Ensure the directory used to store the different configuration files (/etc/nftables.d) is created.

This commit is contained in:
Jeremy Gardais 2017-08-18 09:18:43 +02:00
parent c70b1bdc91
commit e439f6ae5f
4 changed files with 26 additions and 13 deletions


@ -1,4 +1,9 @@
## v1.2
### Fixes
* Ensure to create the the directory to store the differents configuration files (/etc/nftables.d).
## v1.1 ## v1.1
### Features ### Features


@ -20,15 +20,16 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_pkg_manage**: If `nftables` package(s) should be managed with this role [default: `true`]. * **nft_pkg_manage**: If `nftables` package(s) should be managed with this role [default: `true`].
* **nft_pkg_state**: State of new `nftables` package(s) [default: `installed`]. * **nft_pkg_state**: State of new `nftables` package(s) [default: `installed`].
* **nft_conf_dir_path**: Directory to store the differents Nftables configuration files [default: `/etc/nftables.d`].
* **nft_main_conf_path**: Main configuration file loaded by systemd unit [default: `/etc/nftables.conf`]. * **nft_main_conf_path**: Main configuration file loaded by systemd unit [default: `/etc/nftables.conf`].
* **nft_main_conf_content**: Template used to generate the previous main configuration file [default: `etc/nftables.conf.j2`]. * **nft_main_conf_content**: Template used to generate the previous main configuration file [default: `etc/nftables.conf.j2`].
* **nft_input_conf_path**: Input configuration file include in main configuration file [default: `/etc/nftables.d/filter-input.nft`]. * **nft_input_conf_path**: Input configuration file include in main configuration file [default: `{{ nft_conf_dir_path }}filter-input.nft`].
* **nft_input_conf_content**: Template used to generate the previous input configuration file [default: `etc/nftables.d/filter-input.nft.j2`]. * **nft_input_conf_content**: Template used to generate the previous input configuration file [default: `etc/nftables.d/filter-input.nft.j2`].
* **nft_output_conf_path**: Output configuration file include in main configuration file [default: `{{ nft_conf_dir_path }}filter-output.nft`].
* **nft_output_conf_content**: Template used to generate the previous output configuration file [default: `etc/nftables.d/filter-output.nft.j2`]. * **nft_output_conf_content**: Template used to generate the previous output configuration file [default: `etc/nftables.d/filter-output.nft.j2`].
* **nft_output_conf_path**: Output configuration file include in main configuration file [default: `/etc/nftables.d/filter-output.nft`]. * **nft_define_conf_path**: Vars definition file include in main configuration file [default: `{{ nft_conf_dir_path }}defines.nft`].
* **nft_define_conf_path**: Vars definition file include in main configuration file [default: `/etc/nftables.d/defines.nft`].
* **nft_define_conf_content**: Template used to generate the previous vars definition file [default: `etc/nftables.d/defines.nft.j2`]. * **nft_define_conf_content**: Template used to generate the previous vars definition file [default: `etc/nftables.d/defines.nft.j2`].
* **nft_sets_conf_path**: Sets and maps definition file include in main configuration file [default: `/etc/nftables.d/sets.nft`]. * **nft_sets_conf_path**: Sets and maps definition file include in main configuration file [default: `{{ nft_conf_dir_path }}sets.nft`].
* **nft_sets_conf_content**: Template used to generate the previous sets and maps definition file [default: `etc/nftables.d/sets.nft.j2`]. * **nft_sets_conf_content**: Template used to generate the previous sets and maps definition file [default: `etc/nftables.d/sets.nft.j2`].
* **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules. * **nft_global_default_rules**: Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
* **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group. * **nft_global_group_rules**: You can add `global` rules or override those defined by **nft_global_default_rules** for a group.


@ -6,15 +6,16 @@ nft_pkg_manage: true
nft_pkg_state: 'installed' nft_pkg_state: 'installed'
# files # files
nft_conf_dir_path: '/etc/nftables.d'
nft_main_conf_path: '/etc/nftables.conf' nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2' nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '/etc/nftables.d/filter-input.nft' nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2' nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
nft_output_conf_path: '/etc/nftables.d/filter-output.nft' nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2' nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
nft_define_conf_path: '/etc/nftables.d/defines.nft' nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2' nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
nft_set_conf_path: '/etc/nftables.d/sets.nft' nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2' nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
# rules # rules
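Review bot: The README hunk documents these same defaults without the `/` separator that the values here use (`{{ nft_conf_dir_path }}filter-input.nft` in the README versus `'{{ nft_conf_dir_path }}/filter-input.nft'` here), so the two files now disagree; the defaults are what gets rendered, so the README text should be corrected to match. The README also names the sets variables `nft_sets_conf_path`/`nft_sets_conf_content`, while the keys here are `nft_set_conf_path`/`nft_set_conf_content` (`nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'`), so a user following the README would set a variable nothing reads and silently keep the default. A comment above the new key, such as `# no trailing slash: the *_conf_path values append '/<file>'`, would make the join convention explicit, since a value ending in `/` would produce a double slash in every rendered path.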


@ -20,7 +20,13 @@
# }}} # }}}
# conf {{{ # conf {{{
- name: generate main conf file - name: CONFIG create nftables.d dir
file:
path: "{{ nft_conf_dir_path }}"
state: directory
mode: 0755
- name: CONFIG generate main conf file
template: template:
src: "{{ nft_main_conf_content }}" src: "{{ nft_main_conf_content }}"
dest: "{{ nft_main_conf_path }}" dest: "{{ nft_main_conf_path }}"
@ -30,7 +36,7 @@
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate input rules file - name: CONFIG generate input rules file
template: template:
src: "{{ nft_input_conf_content }}" src: "{{ nft_input_conf_content }}"
dest: "{{ nft_input_conf_path }}" dest: "{{ nft_input_conf_path }}"
@ -40,7 +46,7 @@
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate output rules file - name: CONFIG generate output rules file
template: template:
src: "{{ nft_output_conf_content }}" src: "{{ nft_output_conf_content }}"
dest: "{{ nft_output_conf_path }}" dest: "{{ nft_output_conf_path }}"
@ -50,7 +56,7 @@
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate vars definition file - name: CONFIG generate vars definition file
template: template:
src: "{{ nft_define_conf_content }}" src: "{{ nft_define_conf_content }}"
dest: "{{ nft_define_conf_path }}" dest: "{{ nft_define_conf_path }}"
@ -60,7 +66,7 @@
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate sets and maps file - name: CONFIG generate sets and maps file
template: template:
src: "{{ nft_set_conf_content }}" src: "{{ nft_set_conf_content }}"
dest: "{{ nft_set_conf_path }}" dest: "{{ nft_set_conf_path }}"
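Review bot: `mode: 0755` in the new `CONFIG create nftables.d dir` task is an unquoted octal literal; PyYAML (YAML 1.1) reads it as the integer 493, which Ansible maps back to 0755, but a YAML 1.2 reader or a linter sees decimal 755, and the rest of this task file quotes its scalar values. Writing it `mode: '0755'` makes the intent unambiguous under either YAML version. The task sets no explicit `owner`/`group`, so the directory takes the identity of the connecting user unless the play escalates to root — presumably it does, given the `/etc` paths, but `owner: root` and `group: root` would pin that. The modes of the templated rule files are outside these hunks; if the rendered defines/sets are considered sensitive, a tighter directory mode such as `'0750'` could be considered. The task list continues outside the hunk.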