Support merged firewall rules for multiple groups per host.

- Multiple groups for a single server will now lead to all firewall
    rules being merged instead of overwritten.

defaults/main.yml

@@ -74,6 +74,17 @@ nft_global_default_rules:
 # in the Ansible inventory.
 nft_global_rules: {}
                                                                    # ]]]
+# .. envvar:: merged_groups [[[
+#
+# Enable or disable the ability to merge multiple firewall group variables
+merged_groups: false
+                                                                   # ]]]
+# .. envvar:: merged_groups_dir [[[
+#
+# The directory to read the group firewall rules from.
+# Relative to the playbook directory.
+merged_groups_dir: vars/
+                                                                   # ]]]
 # .. envvar:: nft_global_group_rules [[[
 #
 # List of global rules (applied on all tables) to configure for hosts in

tasks/main.yml

@@ -2,16 +2,33 @@
 # .. vim: foldmarker=[[[,]]]:foldmethod=marker
 #
 # tasks file for nftables
+- name: Import nftables-variables if merged_groups is set
+  when: merged_groups
+  set_fact:
+    "{{ groupname }}": "{{ lookup('file',merged_groups_dir ~ groupname) | from_yaml }}"
+  loop: "{{ group_names }}"
+  loop_control:
+    loop_var: groupname
+
+- name: Combine Rules when merged_groups is set
+  when: merged_groups
+  set_fact:
+    nft_combined_rules: "{{ nft_combined_rules | default({}) | combine ( hostvars[inventory_hostname][groupname], recursive=True ) }}"
+  loop: "{{ group_names }}"
+  loop_control:
+    loop_var: groupname
 
 - name: Load specific OS vars for nftables
-  include_vars: "{{ item }}"
+  include_vars: "{{ osname }}"
   with_first_found:
     - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
     - "{{ ansible_distribution|lower }}.yml"
     - "{{ ansible_os_family|lower }}.yml"
+  loop_control:
+    loop_var: osname
 
 # Manage packages [[[1
-- name: Ensure Nftables packages are in there desired state
+- name: Ensure Nftables packages are in their desired state
   package:
     name: '{{ nft_pkg_list | list }}'
     state: '{{ nft_pkg_state }}'
@@ -19,7 +36,7 @@
   until: pkg_install_result is success
   when: nft_enabled|bool
 
-- name: Ensure old Iptables packages are in there desired state
+- name: Ensure old Iptables packages are in their desired state
   apt:
     name: '{{ nft_old_pkg_list | list }}'
     state: '{{ nft_old_pkg_state }}'

templates/etc/nftables.conf.j2

@@ -1,8 +1,12 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 #!/usr/sbin/nft -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}
 {% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+  {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
 {% set _ = globalmerged.update(nft_global_host_rules) %}
 
 # clean

templates/etc/nftables.d/defines.nft.j2

@@ -1,10 +1,13 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set definemerged = nft_define_default.copy() %}
 {% set _ = definemerged.update(nft_define) %}
 {% set _ = definemerged.update(nft_define_group) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group is defined%}
+  {% set _ = definemerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_define_group) %}
+{% endif %}
 {% set _ = definemerged.update(nft_define_host) %}
 
-
 {% for definition in definemerged.values() %}
   {% if definition.desc is defined %}
 # {{ definition.desc }}

templates/etc/nftables.d/filter-input.nft.j2

@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set inputmerged = nft_input_default_rules.copy() %}
 {% set _ = inputmerged.update(nft_input_rules) %}
 {% set _ = inputmerged.update(nft_input_group_rules) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules is defined %}
+  {% set _ = inputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_input_group_rules) %}
+{% endif %}
 {% set _ = inputmerged.update(nft_input_host_rules) %}
 
 chain input {

templates/etc/nftables.d/filter-output.nft.j2

@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set outputmerged = nft_output_default_rules.copy() %}
 {% set _ = outputmerged.update(nft_output_rules) %}
 {% set _ = outputmerged.update(nft_output_group_rules) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules is defined %}
+  {% set _ = outputmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_output_group_rules) %}
+{% endif %}
 {% set _ = outputmerged.update(nft_output_host_rules) %}
 
 chain output {

templates/etc/nftables.d/nat-postrouting.nft.j2

@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set postroutingmerged = nft__nat_default_postrouting_rules.copy() %}
 {% set _ = postroutingmerged.update(nft__nat_postrouting_rules) %}
 {% set _ = postroutingmerged.update(nft__nat_group_postrouting_rules) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules is defined %}
+  {% set _ = postroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_postrouting_rules) %}
+{% endif %}
 {% set _ = postroutingmerged.update(nft__nat_host_postrouting_rules) %}
 
 chain postrouting {

templates/etc/nftables.d/nat-prerouting.nft.j2

@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set preroutingmerged = nft__nat_default_prerouting_rules.copy() %}
 {% set _ = preroutingmerged.update(nft__nat_prerouting_rules) %}
 {% set _ = preroutingmerged.update(nft__nat_group_prerouting_rules) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules is defined %}
+  {% set _ = preroutingmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft__nat_group_prerouting_rules) %}
+{% endif %}
 {% set _ = preroutingmerged.update(nft__nat_host_prerouting_rules) %}
 
 chain prerouting {

templates/etc/nftables.d/sets.nft.j2

@@ -1,7 +1,11 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
 # {{ ansible_managed }}
 {% set setmerged = nft_set_default.copy() %}
 {% set _ = setmerged.update(nft_set) %}
 {% set _ = setmerged.update(nft_set_group) %}
+{% if merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group is defined %}
+  {% set _ = setmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_set_group) %}
+{% endif %}
 {% set _ = setmerged.update(nft_set_host) %}
 
 {% for set, rules in setmerged|dictsort  %}