Remove everything related to in_udp_accept

See conversation in PR #13 (summary: the set was empty by default and the
role currently doesn't manage it well)
This commit is contained in:
Jeremy Gardais 2021-03-04 10:36:17 +01:00
parent 4576ec6ed4
commit 9eff3cd1d0
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
3 changed files with 2 additions and 15 deletions


@ -2,6 +2,8 @@
### Fix ### Fix
* Ansible-lint: Fix line longer than 160 chars. * Ansible-lint: Fix line longer than 160 chars.
* Remove everything related to in_udp_accept (see conversation in PR #13).
Cause it was empty by default and the role currently doesn't manage it well.
## v1.7.0 ## v1.7.0


@ -112,8 +112,6 @@ nft_input_default_rules:
- ip daddr @blackhole counter drop - ip daddr @blackhole counter drop
015 localhost: 015 localhost:
- iif lo accept - iif lo accept
200 input udp accepted:
- udp dport @in_udp_accept ct state new accept
210 input tcp accepted: 210 input tcp accepted:
- tcp dport @in_tcp_accept ct state new accept - tcp dport @in_tcp_accept ct state new accept
nft_input_rules: {} nft_input_rules: {}
@ -147,9 +145,6 @@ nft_define_default:
input tcp accepted: input tcp accepted:
name: in_tcp_accept name: in_tcp_accept
value: '{ ssh }' value: '{ ssh }'
input udp accepted:
name: in_udp_accept
value: 'none'
output tcp accepted: output tcp accepted:
name: out_tcp_accept name: out_tcp_accept
value: '{ http, https, hkp }' value: '{ http, https, hkp }'
@ -168,8 +163,6 @@ nft_set_default:
in_tcp_accept: in_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $in_tcp_accept - elements = $in_tcp_accept
in_udp_accept:
- type inet_service; flags interval;
out_tcp_accept: out_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $out_tcp_accept - elements = $out_tcp_accept
@ -234,7 +227,6 @@ table inet filter {
jump global jump global
ip daddr @blackhole counter packets 0 bytes 0 drop ip daddr @blackhole counter packets 0 bytes 0 drop
iif "lo" accept iif "lo" accept
udp dport @in_udp_accept ct state new accept
tcp dport @in_tcp_accept ct state new accept tcp dport @in_tcp_accept ct state new accept
} }


@ -147,9 +147,6 @@ nft_define_default:
input tcp accepted: input tcp accepted:
name: in_tcp_accept name: in_tcp_accept
value: '{ ssh }' value: '{ ssh }'
input udp accepted:
name: in_udp_accept
value: 'none'
output tcp accepted: output tcp accepted:
name: out_tcp_accept name: out_tcp_accept
value: '{ http, https, hkp }' value: '{ http, https, hkp }'
@ -211,8 +208,6 @@ nft_set_default:
in_tcp_accept: in_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $in_tcp_accept - elements = $in_tcp_accept
in_udp_accept:
- type inet_service; flags interval;
out_tcp_accept: out_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $out_tcp_accept - elements = $out_tcp_accept
@ -274,8 +269,6 @@ nft_input_default_rules:
- iif lo accept - iif lo accept
050 icmp: 050 icmp:
- meta l4proto {icmp,icmpv6} accept - meta l4proto {icmp,icmpv6} accept
200 input udp accepted:
- udp dport @in_udp_accept ct state new accept
210 input tcp accepted: 210 input tcp accepted:
- tcp dport @in_tcp_accept ct state new accept - tcp dport @in_tcp_accept ct state new accept
# ]]] # ]]]