cellinfo
/
ansible.nftables
2
0
Fork 0
Code Issues Pull Requests Releases Activity

Improve vars description/comments in default/main

This commit is contained in:
Jeremy Gardais 2019-04-15 15:28:27 +02:00
parent 83675dfe48
commit b0da91bb73
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
2 changed files with 203 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -2,6 +2,7 @@
### Enhancements ### Enhancements
* Add a variable to disable "Protect" instructions in systemd unit. * Add a variable to disable "Protect" instructions in systemd unit.
* Improve vars description/comments in default/main.yml.
## v1.4.1 ## v1.4.1

240
defaults/main.yml
View File

@ -36,51 +36,47 @@ nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2' nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
# ]]] # ]]]
# rules # Nftables global rules [[[
# -------------------------
# .. envvar:: nft_global_default_rules [[[
#
# List of global rules (applied on all tables) to configure for all hosts
# inherited from this role.
nft_global_default_rules: nft_global_default_rules:
005 state management: 005 state management:
- ct state established,related accept - ct state established,related accept
- ct state invalid drop - ct state invalid drop
# ]]]
# .. envvar:: nft_global_rules [[[
#
# List of global rules (applied on all tables) to configure for all hosts
# in the Ansible inventory.
nft_global_rules: {} nft_global_rules: {}
# ]]]
# .. envvar:: nft_global_group_rules [[[
#
# List of global rules (applied on all tables) to configure for hosts in
# specific Ansible inventory group.
nft_global_group_rules: {} nft_global_group_rules: {}
# ]]]
# .. envvar:: nft_global_host_rules [[[
#
# List of global rules (applied on all tables) to configure for specific hosts
# in the Ansible inventory.
nft_global_host_rules: {} nft_global_host_rules: {}
# ]]]
# ]]]
# Nftables vars definition [[[
# ----------------------------
nft_input_default_rules: # These lists allow to define some vars that can be used in nftables rules.
000 policy: # See the official Nftables wiki page for more informations and examples:
- type filter hook input priority 0; policy drop; # https://wiki.nftables.org/wiki-nftables/index.php/Scripting#Defining_variables
005 global:
- jump global
010 drop unwanted:
- ip daddr @blackhole counter drop
015 localhost:
- iif lo accept
200 input udp accepted:
- udp dport @in_udp_accept ct state new accept
210 input tcp accepted:
- tcp dport @in_tcp_accept ct state new accept
nft_input_rules: {}
nft_input_group_rules: {}
nft_input_host_rules: {}
nft_output_default_rules: # .. envvar:: nft_define_default [[[
000 policy: #
- type filter hook output priority 0; policy drop; # List of vars definition to configure for all hosts inherited from this role.
005 global:
- jump global
015 localhost:
- oif lo accept
050 icmp:
- ip protocol icmp accept
- ip6 nexthdr icmpv6 counter accept
200 output udp accepted:
- udp dport @out_udp_accept ct state new accept
210 output tcp accepted:
- tcp dport @out_tcp_accept ct state new accept
nft_output_rules: {}
nft_output_group_rules: {}
nft_output_host_rules: {}
# define nft vars
nft_define_default: nft_define_default:
broadcast and multicast: broadcast and multicast:
desc: 'broadcast and multicast' desc: 'broadcast and multicast'
@ -98,11 +94,35 @@ nft_define_default:
output udp accepted: output udp accepted:
name: out_udp_accept name: out_udp_accept
value: '{ bootps, domain, ntp }' value: '{ bootps, domain, ntp }'
# ]]]
# .. envvar:: nft_define [[[
#
# List of vars definition to configure for all hosts in the Ansible inventory.
nft_define: {} nft_define: {}
# ]]]
# .. envvar:: nft_define_group [[[
#
# List of vars definition to configure for hosts in specific
# Ansible inventory group.
nft_define_group: {} nft_define_group: {}
# ]]]
# .. envvar:: nft_define_host [[[
#
# List of vars definition to configure for specific hosts
# in the Ansible inventory.
nft_define_host: {} nft_define_host: {}
# ]]]
# ]]]
# Nftables sets definition [[[
# ----------------------------
# sets and maps # These "set" lists allow to define sets that can be used in Nftables rules.
# See the official Nftables wiki page for more informations and examples:
# https://wiki.nftables.org/wiki-nftables/index.php/Sets
# .. envvar:: nft_define_default [[[
#
# List of sets to configure for all hosts inherited from this role.
nft_set_default: nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
