set _ = postroutingmerged.update(nft__nat_host_postrouting_rules) %}

templates/etc/nftables.d/nat-prerouting.nft.j2

@@ -3,7 +3,7 @@
 {% set preroutingmerged = nft__nat_default_prerouting_rules.copy() %}
 {% set _ = preroutingmerged.update(nft__nat_prerouting_rules) %}
 {% set _ = preroutingmerged.update(nft__nat_group_prerouting_rules) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %}
   {% set _ = preroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules) %}
 {% endif %}
 {% set _ = preroutingmerged.update(nft__nat_host_prerouting_rules) %}

templates/etc/nftables.d/sets.nft.j2

@@ -3,7 +3,7 @@
 {% set setmerged = nft_set_default.copy() %}
 {% set _ = setmerged.update(nft_set) %}
 {% set _ = setmerged.update(nft_set_group) %}
-{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %}
   {% set _ = setmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group) %}
 {% endif %}
 {% set _ = setmerged.update(nft_set_host) %}