From 3be5c951809067006959f9ed94b903255f674fd8 Mon Sep 17 00:00:00 2001
From: Philipp Rintz
Date: Wed, 3 Mar 2021 10:40:24 +0100
Subject: [PATCH 1/3] Add nft_custom_includes option for optional includes in the main filter table.
---
 defaults/main.yml | 5 +++++
 templates/etc/nftables.conf.j2 | 9 +++++++++
 2 files changed, 14 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 2107724..d9ef57a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -102,6 +102,11 @@ nft_global_host_rules: {}
 # Custom content (tables, include,…) to add in Nftables configuration.
 nft__custom_content: ''
 # ]]]
+# .. envvar:: nft_custom_includes [[[
+#
+# Custom includes to add into the main Nftables filter configuration.
+nft_custom_includes: ''
+ # ]]]
 # .. envvar:: nft_conf_dir_path [[[
 #
 # Path to the sub directory for Nftables configuration files.
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index b7a46c5..a7be5c6 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -29,6 +29,15 @@ table inet filter {
 include "{{ nft_set_conf_path }}"
 include "{{ nft_input_conf_path }}"
 include "{{ nft_output_conf_path }}"
+{% if nft_custom_includes | default() %}
+ {% if nft_custom_includes is string %}
+ include "{{ nft_custom_includes }}"
+ {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+ {% for include in nft_custom_includes %}
+ include "{{ include }}"
+ {% endfor %}
+ {% endif %}
+{% endif %}
 }
 {% if nft__nat_table_manage %}
From e0658c06610586e018426b18d88da0dd91c713be Mon Sep 17 00:00:00 2001
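Review bot: The comment on `nft_custom_includes` does not say what shape the value takes, although the template change in this same commit accepts either a single path string or a list of paths; suggest `# Custom includes (one file path or a list of paths) emitted inside the main Nftables filter table.` The name also departs from the neighbouring `nft__custom_content` (double underscore), which is worth aligning before the option is published. Each path is handed to nft verbatim when the main file is loaded, so a path that does not exist on the host makes the whole ruleset load fail; since nothing in this series templates those files, the comment should state that the operator has to put them in place first.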
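Review bot: A value of `nft_custom_includes` that is neither a string nor a list (a mapping, for instance) falls through both branches and is silently omitted, so the rendered `table inet filter` loses its custom includes with no failure at render time. Since this commit also defines the variable in `defaults/main.yml`, the `| default()` guard is redundant, and an explicit `{% else %}` branch that makes the render fail (Ansible's `mandatory` filter on an undefined name is the usual idiom) would turn the silent drop into a visible error. The path is also interpolated inside double quotes without escaping, which is acceptable for operator-supplied values but deserves a one-line comment. The enclosing `table inet filter { … }` block starts outside the hunk.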
From: Philipp Rintz
Date: Wed, 3 Mar 2021 10:47:02 +0100
Subject: [PATCH 2/3] Added the option to manage the forwarding firewall table.
---
 defaults/main.yml | 51 +++++++++++++++++++
 tasks/main.yml | 12 +++++
 templates/etc/nftables.conf.j2 | 3 ++
 .../etc/nftables.d/filter-forward.nft.j2 | 21 ++++++++
 4 files changed, 87 insertions(+)
 create mode 100644 templates/etc/nftables.d/filter-forward.nft.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index d9ef57a..3fa5ed1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -367,6 +367,57 @@ nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
 # Ansible inventory directory.
 nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
 # ]]]
+# .. envvar:: nft__forward_table_manage [[[
+#
+# If the forward table should be managed ? Possible options are :
+#
+# ``False``
+# Default. The forward table is not managed and rules will not be added.
+#
+# ``True``
+# Add the forwarding rules that follow.
+nft__forward_table_manage: false
+ # ]]]
+# .. envvar:: nft_forward_default_rules [[[
+#
+# List of forward rules to configure for all hosts inherited from this role.
+nft_forward_default_rules:
+ 000 policy:
+ - type filter hook forward priority 0; policy drop;
+ 005 global:
+ - jump global
+ # ]]]
+# .. envvar:: nft_forward_rules [[[
+#
+# List of forward rules to configure for all hosts in the Ansible inventory.
+nft_forward_rules: {}
+ # ]]]
+# .. envvar:: nft_forward_group_rules [[[
+#
+# List of forward rules to configure for hosts in specific Ansible inventory group.
+nft_forward_group_rules: {}
+ # ]]]
+# .. envvar:: nft_forward_host_rules [[[
+#
+# List of forward rules to configure for specific hosts in the Ansible inventory.
+nft_forward_host_rules: {}
+ # ]]]
+# .. envvar:: nft_forward_conf_path [[[
+#
+# Path to the forward rules file for the filter table to include in the main
+# configuration file in order to use the previous defined lists.
+#
+# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
+nft_forward_conf_path: '{{ nft_conf_dir_path }}/filter-forward.nft'
+ # ]]]
+# .. envvar:: nft_forward_conf_content [[[
+#
+# Template used to provide the previous forward rules file.
+#
+# Must be a relative path from default/ directory of this role or from your
+# Ansible inventory directory.
+nft_forward_conf_content: 'etc/nftables.d/filter-forward.nft.j2'
+ # ]]]
 # ]]]
 # ip nat table rules [[[
 # ---------------------------
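Review bot: The shipped `nft_forward_default_rules` install `policy drop` on the forward hook and then only `jump global`, so the moment `nft__forward_table_manage` is set to true every forwarded packet is dropped until the operator adds explicit accept rules — on a router or container host this cuts traffic immediately — and the comment above the variable should say so, e.g. `# With the defaults below the forward chain drops everything except what the global chain accepts; add accept rules before enabling this.` The comments call this the "forward table", but what is managed is a `forward` chain inside the `inet filter` table, so `# Whether to manage the forward chain of the inet filter table.` is more accurate. `absolut` in the `nft_forward_conf_path` comment is a typo for `absolute`.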
diff --git a/tasks/main.yml b/tasks/main.yml
index 67bcaa8..5da165c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -127,6 +127,18 @@
 notify: ['Reload nftables service']
 when: nft_enabled|bool
+- name: Filter table - generate forward rules file
+ template:
+ src: "{{ nft_forward_conf_content }}"
+ dest: "{{ nft_forward_conf_path }}"
+ owner: root
+ group: root
+ mode: 0755
+ backup: yes
+ notify: ['Reload nftables service']
+ when: (nft_enabled|bool and
+ nft__forward_table_manage|bool)
+
 # Nat table content [[[1
 - name: Nat table - generate prerouting rules file
 template:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index a7be5c6..c68075d 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -29,6 +29,9 @@ table inet filter {
 include "{{ nft_set_conf_path }}"
 include "{{ nft_input_conf_path }}"
 include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+ include "{{ nft_forward_conf_path }}"
+{% endif %}
 {% if nft_custom_includes | default() %}
 {% if nft_custom_includes is string %}
 include "{{ nft_custom_includes }}"
diff --git a/templates/etc/nftables.d/filter-forward.nft.j2 b/templates/etc/nftables.d/filter-forward.nft.j2
new file mode 100644
index 0000000..dc9edac
--- /dev/null
+++ b/templates/etc/nftables.d/filter-forward.nft.j2
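Review bot: `mode: 0755` on the new "generate forward rules file" task puts execute bits and world-read permission on a firewall rules file that nft only needs to read as root; unless the sibling rule-file tasks (not visible in this hunk) use the same value and consistency is preferred, `mode: '0640'` is the least-privilege choice, and quoting the octal avoids relying on YAML's octal parsing, which ansible-lint flags. The `when` clause tests `nft__forward_table_manage|bool`, which is correct; note that flipping the variable back to false later leaves the previously generated file on disk, as no task in this hunk removes it.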
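Review bot: `{% if nft__forward_table_manage %}` tests plain Jinja truthiness while the task that generates the file tests `nft__forward_table_manage|bool`; a value supplied as the string `"false"` (extra-vars or an inventory string) is truthy here, so the main file would include `{{ nft_forward_conf_path }}` that no task generated and the ruleset load would fail on the missing file. `{% if nft__forward_table_manage | bool %}` keeps both sides in step. The existing `{% if nft__nat_table_manage %}` line, visible as context in the first commit of this series, has the same shape and is worth fixing in one go.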
@@ -0,0 +1,21 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+# {{ ansible_managed }}
+{% set forwardmerged = nft_forward_default_rules.copy() %}
+{% set _ = forwardmerged.update(nft_forward_rules) %}
+{% set _ = forwardmerged.update(nft_forward_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules is defined %}
+ {% set _ = forwardmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules) %}
+{% endif %}
+{% set _ = forwardmerged.update(nft_forward_host_rules) %}
+
+chain forward {
+{% for group, rules in forwardmerged|dictsort %}
+ # {{ group }}
+ {% if not rules %}
+ # (none)
+ {% endif %}
+ {% for rule in rules %}
+ {{ rule }}
+ {% endfor %}
+{% endfor %}
+}
From 51d768539f99cc44b795ac765b116025950bf5bb Mon Sep 17 00:00:00 2001
From: Philipp Rintz
Date: Wed, 3 Mar 2021 13:54:07 +0100
Subject: [PATCH 3/3] Add forward chain variables to README.md
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 57aff86..c848c72 100644
--- a/README.md
+++ b/README.md
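Review bot: The new template has no comment stating the precedence of the five rule sources it merges, which is the one thing an operator needs when a group rule appears to be ignored; suggest a header after `# {{ ansible_managed }}` describing that keys from `nft_forward_default_rules` are overridden, in order, by `nft_forward_rules`, `nft_forward_group_rules`, the combined group rules (only when `nft_merged_groups` is set) and finally `nft_forward_host_rules`, and that a later entry replaces the whole list under a key rather than appending to it, since the merge is a sequence of `dict.update` calls. Because `dictsort` orders the rendered chain by key, the note should also say that the numeric prefixes such as `000 policy` decide the order of rules in `chain forward`, and that each `{{ rule }}` is emitted verbatim and must be a complete nft statement.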
@@ -31,6 +31,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/filter-input.nft.j2`].
 * **nft_output_conf_path** : Output configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-output.nft`].
 * **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
+* **nft_forward_conf_path** : forward configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-forward.nft`].
+* **nft_forward_conf_content** : Template used to generate the previous forward configuration file [default : `etc/nftables.d/filter-forward.nft.j2`].
 * **nft_define_conf_path** : Vars definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/defines.nft`].
 * **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
 * **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/sets.nft`].
@@ -48,6 +50,11 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_output_rules** : You can add `output` rules or override those defined by **nft_output_default_rules** for all hosts.
 * **nft_output_group_rules** : You can add `output` rules or override those defined by **nft_output_default_rules** and **nft_output_rules** for a group.
 * **nft_output_host_rules** : Hosts can also add or override all previous `output` rules.
+* **nft_forward_default_rules** : Set default rules for `forward` chain.
+* **nft_forward_rules** : You can add `forward` rules or override those defined by **nft_forward_default_rules** for all hosts.
+* **nft_forward_group_rules** : You can add `forward` rules or override those defined by **nft_forward_default_rules** and **nft_forward_rules** for a group.
+* **nft_forward_host_rules** : Hosts can also add or override all previous `forward` rules.
+* **nft__forward_table_manage** : If the forward table should be managed [default : `False`].
 * **nft__nat_table_manage** : If the nat table should be managed [default : `False`].
 * **nft__nat_default_prerouting_rules** : Set default rules for `prerouting` chain of **nat** table.
 * **nft__nat_prerouting_rules** : Set rules for `prerouting` chain of **nat** table for all hosts in the Ansible inventory.