From bf9080fcb3daafb7ed1636ac8b58fb9390c1af6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Wed, 16 May 2018 14:38:33 +0200
Subject: [PATCH] Set a variable to enable/disable Nftables
---
 CHANGELOG.md | 4 ++++
 README.md | 2 +-
 defaults/main.yml | 19 +++++++++++++++++--
 tasks/main.yml | 20 +++++++++++++++-----
 4 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3486d53..2adb30f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## v1.X
+
+### Enhancements
+* Set a variable to enable/disable the support of Nftables.
 ## v1.3.1
diff --git a/README.md b/README.md
index 51670f5..8aa41e5 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 ## Role Variables
-* **nft_pkg_manage** : If `nftables` package(s) should be managed with this role [default : `true`].
+* **nft_enabled** : Enable or disable support for Nftables [default : `true`].
 * **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
 * **nft_old_pkg_list** : The list of useless packages to remove (such as Iptables,…) [default : `iptables`].
 * **nft_old_pkg_state** : State of old package(s) [default : `absent`].
diff --git a/defaults/main.yml b/defaults/main.yml
index 6f32874..02b3136 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,8 +1,22 @@
 ---
-# defaults file for nftables
+# .. vim: foldmarker=[[[,]]]:foldmethod=marker
+#
+# ipr-cnrs.nftables default variables [[[
+# =======================================
+
+# Packages and installation [[[
+# -----------------------------
+
+# .. envvar:: nft_enabled [[[
+#
+# Enable or disable support for Nftables on a given host. Disabling this
+# option does not remove existing installation and configuration.
+#
+nft_enabled: true
+
+ # ]]]
 # packages
-nft_pkg_manage: true
 nft_pkg_state: 'installed'
 nft_old_pkg_list: 'iptables'
 nft_old_pkg_state: 'absent'
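Review bot: Dropping `nft_pkg_manage` from defaults/main.yml with no fallback is a breaking change rather than the enhancement the changelog entry calls it: an inventory that still sets `nft_pkg_manage: false` to keep this role away from package management now has that value silently ignored, and because `nft_enabled` defaults to `true` the install and iptables-removal tasks in tasks/main.yml run again on those hosts. A one-release compatibility default such as `nft_enabled: '{{ nft_pkg_manage | default(true) }}'` would keep existing inventories behaving as before, and the CHANGELOG entry should be filed as a breaking change that names the removed variable. The new comment block would also benefit from one more sentence making the security consequence explicit, e.g. `# A disabled host keeps whatever ruleset and service state it already has; this role no longer reconciles it.`, since nothing in the role touches the firewall once the flag is false.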
@@ -21,6 +35,7 @@ nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
 nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
 nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
+ # ]]]
 # rules
 nft_global_default_rules:
 005 state management:
diff --git a/tasks/main.yml b/tasks/main.yml
index 701f84c..a070eaa 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -15,7 +15,7 @@
 state: '{{ nft_pkg_state }}'
 with_items:
 - '{{ nft_pkg_list }}'
- when: nft_pkg_manage
+ when: nft_enabled|bool
 - name: INSTALL Remove iptables packages
 apt:
@@ -23,7 +23,9 @@
 state: '{{ nft_old_pkg_state }}'
 with_items:
 - '{{ nft_old_pkg_list }}'
- when: nft_old_pkg_manage
+ when: (nft_enabled|bool and
+ nft_old_pkg_manage|bool)
+
 # }}}
 # conf {{{
@@ -32,6 +34,7 @@
 path: "{{ nft_conf_dir_path }}"
 state: directory
 mode: 0755
+ when: nft_enabled|bool
 - name: CONFIG generate main conf file
 template:
@@ -42,6 +45,7 @@
 mode: 0755
 backup: yes
 notify: ['restart nftables service']
+ when: nft_enabled|bool
 - name: CONFIG generate input rules file
 template:
@@ -52,6 +56,7 @@
 mode: 0755
 backup: yes
 notify: ['restart nftables service']
+ when: nft_enabled|bool
 - name: CONFIG generate output rules file
 template:
@@ -62,6 +67,7 @@
 mode: 0755
 backup: yes
 notify: ['restart nftables service']
+ when: nft_enabled|bool
 - name: CONFIG generate vars definition file
 template:
@@ -72,6 +78,7 @@
 mode: 0755
 backup: yes
 notify: ['restart nftables service']
+ when: nft_enabled|bool
 - name: CONFIG generate sets and maps file
 template:
@@ -82,6 +89,7 @@
 mode: 0755
 backup: yes
 notify: ['restart nftables service']
+ when: nft_enabled|bool
 # }}}
 # service {{{
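Review bot: The gate `when: nft_enabled|bool` is now hand-copied onto every task in tasks/main.yml (the hunks at -15, -23, -32, -42, -52, -62, -72, -82, and -94 and -108 in the service section), so the next task added to this role — a new rules file, say — will silently run on hosts that opted out unless its author remembers the line. Ansible's `block:` lets the install, conf and service tasks be wrapped once with a single `when: nft_enabled|bool`, or alternatively the three sections can be moved into task files loaded behind one guarded `include_tasks`; either way the opt-out lives in one place and is checked by default. For a firewall role that is worth the re-indent, because a task missing its gate is a task that changes packet filtering on a host the operator believed was untouched. The enclosing task list starts before the first of these hunks and ends after the last.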
@@ -94,13 +102,14 @@
 group: 'root'
 mode: '0644'
 register: nftables__register_systemd_service
- when: nft_service_manage
+ when: (nft_enabled|bool and
+ nft_service_manage|bool)
 notify: ['restart nftables service']
 - name: Reload systemd daemons
 command: systemctl daemon-reload
 notify: ['restart nftables service']
- when: (nft_service_manage and
+ when: (nft_service_manage|bool and
 nftables__register_systemd_service|changed)
 - name: SERVICE manage '{{ nft_service_name }}'
@@ -108,5 +117,6 @@
 name: '{{ nft_service_name }}'
 state: started
 enabled: '{{ nft_service_enabled }}'
- when: (nft_enabled|bool and
+ when: (nft_enabled|bool and
+ nft_service_manage|bool)
 # }}}
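Review bot: The `Reload systemd daemons` task is the one task in the service section whose condition was rewritten without `nft_enabled|bool`; it appears to stay skipped on a disabled host only because the preceding, now-skipped unit-file task registers `nftables__register_systemd_service` with `changed: false`, which is an indirect dependency rather than an explicit one. Making the gate explicit, `when: (nft_enabled|bool and nft_service_manage|bool and nftables__register_systemd_service is changed)`, also replaces the `|changed` filter on the context line, which is deprecated as of Ansible 2.5 in favour of the `is changed` test if this role targets that release or later. The surrounding task list continues past the end of the hunk at -108.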