From 6b6a3a1794da3139155265f0898afca20ffcac18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Wed, 9 Aug 2017 11:18:49 +0200
Subject: [PATCH] Use 'ip' family as default for the firewall table.

---
 README.md | 22 +++++++++----------
 defaults/main.yml | 12 +++++-----
 templates/etc/nftables.conf.j2 | 2 +-
 ...{inet-input.nft.j2 => filter-input.nft.j2} | 0
 ...net-output.nft.j2 => filter-output.nft.j2} | 0
 .../{inet-sets.nft.j2 => sets.nft.j2} | 0
 6 files changed, 18 insertions(+), 18 deletions(-)
 rename templates/etc/nftables.d/{inet-input.nft.j2 => filter-input.nft.j2} (100%)
 rename templates/etc/nftables.d/{inet-output.nft.j2 => filter-output.nft.j2} (100%)
 rename templates/etc/nftables.d/{inet-sets.nft.j2 => sets.nft.j2} (100%)

diff --git a/README.md b/README.md
index 4af29b6..95505dd 100644
--- a/README.md
+++ b/README.md
@@ -22,14 +22,14 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
 * **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
 * **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
-* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-input.nft`].
-* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-input.nft.j2`].
-* **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/inet-output.nft.j2`].
-* **nft_output_conf_path** : Output configuration file include in main configuration file [default : `/etc/nftables.d/inet-output.nft`].
+* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/filter-input.nft`].
+* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/filter-input.nft.j2`].
+* **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
+* **nft_output_conf_path** : Output configuration file include in main configuration file [default : `/etc/nftables.d/filter-output.nft`].
 * **nft_define_conf_path** : Vars definition file include in main configuration file [default : `/etc/nftables.d/defines.nft`].
 * **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
-* **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `/etc/nftables.d/inet-sets.nft`].
-* **nft_sets_conf_content** : Template used to generate the previous sets and maps definition file [default : `etc/nftables.d/inet-sets.nft.j2`].
+* **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `/etc/nftables.d/sets.nft`].
+* **nft_sets_conf_content** : Template used to generate the previous sets and maps definition file [default : `etc/nftables.d/sets.nft.j2`].
 * **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
 * **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
 * **nft_global_host_rules:** : Hosts can also add or override `global` rules.
@@ -125,22 +125,22 @@ flush ruleset
 include "/etc/nftables.d/defines.nft"
-table inet firewall {
+table ip firewall {
 chain global {
 # 000 state management
 ct state established,related accept
 ct state invalid drop
 }
- include "/etc/nftables.d/inet-sets.nft"
- include "/etc/nftables.d/inet-input.nft"
- include "/etc/nftables.d/inet-output.nft"
+ include "/etc/nftables.d/sets.nft"
+ include "/etc/nftables.d/filter-input.nft"
+ include "/etc/nftables.d/filter-output.nft"
 }
 ```
 And you get the same result by displaying the ruleset on the host : `$ nft list ruleset` :
 ```
-table inet firewall {
+table ip firewall {
 set blackhole {
 type ipv4_addr
 elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251 }
diff --git a/defaults/main.yml b/defaults/main.yml
index bf301de..008ebec 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,14 +8,14 @@ nft_pkg_state: 'installed'
 # conf
 nft_main_conf_path: '/etc/nftables.conf'
 nft_main_conf_content: 'etc/nftables.conf.j2'
-nft_input_conf_path: '/etc/nftables.d/inet-input.nft'
-nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2'
-nft_output_conf_path: '/etc/nftables.d/inet-output.nft'
-nft_output_conf_content: 'etc/nftables.d/inet-output.nft.j2'
+nft_input_conf_path: '/etc/nftables.d/filter-input.nft'
+nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
+nft_output_conf_path: '/etc/nftables.d/filter-output.nft'
+nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
 nft_define_conf_path: '/etc/nftables.d/defines.nft'
 nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
-nft_set_conf_path: '/etc/nftables.d/inet-sets.nft'
-nft_set_conf_content: 'etc/nftables.d/inet-sets.nft.j2'
+nft_set_conf_path: '/etc/nftables.d/sets.nft'
+nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
 
 # rules
 nft_global_default_rules:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index 625579d..64fc939 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -9,7 +9,7 @@ flush ruleset
 include "/etc/nftables.d/defines.nft"
-table inet firewall {
+table ip firewall {
 chain global {
 {% for group, rules in globalmerged|dictsort %}
 # {{ group }}
diff --git a/templates/etc/nftables.d/inet-input.nft.j2 b/templates/etc/nftables.d/filter-input.nft.j2
similarity index 100%
rename from templates/etc/nftables.d/inet-input.nft.j2
rename to templates/etc/nftables.d/filter-input.nft.j2
diff --git a/templates/etc/nftables.d/inet-output.nft.j2 b/templates/etc/nftables.d/filter-output.nft.j2
similarity index 100%
rename from templates/etc/nftables.d/inet-output.nft.j2
rename to templates/etc/nftables.d/filter-output.nft.j2
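Review bot: The defaults define `nft_set_conf_path` and `nft_set_conf_content` (singular `set`), while the README hunk in this same patch documents them as `nft_sets_conf_path` and `nft_sets_conf_content`; a user who overrides the documented names gets no effect and silently keeps the default sets file, which is an easy way to ship a different ruleset than the one intended. One side should be aligned with the other, either by renaming the defaults to `nft_sets_conf_path: '/etc/nftables.d/sets.nft'` and `nft_sets_conf_content: 'etc/nftables.d/sets.nft.j2'` (plus any task that reads them, which is outside this patch) or, as the non-breaking option, by correcting the README to the `nft_set_conf_*` names.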
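Review bot: Changing the family on the `table ip firewall {` line from `inet` to `ip` limits every chain and include inside this table to IPv4, and since the file opens with `flush ruleset` and, as far as this template shows, declares no `ip6` or `inet` table, IPv6 traffic is no longer filtered at all by the generated ruleset. If an IPv4-only default is the intent, that trade-off should be stated next to the declaration and in the README, e.g. `# 'ip' family: this table filters IPv4 only; IPv6 traffic is not covered` (the README example shows the same family change without mentioning it). Otherwise keeping `inet`, or adding an `ip6` table with the same chains, would preserve the previous coverage, and exposing the family as a role variable would let users choose. The `table` block opened here closes outside the hunk.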
diff --git a/templates/etc/nftables.d/inet-sets.nft.j2 b/templates/etc/nftables.d/sets.nft.j2
similarity index 100%
rename from templates/etc/nftables.d/inet-sets.nft.j2
rename to templates/etc/nftables.d/sets.nft.j2