cellinfo
/
ansible.nftables
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Generate Nat table rules files

This commit is contained in:
Jeremy Gardais 2019-04-16 15:48:30 +02:00
parent b77d492da2
commit 63b3bb2c13
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
4 changed files with 158 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
defaults/main.yml
View File

@ -337,6 +337,105 @@ nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2' nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
# ]]] # ]]]
# ]]] # ]]]
# ip nat table rules [[[
# ---------------------------
#
# All these rules will be set up in an ip table in order to perform some
# Network Address Translation (NAT).
# .. envvar:: nft__nat_table_manage [[[
#
# If the nat table should be managed? Possible options are:
#
# ``False``
# Default. The nat table is not managed and rules will not be added.
#
# ``True``
# Add the pre and postrouting rules that follow.
nft__nat_table_manage: False
# ]]]
# .. envvar:: nft__nat_default_prerouting_rules [[[
#
# List of prerouting rules to configure for all hosts inherited from this role.
nft__nat_default_prerouting_rules:
000 policy:
- type nat hook prerouting priority 0;
# ]]]
# .. envvar:: nft__nat_prerouting_rules [[[
#
# List of prerouting rules to configure for all hosts in the Ansible inventory.
nft__nat_prerouting_rules: {}
# ]]]
# .. envvar:: nft__nat_group_prerouting_rules [[[
#
# List of prerouting rules to configure for hosts in specific
# Ansible inventory group.
nft__nat_group_prerouting_rules: {}
# ]]]
# .. envvar:: nft__nat_host_prerouting_rules [[[
#
# List of prerouting rules to configure for specific hosts
# in the Ansible inventory.
nft__nat_host_prerouting_rules: {}
# ]]]
# .. envvar:: nft__nat_prerouting_conf_path [[[
#
# Path to the prerouting rules file for the nat table to include in the main
# configuration file in order to use the previous defined lists.
#
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
nft__nat_prerouting_conf_path: '{{ nft_conf_dir_path }}/nat-prerouting.nft'
# ]]]
# .. envvar:: nft__nat_prerouting_conf_content [[[
#
# Template used to provide the previous prerouting rules file.
#
# Must be a relative path from default/ directory of this role or from your
# Ansible inventory directory.
nft__nat_prerouting_conf_content: 'etc/nftables.d/nat-prerouting.nft.j2'
# ]]]
# .. envvar:: nft__nat_default_postrouting_rules [[[
#
# List of postrouting rules to configure for all hosts inherited from this role.
nft__nat_default_postrouting_rules:
000 policy:
- type nat hook postrouting priority 100;
# ]]]
# .. envvar:: nft__nat_postrouting_rules [[[
#
# List of postrouting rules to configure for all hosts in the Ansible inventory.
nft__nat_postrouting_rules: {}
# ]]]
# .. envvar:: nft__nat_group_postrouting_rules [[[
#
# List of postrouting rules to configure for hosts in specific
# Ansible inventory group.
nft__nat_group_postrouting_rules: {}
# ]]]
# .. envvar:: nft__nat_host_postrouting_rules [[[
#
# List of postrouting rules to configure for specific hosts
# in the Ansible inventory.
nft__nat_host_postrouting_rules: {}
# ]]]
# .. envvar:: nft__nat_postrouting_conf_path [[[
#
# Path to the postrouting rules file for the nat table to include in the main
# configuration file in order to use the previous defined lists.
#
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
nft__nat_postrouting_conf_path: '{{ nft_conf_dir_path }}/nat-postrouting.nft'
# ]]]
# .. envvar:: nft__nat_postrouting_conf_content [[[
#
# Template used to provide the previous postrouting rules file.
#
# Must be a relative path from default/ directory of this role or from your
# Ansible inventory directory.
nft__nat_postrouting_conf_content: 'etc/nftables.d/nat-postrouting.nft.j2'
# ]]]
# ]]]
# Service management [[[ # Service management [[[
# ---------------------- # ----------------------

25
tasks/main.yml
View File

@ -96,6 +96,31 @@
notify: ['Restart nftables service'] notify: ['Restart nftables service']
when: nft_enabled|bool when: nft_enabled|bool
# Nat table content [[[1
- name: Nat table - generate prerouting rules file
template:
src: "{{ nft__nat_prerouting_conf_content }}"
dest: "{{ nft__nat_prerouting_conf_path }}"
owner: root
group: root
mode: 0755
backup: yes
notify: ['Restart nftables service']
when: (nft_enabled|bool and
nft__nat_table_manage|bool)
- name: Nat table - generate postrouting rules file
template:
src: "{{ nft__nat_postrouting_conf_content }}"
dest: "{{ nft__nat_postrouting_conf_path }}"
owner: root
group: root
mode: 0755
backup: yes
notify: ['Restart nftables service']
when: (nft_enabled|bool and
nft__nat_table_manage|bool)
# Manage service [[[1 # Manage service [[[1
- name: Install Debian systemd service unit - name: Install Debian systemd service unit
template: template:

17
templates/etc/nftables.d/nat-postrouting.nft.j2 Normal file
View File

@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% set postroutingmerged = nft__nat_default_postrouting_rules.copy() %}
{% set _ = postroutingmerged.update(nft__nat_postrouting_rules) %}
{% set _ = postroutingmerged.update(nft__nat_group_postrouting_rules) %}
{% set _ = postroutingmerged.update(nft__nat_host_postrouting_rules) %}
chain postrouting {
{% for group, rules in postroutingmerged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
{{ rule }}
{% endfor %}
{% endfor %}
}

17
templates/etc/nftables.d/nat-prerouting.nft.j2 Normal file
View File

@ -0,0 +1,17 @@
# {{ ansible_managed }}
{% set preroutingmerged = nft__nat_default_prerouting_rules.copy() %}
{% set _ = preroutingmerged.update(nft__nat_prerouting_rules) %}
{% set _ = preroutingmerged.update(nft__nat_group_prerouting_rules) %}
{% set _ = preroutingmerged.update(nft__nat_host_prerouting_rules) %}
chain prerouting {
{% for group, rules in preroutingmerged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
{{ rule }}
{% endfor %}
{% endfor %}
}