From 5ff44ffcfad252fd2579af6a40205462ad815971 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Mon, 7 Aug 2017 17:37:41 +0200
Subject: [PATCH] Move input rules to a specific file.
---
 README.md | 3 +++
 defaults/main.yml | 2 ++
 tasks/main.yml | 10 ++++++++++
 templates/etc/nftables.conf.j2 | 5 +----
 templates/etc/nftables.d/inet-filter.nft.j2 | 6 ++++++
 5 files changed, 22 insertions(+), 4 deletions(-)
 create mode 100644 templates/etc/nftables.d/inet-filter.nft.j2
diff --git a/README.md b/README.md
index fa19254..42f21f8 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
 * **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
 * **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
+* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-filter.nft`].
+* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-filter.nft.j2`].
 * **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
 * **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
 * **nft_global_host_rules:** : Hosts can also add or override `global` rules.
@@ -115,6 +117,7 @@ table inet firewall {
 This role will :
 * Install `nftables` on the system.
 * Generate a default configuration file loaded by systemd unit.
+* Generate input rules file include called by the main configuration file.
 * Restart `nftables` service.

 ## Development
diff --git a/defaults/main.yml b/defaults/main.yml
index 3b74875..af02dcf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,6 +8,8 @@ nft_pkg_state: 'installed'
 # conf
 nft_main_conf_path: '/etc/nftables.conf'
 nft_main_conf_content: 'etc/nftables.conf.j2'
+nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
+nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
 # rules
 nft_global_default_rules:
diff --git a/tasks/main.yml b/tasks/main.yml
index 6ddd1de..92e19f7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -29,4 +29,14 @@
 mode: 0755
 backup: yes
 notify: restart nftables service
+
+- name: generate input rules file
+ template:
+ src: "{{ nft_input_conf_content }}"
+ dest: "{{ nft_input_conf_path }}"
+ owner: root
+ group: root
+ mode: 0755
+ backup: yes
+ notify: restart nftables service
 # }}}
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index 9e7c23b..9f28db8 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -20,10 +20,7 @@ table inet firewall {
 {% endfor %}
 {% endfor %}
 }
- chain input {
- type filter hook input priority 0;
- jump global
- }
+ include "{{ nft_input_conf_path }}"
 chain output {
 type filter hook output priority 0;
 jump global
diff --git a/templates/etc/nftables.d/inet-filter.nft.j2 b/templates/etc/nftables.d/inet-filter.nft.j2
new file mode 100644
index 0000000..26c274b
--- /dev/null
+++ b/templates/etc/nftables.d/inet-filter.nft.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+chain input {
+ type filter hook input priority 0; policy drop;
+ jump global
+}
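Review bot: The new `generate input rules file` task renders into `{{ nft_input_conf_path }}`, whose default in defaults/main.yml is `/etc/nftables.d/inet-filter.nft`, but nothing in the role creates `/etc/nftables.d/`; the `template` module does not create parent directories, so on a host where the package does not ship that directory the task will fail and the main config's `include` of the same path would then reference a missing file. A `file` task with `state: directory` on the dirname should precede it. Separately, `mode: 0755` makes a rules file that is only ever read by `nft` executable and world-readable; `0640` would be the more conservative choice, though the existing main-config task in the context lines uses 0755 as well, so this is presumably copied for consistency. Indentation of the added lines is lost in this rendering, so I read them as an ordinary task-list entry.

```yaml
- name: ensure input rules directory exists
  file:
    path: "{{ nft_input_conf_path | dirname }}"
    state: directory
    owner: root
    group: root
    mode: 0755

# … unchanged: generate input rules file task …
```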
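Review bot: The added `include "{{ nft_input_conf_path }}"` sits inside the `table inet firewall { ... }` block (the block opens before this hunk), so the included file is only valid if it contains bare chain definitions for that table, a contract the template does not state anywhere. A one-line comment above the include would make it explicit: `{# included file must define only chains of table inet firewall; rendered from nft_input_conf_content #}`. The variable is also interpolated unescaped into a double-quoted nft string, so a value containing `"` would break ruleset parsing; since it is an operator-controlled role variable rather than untrusted input, noting that in the README entry is enough.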
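Review bot: The relocated `input` chain gains `policy drop;`, which the inline chain removed from templates/etc/nftables.conf.j2 did not have (an nftables base chain without an explicit policy accepts by default), so this commit changes the host's default input behaviour while its title and README text only describe a file move. With `jump global` as the only rule, every packet the global chain does not accept is now dropped, including management traffic, unless the global rules defined elsewhere in the role accept it, which I cannot verify from this diff. The drop default is the safer posture, so the ask is visibility and an escape hatch rather than a revert: state the new default in the commit message and README, and consider exposing it as a role variable, e.g. `type filter hook input priority 0; policy {{ nft_input_default_policy | default('drop') }};` (constructed variable name).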