Manage input rule with dict.

This commit is contained in:
Jeremy Gardais 2017-08-07 17:41:03 +02:00
parent 5ff44ffcfa
commit 2611dce9d9
3 changed files with 33 additions and 4 deletions

@ -27,6 +27,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules. * **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
* **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group. * **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
* **nft_global_host_rules:**: Hosts can also add or override `global` rules. * **nft_global_host_rules:**: Hosts can also add or override `global` rules.
* **nft_input_default_rules**: Set default rules for `input` chain.
* **nft_input_group_rules**: You can add `input` rules or override those defined by **nft_input_default_rules** for a group.
* **nft_input_host_rules:**: Hosts can also add or override `input` rules.
* **nft_service_manage**: If `nftables` service should be managed with this role [default: `true`]. * **nft_service_manage**: If `nftables` service should be managed with this role [default: `true`].
* **nft_service_name**: `nftables` service name [default: `nftables`]. * **nft_service_name**: `nftables` service name [default: `nftables`].
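Review bot: The new `**nft_input_host_rules:**:` entry copies the stray colon inside the bold marker from the `nft_global_host_rules:**:` line above it; write it as `**nft_input_host_rules**:` so the variable name renders correctly. The three new entries should also state the merge contract, since it is the non-obvious part of the change: keys are emitted in sorted order, and a group or host key with the same name replaces the default entry wholesale, so overriding `000 policy` replaces the chain's `type ... policy` statement rather than appending to it.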
@ -53,6 +56,14 @@ nft_global_default_rules:
- ct state invalid drop - ct state invalid drop
nft_global_group_rules: {} nft_global_group_rules: {}
nft_global_host_rules: {} nft_global_host_rules: {}
nft_input_default_rules:
000 policy:
- type filter hook input priority 0; policy drop;
001 global:
- jump global
nft_input_group_rules: {}
nft_input_host_rules: {}
``` ```
Those default will generate the following configuration: Those default will generate the following configuration:
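Review bot: The example should explain the `000 policy` / `001 global` key convention, because the numeric prefix is the only thing that keeps `type filter hook input priority 0; policy drop;` first once the merged dict is sorted; a group or host that adds a key sorting before `000` will emit its rule ahead of the chain's type statement. A one-line comment above `nft_input_default_rules` such as `# keys are emitted in sorted order; the numeric prefix fixes rule order` would be enough.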
@ -71,7 +82,7 @@ table inet firewall {
ct state invalid drop ct state invalid drop
} }
chain input { chain input {
type filter hook input priority 0; type filter hook input priority 0; policy drop;
jump global jump global
} }
chain output { chain output {
@ -91,7 +102,7 @@ table inet firewall {
} }
chain input { chain input {
type filter hook input priority 0; policy accept; type filter hook input priority 0; policy drop;
jump global jump global
} }
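Review bot: Changing the documented default `input` policy from `policy accept` to `policy drop` is a behaviour change for every existing user of the role and deserves a prominent note in the README (and a changelog entry or version bump), not only an updated example: with `jump global` as the only rule in the chain, any host that does not carry an accept rule for established connections and its management port in `global`, or add one through `nft_input_group_rules`/`nft_input_host_rules`, loses remote access on the next run.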

@ -18,6 +18,13 @@ nft_global_default_rules:
- ct state invalid drop - ct state invalid drop
nft_global_group_rules: {} nft_global_group_rules: {}
nft_global_host_rules: {} nft_global_host_rules: {}
nft_input_default_rules:
000 policy:
- type filter hook input priority 0; policy drop;
001 global:
- jump global
nft_input_group_rules: {}
nft_input_host_rules: {}
# service # service
nft_service_manage: true nft_service_manage: true
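Review bot: `defaults/main.yml` is where users look for the override contract, so add a comment above `nft_input_default_rules` stating that group and host dicts replace entries by key (set `000 policy` to change the policy, not to append to it) and that keys are emitted in sorted order. Since these defaults now produce `policy drop` on `input`, a second comment pointing at where the accept rules that keep management access open must be placed (`nft_global_default_rules` or the `nft_input_*` dicts) would save someone a lockout.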

@ -1,6 +1,17 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% set inputmerged = nft_input_default_rules.copy() %}
{% set _ = inputmerged.update(nft_input_group_rules) %}
{% set _ = inputmerged.update(nft_input_host_rules) %}
chain input { chain input {
type filter hook input priority 0; policy drop; {% for group, rules in inputmerged|dictsort %}
jump global # {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
{{ rule }}
{% endfor %}
{% endfor %}
} }
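Review bot: `{% for rule in rules %}` raises `TypeError: 'NoneType' object is not iterable` when a key has an empty value (for example `001 global:` with nothing under it, which YAML loads as `null`); the `{% if not rules %}` guard prints `# (none)` but does not skip the loop. Use `{% for rule in rules or [] %}` or move the loop into an `{% else %}` branch. The same applies to the merge lines: `inputmerged.update(nft_input_group_rules)` fails in the same way if a group or host sets the variable to `null` instead of `{}`, so `inputmerged.update(nft_input_group_rules | default({}, true))` (and likewise for the host dict) is safer. Finally, `dict.copy()` is shallow, which is fine here only because `update()` replaces whole list values rather than merging them; that replace-by-key behaviour is worth a comment at the top of the template.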