Ensure that the directory holding the different configuration files (/etc/nftables.d) is created.
This commit is contained in:
parent
c70b1bdc91
commit
e439f6ae5f
|
@ -1,4 +1,9 @@
|
||||||
|
|
||||||
|
## v1.2
|
||||||
|
|
||||||
|
### Fixes
|
||||||
|
* Ensure to create the the directory to store the differents configuration files (/etc/nftables.d).
|
||||||
|
|
||||||
## v1.1
|
## v1.1
|
||||||
|
|
||||||
### Features
|
### Features
|
||||||
|
|
|
@ -20,15 +20,16 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
|
||||||
|
|
||||||
* **nft_pkg_manage** : If `nftables` package(s) should be managed with this role [default : `true`].
|
* **nft_pkg_manage** : If `nftables` package(s) should be managed with this role [default : `true`].
|
||||||
* **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
|
* **nft_pkg_state** : State of new `nftables` package(s) [default : `installed`].
|
||||||
|
* **nft_conf_dir_path** : Directory to store the differents Nftables configuration files [default : `/etc/nftables.d`].
|
||||||
* **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
|
* **nft_main_conf_path** : Main configuration file loaded by systemd unit [default : `/etc/nftables.conf`].
|
||||||
* **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
|
* **nft_main_conf_content** : Template used to generate the previous main configuration file [default : `etc/nftables.conf.j2`].
|
||||||
* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `/etc/nftables.d/filter-input.nft`].
|
* **nft_input_conf_path** : Input configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}filter-input.nft`].
|
||||||
* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/filter-input.nft.j2`].
|
* **nft_input_conf_content** : Template used to generate the previous input configuration file [default : `etc/nftables.d/filter-input.nft.j2`].
|
||||||
|
* **nft_output_conf_path** : Output configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}filter-output.nft`].
|
||||||
* **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
|
* **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
|
||||||
* **nft_output_conf_path** : Output configuration file include in main configuration file [default : `/etc/nftables.d/filter-output.nft`].
|
* **nft_define_conf_path** : Vars definition file include in main configuration file [default : `{{ nft_conf_dir_path }}defines.nft`].
|
||||||
* **nft_define_conf_path** : Vars definition file include in main configuration file [default : `/etc/nftables.d/defines.nft`].
|
|
||||||
* **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
|
* **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
|
||||||
* **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `/etc/nftables.d/sets.nft`].
|
* **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `{{ nft_conf_dir_path }}sets.nft`].
|
||||||
* **nft_sets_conf_content** : Template used to generate the previous sets and maps definition file [default : `etc/nftables.d/sets.nft.j2`].
|
* **nft_sets_conf_content** : Template used to generate the previous sets and maps definition file [default : `etc/nftables.d/sets.nft.j2`].
|
||||||
* **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
|
* **nft_global_default_rules** : Set default rules for `global` chain. Other chains will jump to `global` before apply their specific rules.
|
||||||
* **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
|
* **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** for a group.
|
||||||
|
|
|
@ -6,15 +6,16 @@ nft_pkg_manage: true
|
||||||
nft_pkg_state: 'installed'
|
nft_pkg_state: 'installed'
|
||||||
|
|
||||||
# files
|
# files
|
||||||
|
nft_conf_dir_path: '/etc/nftables.d'
|
||||||
nft_main_conf_path: '/etc/nftables.conf'
|
nft_main_conf_path: '/etc/nftables.conf'
|
||||||
nft_main_conf_content: 'etc/nftables.conf.j2'
|
nft_main_conf_content: 'etc/nftables.conf.j2'
|
||||||
nft_input_conf_path: '/etc/nftables.d/filter-input.nft'
|
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
|
||||||
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
|
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
|
||||||
nft_output_conf_path: '/etc/nftables.d/filter-output.nft'
|
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
|
||||||
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
|
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
|
||||||
nft_define_conf_path: '/etc/nftables.d/defines.nft'
|
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
|
||||||
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
||||||
nft_set_conf_path: '/etc/nftables.d/sets.nft'
|
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
|
||||||
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
|
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'
|
||||||
|
|
||||||
# rules
|
# rules
|
||||||
|
|
|
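Review bot: The derived defaults in this hunk (`nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'` and the three siblings) carry an explicit `/` separator, but the README updated in the same commit documents the same defaults as `{{ nft_conf_dir_path }}filter-input.nft` with no slash, so a reader copying the documented value would end up with `/etc/nftables.dfilter-input.nft`. One of the two needs to change; the defaults file is the authoritative one, so the README lines should read `{{ nft_conf_dir_path }}/filter-input.nft` (and likewise for output, defines and sets). While there, note that the README names the sets variables `nft_sets_conf_path` / `nft_sets_conf_content` whereas this file defines `nft_set_conf_path` / `nft_set_conf_content`; that mismatch predates this commit, but a user following the README would override a variable the role never reads.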
@ -20,7 +20,13 @@
|
||||||
# }}}
|
# }}}
|
||||||
|
|
||||||
# conf {{{
|
# conf {{{
|
||||||
- name: generate main conf file
|
- name: CONFIG create nftables.d dir
|
||||||
|
file:
|
||||||
|
path: "{{ nft_conf_dir_path }}"
|
||||||
|
state: directory
|
||||||
|
mode: 0755
|
||||||
|
|
||||||
|
- name: CONFIG generate main conf file
|
||||||
template:
|
template:
|
||||||
src: "{{ nft_main_conf_content }}"
|
src: "{{ nft_main_conf_content }}"
|
||||||
dest: "{{ nft_main_conf_path }}"
|
dest: "{{ nft_main_conf_path }}"
|
||||||
|
@ -30,7 +36,7 @@
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nftables service
|
notify: restart nftables service
|
||||||
|
|
||||||
- name: generate input rules file
|
- name: CONFIG generate input rules file
|
||||||
template:
|
template:
|
||||||
src: "{{ nft_input_conf_content }}"
|
src: "{{ nft_input_conf_content }}"
|
||||||
dest: "{{ nft_input_conf_path }}"
|
dest: "{{ nft_input_conf_path }}"
|
||||||
|
@ -40,7 +46,7 @@
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nftables service
|
notify: restart nftables service
|
||||||
|
|
||||||
- name: generate output rules file
|
- name: CONFIG generate output rules file
|
||||||
template:
|
template:
|
||||||
src: "{{ nft_output_conf_content }}"
|
src: "{{ nft_output_conf_content }}"
|
||||||
dest: "{{ nft_output_conf_path }}"
|
dest: "{{ nft_output_conf_path }}"
|
||||||
|
@ -50,7 +56,7 @@
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nftables service
|
notify: restart nftables service
|
||||||
|
|
||||||
- name: generate vars definition file
|
- name: CONFIG generate vars definition file
|
||||||
template:
|
template:
|
||||||
src: "{{ nft_define_conf_content }}"
|
src: "{{ nft_define_conf_content }}"
|
||||||
dest: "{{ nft_define_conf_path }}"
|
dest: "{{ nft_define_conf_path }}"
|
||||||
|
@ -60,7 +66,7 @@
|
||||||
backup: yes
|
backup: yes
|
||||||
notify: restart nftables service
|
notify: restart nftables service
|
||||||
|
|
||||||
- name: generate sets and maps file
|
- name: CONFIG generate sets and maps file
|
||||||
template:
|
template:
|
||||||
src: "{{ nft_set_conf_content }}"
|
src: "{{ nft_set_conf_content }}"
|
||||||
dest: "{{ nft_set_conf_path }}"
|
dest: "{{ nft_set_conf_path }}"
|
||||||
|
|
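Review bot: The new `CONFIG create nftables.d dir` task in the first hunk (`@ -20,7 +20,13 @@`) sets `mode: 0755` but no `owner`/`group`, so if `{{ nft_conf_dir_path }}` already exists with other ownership the role leaves that ownership in place. Per the README the files the following tasks generate into this directory are included by the main configuration that the systemd unit loads, so whoever owns the directory can swap in their own ruleset; pin it to root by adding `owner: root` and `group: root` beside `mode: 0755`. The five template tasks hide their lines between `dest` and `backup: yes` outside these hunks, so I cannot tell from here whether they enforce ownership and mode on the generated files themselves — worth checking in the same pass.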