cellinfo
/
ansible.nftables
4
0
Fork 0
Code Issues Pull Requests Releases Activity

Use 'ip' family as default for the firewall table.

This commit is contained in:
Jeremy Gardais 2017-08-09 11:18:49 +02:00
parent 7a36fddf38
commit 6b6a3a1794
6 changed files with 18 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
README.md
View File

@ -22,14 +22,14 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_pkg_state**: State of new `nftables` package(s) [default: `installed`].
* **nft_main_conf_path**: Main configuration file loaded by systemd unit [default: `/etc/nftables.conf`].
* **nft_main_conf_content**: Template used to generate the previous main configuration file [default: `etc/nftables.conf.j2`].
* **nft_input_conf_path**: Input configuration file include in main configuration file [default: `/etc/nftables.d/inet-input.nft`].
* **nft_input_conf_content**: Template used to generate the previous input configuration file [default: `etc/nftables.d/inet-input.nft.j2`].
* **nft_output_conf_content**: Template used to generate the previous output configuration file [default: `etc/nftables.d/inet-output.nft.j2`].
* **nft_output_conf_path**: Output configuration file include in main configuration file [default: `/etc/nftables.d/inet-output.nft`].
* **nft_input_conf_path**: Input configuration file include in main configuration file [default: `/etc/nftables.d/filter-input.nft`].
* **nft_input_conf_content**: Template used to generate the previous input configuration file [default: `etc/nftables.d/filter-input.nft.j2`].
* **nft_output_conf_content**: Template used to generate the previous output configuration file [default: `etc/nftables.d/filter-output.nft.j2`].
* **nft_output_conf_path**: Output configuration file include in main configuration file [default: `/etc/nftables.d/filter-output.nft`].
* **nft_define_conf_path**: Vars definition file include in main configuration file [default: `/etc/nftables.d/defines.nft`].
* **nft_define_conf_content**: Template used to generate the previous vars definition file [default: `etc/nftables.d/defines.nft.j2`].
* **nft_sets_conf_path**: Sets and maps definition file include in main configuration file [default: `/etc/nftables.d/inet-sets.nft`].
* **nft_sets_conf_content**: Template used to generate the previous sets and maps definition file [default: `etc/nftables.d/inet-sets.nft.j2`].
* **nft_sets_conf_path**: Sets and maps definition file include in main configuration file [default: `/etc/nftables.d/sets.nft`].
* **nft_sets_conf_content**: Template used to generate the previous sets and maps definition file [default: `etc/nftables.d/sets.nft.j2`].
* **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
* **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
* **nft_global_host_rules:**: Hosts can also add or override `global` rules.
@ -125,22 +125,22 @@ flush ruleset
include "/etc/nftables.d/defines.nft"
table inet firewall {
table ip firewall {
chain global {
# 000 state management
ct state established,related accept
ct state invalid drop
}
include "/etc/nftables.d/inet-sets.nft"
include "/etc/nftables.d/inet-input.nft"
include "/etc/nftables.d/inet-output.nft"
include "/etc/nftables.d/sets.nft"
include "/etc/nftables.d/filter-input.nft"
include "/etc/nftables.d/filter-output.nft"
}
```
And you get the same result by displaying the ruleset on the host: `$ nft list ruleset`:
```
table inet firewall {
table ip firewall {
set blackhole {
type ipv4_addr
elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }

12
defaults/main.yml
View File

@ -8,14 +8,14 @@ nft_pkg_state: 'installed'
# conf
nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '/etc/nftables.d/inet-input.nft'
nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2'
nft_output_conf_path: '/etc/nftables.d/inet-output.nft'
nft_output_conf_content: 'etc/nftables.d/inet-output.nft.j2'
nft_input_conf_path: '/etc/nftables.d/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
nft_output_conf_path: '/etc/nftables.d/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
nft_define_conf_path: '/etc/nftables.d/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
nft_set_conf_path: '/etc/nftables.d/inet-sets.nft'
nft_set_conf_content: 'etc/nftables.d/inet-sets.nft.j2'
nft_set_conf_path: '/etc/nftables.d/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
# rules
nft_global_default_rules:

2
templates/etc/nftables.conf.j2
View File

@ -9,7 +9,7 @@ flush ruleset
include "/etc/nftables.d/defines.nft"
table inet firewall {
table ip firewall {
chain global {
{% for group, rules in globalmerged|dictsort %}
# {{ group }}

0
templates/etc/nftables.d/inet-input.nft.j2 → templates/etc/nftables.d/filter-input.nft.j2
View File

0
templates/etc/nftables.d/inet-output.nft.j2 → templates/etc/nftables.d/filter-output.nft.j2
View File

0
templates/etc/nftables.d/inet-sets.nft.j2 → templates/etc/nftables.d/sets.nft.j2
View File