Merge branch 'feature_forwarding' of https://github.com/p-rintz/nftables into p-rintz-feature_forwarding

2021-03-09 18:02:31 +01:00 · 2021-03-09 18:02:31 +01:00 · 60b7d49555
parent db3fbdc9b4 51d768539f
commit 60b7d49555
5 changed files with 108 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -34,6 +34,8 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 * **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/filter-input.nft.j2`].
 * **nft_output_conf_path** : Output configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-output.nft`].
 * **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
+* **nft_forward_conf_path** : forward configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-forward.nft`].
+* **nft_forward_conf_content** : Template used to generate the previous forward configuration file [default : `etc/nftables.d/filter-forward.nft.j2`].
 * **nft_define_conf_path** : Vars definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/defines.nft`].
 * **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
 * **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/sets.nft`].
@ -51,6 +53,11 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 * **nft_output_rules** : You can add `output` rules or override those defined by **nft_output_default_rules** for all hosts.
 * **nft_output_group_rules** : You can add `output` rules or override those defined by **nft_output_default_rules** and **nft_output_rules** for a group.
 * **nft_output_host_rules** : Hosts can also add or override all previous `output` rules.
+* **nft_forward_default_rules** : Set default rules for `forward` chain.
+* **nft_forward_rules** : You can add `forward` rules or override those defined by **nft_forward_default_rules** for all hosts.
+* **nft_forward_group_rules** : You can add `forward` rules or override those defined by **nft_forward_default_rules** and **nft_forward_rules** for a group.
+* **nft_forward_host_rules** : Hosts can also add or override all previous `forward` rules.
+* **nft__forward_table_manage** : If the forward table should be managed [default : `False`].
 * **nft__nat_table_manage** : If the nat table should be managed [default : `False`].
 * **nft__nat_default_prerouting_rules** : Set default rules for `prerouting` chain of **nat** table.
 * **nft__nat_prerouting_rules** : Set rules for `prerouting` chain of **nat** table for all hosts in the Ansible inventory.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -102,6 +102,11 @@ nft_global_host_rules: {}
 # Custom content (tables, include,…) to add in Nftables configuration.
 nft__custom_content: ''
                                                                   # ]]]
+# .. envvar:: nft_custom_includes [[[
+#
+# Custom includes to add into the main Nftables filter configuration.
+nft_custom_includes: ''
+                                                                   # ]]]
 # .. envvar:: nft_conf_dir_path [[[
 #
 # Path to the sub directory for Nftables configuration files.
@ -355,6 +360,57 @@ nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
 # Ansible inventory directory.
 nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
                                                                   # ]]]
+# .. envvar:: nft__forward_table_manage [[[
+#
+# If the forward table should be managed ? Possible options are :
+#
+# ``False``
+#   Default. The forward table is not managed and rules will not be added.
+#
+# ``True``
+#   Add the forwarding rules that follow.
+nft__forward_table_manage: false
+                                                                   # ]]]
+# .. envvar:: nft_forward_default_rules [[[
+#
+# List of forward rules to configure for all hosts inherited from this role.
+nft_forward_default_rules:
+  000 policy:
+    - type filter hook forward priority 0; policy drop;
+  005 global:
+    - jump global
+                                                                   # ]]]
+# .. envvar:: nft_forward_rules [[[
+#
+# List of forward rules to configure for all hosts in the Ansible inventory.
+nft_forward_rules: {}
+                                                                   # ]]]
+# .. envvar:: nft_forward_group_rules [[[
+#
+# List of forward rules to configure for hosts in specific Ansible inventory group.
+nft_forward_group_rules: {}
+                                                                   # ]]]
+# .. envvar:: nft_forward_host_rules [[[
+#
+# List of forward rules to configure for specific hosts in the Ansible inventory.
+nft_forward_host_rules: {}
+                                                                   # ]]]
+# .. envvar:: nft_forward_conf_path [[[
+#
+# Path to the forward rules file for the filter table to include in the main
+# configuration file in order to use the previous defined lists.
+#
+# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
+nft_forward_conf_path: '{{ nft_conf_dir_path }}/filter-forward.nft'
+                                                                   # ]]]
+# .. envvar:: nft_forward_conf_content [[[
+#
+# Template used to provide the previous forward rules file.
+#
+# Must be a relative path from default/ directory of this role or from your
+# Ansible inventory directory.
+nft_forward_conf_content: 'etc/nftables.d/filter-forward.nft.j2'
+                                                                   # ]]]
                                                                   # ]]]
 # ip nat table rules [[[
 # ---------------------------
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -130,6 +130,18 @@
  notify: ['Reload nftables service']
  when: nft_enabled|bool

+- name: Filter table - generate forward rules file
+  template:
+    src: "{{ nft_forward_conf_content }}"
+    dest: "{{ nft_forward_conf_path }}"
+    owner: root
+    group: root
+    mode: 0755
+    backup: yes
+  notify: ['Reload nftables service']
+  when: (nft_enabled|bool and
+         nft__forward_table_manage|bool)
+
 # Nat table content [[[1
 - name: Nat table - generate prerouting rules file
  template:
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@ -29,6 +29,18 @@ table inet filter {
 	include "{{ nft_set_conf_path }}"
 	include "{{ nft_input_conf_path }}"
 	include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+	include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+  {% if nft_custom_includes is string %}
+	include "{{ nft_custom_includes }}"
+  {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+    {% for include in nft_custom_includes %}
+	include "{{ include }}"
+    {% endfor %}
+  {% endif %}
+{% endif %}
 }

 {% if nft__nat_table_manage %}
--- a/templates/etc/nftables.d/filter-forward.nft.j2
+++ b/templates/etc/nftables.d/filter-forward.nft.j2
@ -0,0 +1,21 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+# {{ ansible_managed }}
+{% set forwardmerged = nft_forward_default_rules.copy() %}
+{% set _ = forwardmerged.update(nft_forward_rules) %}
+{% set _ = forwardmerged.update(nft_forward_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules is defined %}
+  {% set _ = forwardmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules) %}
+{% endif %}
+{% set _ = forwardmerged.update(nft_forward_host_rules) %}
+
+chain forward {
+{% for group, rules in forwardmerged|dictsort  %}
+    # {{ group }}
+  {% if not rules %}
+    # (none)
+  {% endif %}
+  {% for rule in rules %}
+    {{ rule }}
+  {% endfor %}
+{% endfor %}
+}