diff --git a/README.md b/README.md
index d350f85..21e00cf 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,8 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
 * **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/inet-input.nft`].
 * **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/inet-input.nft.j2`].
+* **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/inet-output.nft.j2`].
+* **nft_output_conf_path** : Output configuration file include in main configuration file [default : `/etc/nftables.d/inet-output.nft`].
 * **nft_define_conf_path** : Vars definition file include in main configuration file [default : `/etc/nftables.d/defines.nft`].
 * **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
 * **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `/etc/nftables.d/inet-sets.nft`].
@@ -34,6 +36,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] ( * **nft_input_default_rules** : Set default rules for `input` chain. * **nft_input_group_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** for a group. * **nft_input_host_rules:** : Hosts can also add or override `input` rules. +* **nft_output_default_rules** : Set default rules for `output` chain. +* **nft_output_group_rules** : You can add `output` rules or override those defined by **nft_output_default_rules** for a group. +* **nft_output_host_rules:** : Hosts can also add or override `output` rules. * **nft_define_default** : Set default vars available in all rules. * **nft_define_group** : You can add vars or override those defined by **nft_define_default** for groups. * **nft_define_host** : You can add or override existant vars. @@ -76,6 +81,14 @@ nft_input_default_rules: nft_input_group_rules: {} nft_input_host_rules: {} +nft_output_default_rules: + 000 policy: + - type filter hook output priority 0; policy accept; + 005 global: + - jump global +nft_output_group_rules: {} +nft_output_host_rules: {} + # define nft vars nft_define_default: broadcast and multicast: @@ -110,10 +123,7 @@ table inet firewall { } include "/etc/nftables.d/inet-sets.nft" include "/etc/nftables.d/inet-input.nft" - chain output { - type filter hook output priority 0; - jump global - } + include "/etc/nftables.d/inet-output.nft" } ``` @@ -178,7 +188,7 @@ nft_input_group_rules: This role will : * Install `nftables` on the system. * Generate a default configuration file which include all following files and loaded by systemd unit. -* Generate input rules file include called by the main configuration file. +* Generate input and output rules files include called by the main configuration file. * Generate vars in a file and sets and maps in another file. * Restart `nftables` service. 
diff --git a/defaults/main.yml b/defaults/main.yml index 1affc1c..d524077 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -10,6 +10,8 @@ nft_main_conf_path: '/etc/nftables.conf' nft_main_conf_content: 'etc/nftables.conf.j2' nft_input_conf_path: '/etc/nftables.d/inet-input.nft' nft_input_conf_content: 'etc/nftables.d/inet-input.nft.j2' +nft_output_conf_path: '/etc/nftables.d/inet-output.nft' +nft_output_conf_content: 'etc/nftables.d/inet-output.nft.j2' nft_define_conf_path: '/etc/nftables.d/defines.nft' nft_define_conf_content: 'etc/nftables.d/defines.nft.j2' nft_set_conf_path: '/etc/nftables.d/inet-sets.nft' @@ -35,6 +37,14 @@ nft_input_default_rules: nft_input_group_rules: {} nft_input_host_rules: {} +nft_output_default_rules: + 000 policy: + - type filter hook output priority 0; policy accept; + 005 global: + - jump global +nft_output_group_rules: {} +nft_output_host_rules: {} + # define nft vars nft_define_default: broadcast and multicast: diff --git a/tasks/main.yml b/tasks/main.yml index 86c6a90..29f0c8d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -40,6 +40,16 @@ backup: yes notify: restart nftables service +- name: generate output rules file + template: + src: "{{ nft_output_conf_content }}" + dest: "{{ nft_output_conf_path }}" + owner: root + group: root + mode: 0755 + backup: yes + notify: restart nftables service + - name: generate vars definition file template: src: "{{ nft_define_conf_content }}" diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2 index b8bb683..625579d 100755 --- a/templates/etc/nftables.conf.j2 +++ b/templates/etc/nftables.conf.j2 @@ -23,8 +23,5 @@ table inet firewall { } include "{{ nft_set_conf_path }}" include "{{ nft_input_conf_path }}" - chain output { - type filter hook output priority 0; - jump global - } + include "{{ nft_output_conf_path }}" } 
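Review bot: `nft_output_default_rules` turns the output chain's `policy accept;` into an overridable default with no comment explaining the choice, although it only preserves what the removed hard-coded `chain output` block did (no explicit policy, which nftables treats as accept). A short comment above the key would help an operator who considers tightening it, e.g. `# output chain: policy accept matches the previous hard-coded chain; switching to drop requires explicit rules for everything this host originates`. Whether the `global` chain that `jump global` targets already accepts established/related traffic for outbound replies is not visible in this diff, so that caveat should be hedged in the comment as well.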
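Review bot: `mode: 0755` on the "generate output rules file" task gives an execute bit to a file that nftables only reads through `include`; `mode: 0644` is sufficient and tighter. The preceding input-rules task's `mode` is outside this hunk, so if it also uses 0755 the same point applies there, and the two tasks should at least agree. Changing the two lines to `mode: 0644` keeps the handler notification and backup behaviour unchanged.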
diff --git a/templates/etc/nftables.d/inet-output.nft.j2 b/templates/etc/nftables.d/inet-output.nft.j2
new file mode 100644
index 0000000..378721f
--- /dev/null
+++ b/templates/etc/nftables.d/inet-output.nft.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+{% set outputmerged = nft_output_default_rules.copy() %}
+{% set _ = outputmerged.update(nft_output_group_rules) %}
+{% set _ = outputmerged.update(nft_output_host_rules) %}
+
+chain output {
+{% for group, rules in outputmerged|dictsort %}
+ # {{ group }}
+{% if not rules %}
+ # (none)
+{% endif %}
+{% for rule in rules %}
+ {{ rule }}
+{% endfor %}
+{% endfor %}
+}
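Review bot: The three `{% set %}` lines implement a default, then group, then host merge in which a later layer replaces a whole top-level key, but nothing in the file says so; a reader seeing `.copy()` followed by two `update()` calls has to work that out from Python dict semantics. A one-line Jinja comment above them would settle it, `{# host rules override group rules, which override defaults — replacement is per top-level key, not per rule #}`. The same comment is the right place to state that each `{{ rule }}` is written into the chain verbatim, so the rule strings in these variables are trusted as nft syntax. The `global` chain reached by the default `jump global` rule is defined outside this file.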