cellinfo
/
ansible.nftables
4
0
Fork 0
Code Issues Pull Requests Releases Activity

Added the option to manage the forwarding firewall table.

This commit is contained in:
Philipp Rintz 2021-03-03 10:47:02 +01:00
parent 3be5c95180
commit e0658c0661
No known key found for this signature in database
GPG Key ID: BE0205E9A286FF24
4 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
defaults/main.yml
View File

@ -367,6 +367,57 @@ nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
# Ansible inventory directory.
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
# ]]]
# .. envvar:: nft__forward_table_manage [[[
#
# If the forward table should be managed? Possible options are:
#
# ``False``
# Default. The forward table is not managed and rules will not be added.
#
# ``True``
# Add the forwarding rules that follow.
nft__forward_table_manage: false
# ]]]
# .. envvar:: nft_forward_default_rules [[[
#
# List of forward rules to configure for all hosts inherited from this role.
nft_forward_default_rules:
000 policy:
- type filter hook forward priority 0; policy drop;
005 global:
- jump global
# ]]]
# .. envvar:: nft_forward_rules [[[
#
# List of forward rules to configure for all hosts in the Ansible inventory.
nft_forward_rules: {}
# ]]]
# .. envvar:: nft_forward_group_rules [[[
#
# List of forward rules to configure for hosts in specific Ansible inventory group.
nft_forward_group_rules: {}
# ]]]
# .. envvar:: nft_forward_host_rules [[[
#
# List of forward rules to configure for specific hosts in the Ansible inventory.
nft_forward_host_rules: {}
# ]]]
# .. envvar:: nft_forward_conf_path [[[
#
# Path to the forward rules file for the filter table to include in the main
# configuration file in order to use the previous defined lists.
#
# Should include the '{{ nft_conf_dir_path }}' var or be an absolut path.
nft_forward_conf_path: '{{ nft_conf_dir_path }}/filter-forward.nft'
# ]]]
# .. envvar:: nft_forward_conf_content [[[
#
# Template used to provide the previous forward rules file.
#
# Must be a relative path from default/ directory of this role or from your
# Ansible inventory directory.
nft_forward_conf_content: 'etc/nftables.d/filter-forward.nft.j2'
# ]]]
# ]]]
# ip nat table rules [[[
# ---------------------------

12
tasks/main.yml
View File

@ -127,6 +127,18 @@
notify: ['Reload nftables service']
when: nft_enabled|bool
- name: Filter table - generate forward rules file
template:
src: "{{ nft_forward_conf_content }}"
dest: "{{ nft_forward_conf_path }}"
owner: root
group: root
mode: 0755
backup: yes
notify: ['Reload nftables service']
when: (nft_enabled|bool and
nft__forward_table_manage|bool)
# Nat table content [[[1
- name: Nat table - generate prerouting rules file
template:

3
templates/etc/nftables.conf.j2
View File

@ -29,6 +29,9 @@ table inet filter {
include "{{ nft_set_conf_path }}"
include "{{ nft_input_conf_path }}"
include "{{ nft_output_conf_path }}"
{% if nft__forward_table_manage %}
include "{{ nft_forward_conf_path }}"
{% endif %}
{% if nft_custom_includes | default() %}
{% if nft_custom_includes is string %}
include "{{ nft_custom_includes }}"

21
templates/etc/nftables.d/filter-forward.nft.j2 Normal file
View File

@ -0,0 +1,21 @@
#jinja2: lstrip_blocks: "True", trim_blocks: "True"
# {{ ansible_managed }}
{% set forwardmerged = nft_forward_default_rules.copy() %}
{% set _ = forwardmerged.update(nft_forward_rules) %}
{% set _ = forwardmerged.update(nft_forward_group_rules) %}
{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules is defined %}
{% set _ = forwardmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_forward_group_rules) %}
{% endif %}
{% set _ = forwardmerged.update(nft_forward_host_rules) %}
chain forward {
{% for group, rules in forwardmerged|dictsort %}
# {{ group }}
{% if not rules %}
# (none)
{% endif %}
{% for rule in rules %}
{{ rule }}
{% endfor %}
{% endfor %}
}