@ -118,15 +138,159 @@ nft_set_default:
out_udp_accept: out_udp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $out_udp_accept - elements = $out_udp_accept
# ]]]
# .. envvar:: nft_set [[[
#
# List of sets to configure for all hosts in the Ansible inventory.
nft_set: {} nft_set: {}
# ]]]
# .. envvar:: nft_set_group [[[
#
# List of sets to configure for hosts in specific Ansible inventory group.
nft_set_group: {} nft_set_group: {}
# ]]]
# .. envvar:: nft_set_host [[[
#
# List of sets to configure for specific hosts in the Ansible inventory.
nft_set_host: {} nft_set_host: {}
# ]]]
# service # ]]]
# inet filter table rules [[[
# ---------------------------
# All these rules will be set up in an inet table in order to filter the
# input and output traffic.
# .. envvar:: nft_input_default_rules [[[
#
# List of input rules to configure for all hosts inherited from this role.
nft_input_default_rules:
000 policy:
- type filter hook input priority 0; policy drop;
005 global:
- jump global
010 drop unwanted:
- ip daddr @blackhole counter drop
015 localhost:
- iif lo accept
200 input udp accepted:
- udp dport @in_udp_accept ct state new accept
210 input tcp accepted:
- tcp dport @in_tcp_accept ct state new accept
# ]]]
# .. envvar:: nft_input_rules [[[
#
# List of input rules to configure for all hosts in the Ansible inventory.
nft_input_rules: {}
# ]]]
# .. envvar:: nft_input_group_rules [[[
#
# List of input rules to configure for hosts in specific Ansible inventory group.
nft_input_group_rules: {}
# ]]]
# .. envvar:: nft_input_host_rules [[[
#
# List of input rules to configure for specific hosts in the Ansible inventory.
nft_input_host_rules: {}
# ]]]
# .. envvar:: nft_output_default_rules [[[
#
# List of output rules to configure for all hosts inherited from this role.
nft_output_default_rules:
000 policy:
- type filter hook output priority 0; policy drop;
005 global:
- jump global
015 localhost:
- oif lo accept
050 icmp:
- ip protocol icmp accept
- ip6 nexthdr icmpv6 counter accept
200 output udp accepted:
- udp dport @out_udp_accept ct state new accept
210 output tcp accepted:
- tcp dport @out_tcp_accept ct state new accept
# ]]]
# .. envvar:: nft_output_rules [[[
#
# List of output rules to configure for all hosts in the Ansible inventory.
nft_output_rules: {}
# ]]]
# .. envvar:: nft_output_group_rules [[[
#
# List of output rules to configure for hosts in specific Ansible inventory group.
nft_output_group_rules: {}
# ]]]
# .. envvar:: nft_output_host_rules [[[
#
# List of output rules to configure for specific hosts in the Ansible inventory.
nft_output_host_rules: {}
# ]]]
# ]]]
# Service management [[[
# ----------------------
# .. envvar:: nft_service_manage [[[
#
# If the nftables service should be managed? Possible options are:
#
# ``True``
# Default. The service is started.
#
# ``False``
# The service will not be touched.
nft_service_manage: true nft_service_manage: true
# ]]]
# .. envvar:: nft_service_name [[[
#
# The service name to manage.
nft_service_name: 'nftables' nft_service_name: 'nftables'
# ]]]
# .. envvar:: nft_service_enabled [[[
#
# If the nftables service should be enabled at startup? Possible options are:
#
# ``True``
# Default. The service is enabled.
#
# ``False``
# The service is disabled from startup.
nft_service_enabled: true nft_service_enabled: true
# ]]]
# .. envvar:: nft_service_unit_path [[[
#
# Path to store nftables service.
nft_service_unit_path: '/lib/systemd/system/nftables.service' nft_service_unit_path: '/lib/systemd/system/nftables.service'
# ]]]
# .. envvar:: nft_service_unit_content [[[
#
# Template used to provide systemd unit for nftables service.
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2' nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
# ]]]
# .. envvar:: nft__service_protect [[[
#
# If the systemd unit should have the Protect directives? Possible options:
#
# ``True``
# Default. Directives will be set (ProtectSystem, ProtectHome,…).
#
# ``False``
# The directives will be ignored.
nft__service_protect: true nft__service_protect: true
# ]]]
# .. envvar:: nft__fail2ban_service [[[
#
# If the nftables systemd unit should also restart Fail2ban service. Possible
# options are:
#
# ``False``
# Default. Nftables service will not affect Fail2ban service.
#
# ``True``
# Any Nftables service (re)start will also restart Fail2ban service.
nft__fail2ban_service: False nft__fail2ban_service: False
# ]]]
# ]]]
# ]]]