Move input rules to a specific file.

This commit is contained in:
Jeremy Gardais 2017-08-07 17:37:41 +02:00
parent 817e6d46fd
commit 5ff44ffcfa
5 changed files with 22 additions and 4 deletions

View File

@ -22,6 +22,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_pkg_state**: State of new `nftables` package(s) [default: `installed`]. * **nft_pkg_state**: State of new `nftables` package(s) [default: `installed`].
* **nft_main_conf_path**: Main configuration file loaded by systemd unit [default: `/etc/nftables.conf`]. * **nft_main_conf_path**: Main configuration file loaded by systemd unit [default: `/etc/nftables.conf`].
* **nft_main_conf_content**: Template used to generate the previous main configuration file [default: `etc/nftables.conf.j2`]. * **nft_main_conf_content**: Template used to generate the previous main configuration file [default: `etc/nftables.conf.j2`].
* **nft_input_conf_path**: Input configuration file include in main configuration file [default: `/etc/nftables.d/inet-filter.nft`].
* **nft_input_conf_content**: Template used to generate the previous input configuration file [default: `etc/nftables.d/inet-filter.nft.j2`].
* **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules. * **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
* **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group. * **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
* **nft_global_host_rules:**: Hosts can also add or override `global` rules. * **nft_global_host_rules:**: Hosts can also add or override `global` rules.
@ -115,6 +117,7 @@ table inet firewall {
This role will: This role will:
* Install `nftables` on the system. * Install `nftables` on the system.
* Generate a default configuration file loaded by systemd unit. * Generate a default configuration file loaded by systemd unit.
* Generate input rules file include called by the main configuration file.
* Restart `nftables` service. * Restart `nftables` service.
## Development ## Development

View File

@ -8,6 +8,8 @@ nft_pkg_state: 'installed'
# conf # conf
nft_main_conf_path: '/etc/nftables.conf' nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2' nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
# rules # rules
nft_global_default_rules: nft_global_default_rules:

View File

@ -29,4 +29,14 @@
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate input rules file
template:
src: "{{ nft_input_conf_content }}"
dest: "{{ nft_input_conf_path }}"
owner: root
group: root
mode: 0755
backup: yes
notify: restart nftables service
# }}} # }}}

View File

@ -20,10 +20,7 @@ table inet firewall {
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
} }
chain input { include "{{ nft_input_conf_path }}"
type filter hook input priority 0;
jump global
}
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
jump global jump global

View File

@ -0,0 +1,6 @@
# {{ ansible_managed }}
chain input {
type filter hook input priority 0; policy drop;
jump global
}