From 9eff3cd1d0eea71651ae299db1bd7924f71ab99c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Thu, 4 Mar 2021 10:36:17 +0100
Subject: [PATCH] Remove everything related to in_udp_accept
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See conversation in PR #13 (summary : cause it was empty by default and the role currently doesn't manage it well)
---
 CHANGELOG.md | 2 ++
 README.md | 8 --------
 defaults/main.yml | 7 -------
 3 files changed, 2 insertions(+), 15 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20fad07..cea79a0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 ### Fix
 * Ansible-lint: Fix line longer than 160 chars.
+* Remove everything related to in_udp_accept (see conversation in PR #13).
+ Cause it was empty by default and the role currently doesn't manage it well.
 ## v1.7.0
diff --git a/README.md b/README.md
index 57aff86..45c7d3d 100644
--- a/README.md
+++ b/README.md
@@ -112,8 +112,6 @@ nft_input_default_rules:
 - ip daddr @blackhole counter drop
 015 localhost:
 - iif lo accept
- 200 input udp accepted:
- - udp dport @in_udp_accept ct state new accept
 210 input tcp accepted:
 - tcp dport @in_tcp_accept ct state new accept
 nft_input_rules: {}
@@ -147,9 +145,6 @@ nft_define_default:
 input tcp accepted:
 name: in_tcp_accept
 value: '{ ssh }'
- input udp accepted:
- name: in_udp_accept
- value: 'none'
 output tcp accepted:
 name: out_tcp_accept
 value: '{ http, https, hkp }'
@@ -168,8 +163,6 @@ nft_set_default:
 in_tcp_accept:
 - type inet_service; flags interval;
 - elements = $in_tcp_accept
- in_udp_accept:
- - type inet_service; flags interval;
 out_tcp_accept:
 - type inet_service; flags interval;
 - elements = $out_tcp_accept
@@ -234,7 +227,6 @@ table inet filter {
 jump global
 ip daddr @blackhole counter packets 0 bytes 0 drop
 iif "lo" accept
- udp dport @in_udp_accept ct state new accept
 tcp dport @in_tcp_accept ct state new accept
 }
 
diff --git a/defaults/main.yml b/defaults/main.yml
index 2107724..abae4d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -147,9 +147,6 @@ nft_define_default:
 input tcp accepted:
 name: in_tcp_accept
 value: '{ ssh }'
- input udp accepted:
- name: in_udp_accept
- value: 'none'
 output tcp accepted:
 name: out_tcp_accept
 value: '{ http, https, hkp }'
@@ -211,8 +208,6 @@ nft_set_default:
 in_tcp_accept:
 - type inet_service; flags interval;
 - elements = $in_tcp_accept
- in_udp_accept:
- - type inet_service; flags interval;
 out_tcp_accept:
 - type inet_service; flags interval;
 - elements = $out_tcp_accept
@@ -274,8 +269,6 @@ nft_input_default_rules:
 - iif lo accept
 050 icmp:
 - meta l4proto {icmp,icmpv6} accept
- 200 input udp accepted:
- - udp dport @in_udp_accept ct state new accept
 210 input tcp accepted:
 - tcp dport @in_tcp_accept ct state new accept
 # ]]]