Move input rules to a specific file.

2017-08-07 17:37:41 +02:00 · 2017-08-07 17:37:41 +02:00 · 5ff44ffcfa
parent 817e6d46fd
commit 5ff44ffcfa
5 changed files with 22 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -22,6 +22,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
 * **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
 * **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
+* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-filter.nft`].
+* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-filter.nft.j2`].
 * **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
 * **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
 * **nft_global_host_rules:** : Hosts can also add or override `global` rules.
@ -115,6 +117,7 @@ table inet firewall {
 This role will :
 * Install `nftables` on the system.
 * Generate a default configuration file loaded by systemd unit.
+* Generate input rules file include called by the main configuration file.
 * Restart `nftables` service.

 ## Development
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -8,6 +8,8 @@ nft_pkg_state: 'installed'
 # conf
 nft_main_conf_path: '/etc/nftables.conf'
 nft_main_conf_content: 'etc/nftables.conf.j2'
+nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
+nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'

 # rules
 nft_global_default_rules:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -29,4 +29,14 @@
    mode: 0755
    backup: yes
  notify: restart nftables service
+
+- name: generate input rules file
+  template:
+    src: "{{ nft_input_conf_content }}"
+    dest: "{{ nft_input_conf_path }}"
+    owner: root
+    group: root
+    mode: 0755
+    backup: yes
+  notify: restart nftables service
 # }}}
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@ -20,10 +20,7 @@ table inet firewall {
 {% endfor %}
 {% endfor %}
 	}
-	chain input {
-		type filter hook input priority 0;
-		jump global
-	}
+	include "{{ nft_input_conf_path }}"
 	chain output {
 		type filter hook output priority 0;
 		jump global
--- a/templates/etc/nftables.d/inet-filter.nft.j2
+++ b/templates/etc/nftables.d/inet-filter.nft.j2
@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+chain input {
+	type filter hook input priority 0; policy drop;
+	jump global
+}