diff --git a/CHANGELOG.md b/CHANGELOG.md
index 396d28d..81e0003 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@
 * New rules (disable by default) can be define in *forward* chain (thanks to @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
+* Gentoo-specific variables
+* Ability to specify nft binary path through **nft__bin_location**
 ### Removed
 * Remove everything related to **in_udp_accept** (see conversation in PR #13).
diff --git a/README.md b/README.md
index 5d01124..677987c 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.
 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
+* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]
 ### Rules Dictionaries
diff --git a/defaults/main.yml b/defaults/main.yml
index 02f7512..75904ee 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -599,3 +599,13 @@ nft_backup_conf: True
 # ]]]
 # ]]]
 # ]]]
+# OS specific variables defaults [[[
+# ----------------------------------
+
+# .. envvar:: nft__bin_location [[[
+#
+# Specify Nftables executable location.
+#
+nft__bin_location: '/usr/sbin/nft'
+ # ]]]
+ # ]]]
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index c68075d..c385709 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!/usr/sbin/nft -f
+#!{{ nft__bin_location }} -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 3bc973d..87c51f5 100644
--- a/templates/lib/systemd/system/nftables.service.j2
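Review bot: The comment block for the new `nft__bin_location` does not say what the value is used for or what shape it must have, yet the other hunks of this commit put it into an interpreter line (`#!{{ nft__bin_location }} -f`) and into systemd ExecStart=/ExecReload=/ExecStop= lines, so it has to be an absolute path to the nft binary without whitespace. I would replace `# Specify Nftables executable location.` with `# Absolute path to the nft binary. It is used as the interpreter line of the` / `# generated nftables.conf and in the Exec* lines of nftables.service.` The two closing fold markers appear to be written as ` # ]]]` with a leading space, whereas the existing markers in the context lines sit at column 0; `# ]]]` would keep the fold structure consistent with the rest of the file.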
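Review bot: The templated interpreter line `#!{{ nft__bin_location }} -f` is only honoured when the rendered config is executed directly, and nothing in the commit checks that the value is an absolute, existing path, so a wrong value silently produces a file that cannot be run and a unit that cannot start. Ansible removes the `#jinja2:` override line when rendering, so this becomes line 1 of the deployed file and behaves as a real shebang. If the task that renders this template does not already validate, `validate: '{{ nft__bin_location }} -c -f %s'` on the `template` task would catch both a wrong binary path and a ruleset syntax error before the live file is replaced (the task file is outside this diff).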
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -13,13 +13,13 @@ ProtectSystem=full
 ProtectHome=true
 {% endif %}
 {% if nft__fail2ban_service %}
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecStop=/bin/systemctl stop fail2ban.service ; /usr/sbin/nft flush ruleset
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
+ExecStop=/bin/systemctl stop fail2ban.service ; {{ nft__bin_location }} flush ruleset
 {% else %}
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecStop=/usr/sbin/nft flush ruleset
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecStop={{ nft__bin_location }} flush ruleset
 {% endif %}
 [Install]
diff --git a/vars/gentoo.yml b/vars/gentoo.yml
new file mode 100644
index 0000000..72f42e3
--- /dev/null
+++ b/vars/gentoo.yml
@@ -0,0 +1,5 @@
+---
+# vars file for Gentoo
+nft_pkg_list:
+ - net-firewall/nftables
+nft__bin_location: "/sbin/nft"
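Review bot: With the executable now taken from `nft__bin_location`, a wrong or relative value makes ExecStart= fail at boot and the host comes up with no ruleset loaded, a fail-open outcome the commit does not guard against; a `stat` of the path plus an `assert` before the unit is rendered, or `validate:` on the template task, would turn that into a deploy-time error (the tasks are outside this diff). systemd takes the first whitespace-separated word of ExecStart= as the executable, so the value must not contain unquoted spaces, and releases before systemd 239 additionally require it to be absolute. The expression `{{ nft__bin_location }} -f {{ nft_main_conf_path }}` is now repeated four times across the two branches; a single `{% set nft_load = nft__bin_location ~ ' -f ' ~ nft_main_conf_path %}` near the top of the template (outside the hunk, as is the enclosing [Service] header) would keep both branches in step.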
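Review bot: `vars/gentoo.yml` pins `nft__bin_location` to `/sbin/nft` without saying why it differs from the role default `/usr/sbin/nft` that the README now documents; a comment such as `# Gentoo installs nft under /sbin rather than /usr/sbin as on the other supported distributions` would save the next reader a check. If this file is loaded the same way as the other per-OS vars files the README refers to (`include_vars` or role vars), its value takes precedence over inventory and play vars, so Gentoo users cannot override the binary path from inventory; that is worth a sentence in the README. The quoting also differs from `defaults/main.yml` (`"/sbin/nft"` versus `'/usr/sbin/nft'`); one style across the role would be cleaner.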