Set's name can't exceed 15 characters !

Jeremy Gardais 2018-01-05 15:01:30 +01:00
parent 38e1d0dabc
commit ead7a337a0
3 changed files with 41 additions and 36 deletions


@ -1,4 +1,9 @@
## v1.2.2
### Fix
* Set's name can't exceed 15 characters!
## v1.2.1 ## v1.2.1
### Features ### Features


@ -85,9 +85,9 @@ nft_input_default_rules:
015 localhost: 015 localhost:
- iif lo accept - iif lo accept
200 input udp accepted: 200 input udp accepted:
- udp dport @input_udp_accept ct state new accept - udp dport @in_udp_accept ct state new accept
210 input tcp accepted: 210 input tcp accepted:
- tcp dport @input_tcp_accept ct state new accept - tcp dport @in_tcp_accept ct state new accept
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
@ -101,9 +101,9 @@ nft_output_default_rules:
050 icmp: 050 icmp:
- ip protocol icmp accept - ip protocol icmp accept
200 output udp accepted: 200 output udp accepted:
- udp dport @output_udp_accept ct state new accept - udp dport @out_udp_accept ct state new accept
210 output tcp accepted: 210 output tcp accepted:
- tcp dport @output_tcp_accept ct state new accept - tcp dport @out_tcp_accept ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}
@ -114,16 +114,16 @@ nft_define_default:
name: badcast_addr name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
input tcp accepted: input tcp accepted:
name: input_tcp_accept name: in_tcp_accept
value: '{ ssh }' value: '{ ssh }'
input udp accepted: input udp accepted:
name: input_udp_accept name: in_udp_accept
value: 'none' value: 'none'
output tcp accepted: output tcp accepted:
name: output_tcp_accept name: out_tcp_accept
value: '{ http, https, hkp }' value: '{ http, https, hkp }'
output udp accepted: output udp accepted:
name: output_udp_accept name: out_udp_accept
value: '{ bootps, domain, ntp }' value: '{ bootps, domain, ntp }'
nft_define_group: {} nft_define_group: {}
nft_define_host: {} nft_define_host: {}
@ -133,17 +133,17 @@ nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
- elements = $badcast_addr - elements = $badcast_addr
input_tcp_accept: in_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $input_tcp_accept - elements = $in_tcp_accept
input_udp_accept: in_udp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
output_tcp_accept: out_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $output_tcp_accept - elements = $out_tcp_accept
output_udp_accept: out_udp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $output_udp_accept - elements = $out_udp_accept
nft_set_group: {} nft_set_group: {}
nft_set_host: {} nft_set_host: {}
``` ```
@ -179,13 +179,13 @@ table inet firewall {
elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251} elements = { 255.255.255.255, 224.0.0.1, 224.0.0.251}
} }
set output_tcp_accept { set out_tcp_accept {
type inet_service type inet_service
flags interval flags interval
elements = { http, https, hkp} elements = { http, https, hkp}
} }
set output_udp_accept { set out_udp_accept {
type inet_service type inet_service
flags interval flags interval
elements = { domain, bootps, ntp} elements = { domain, bootps, ntp}
@ -201,8 +201,8 @@ table inet firewall {
jump global jump global
ip daddr @blackhole counter packets 0 bytes 0 drop ip daddr @blackhole counter packets 0 bytes 0 drop
iif "lo" accept iif "lo" accept
udp dport @input_udp_accept ct state new accept udp dport @in_udp_accept ct state new accept
tcp dport @input_tcp_accept ct state new accept tcp dport @in_tcp_accept ct state new accept
} }
chain output { chain output {
@ -210,8 +210,8 @@ table inet firewall {
jump global jump global
oif "lo" accept oif "lo" accept
ip protocol icmp accept ip protocol icmp accept
udp dport @output_udp_accept ct state new accept udp dport @out_udp_accept ct state new accept
tcp dport @output_tcp_accept ct state new accept tcp dport @out_tcp_accept ct state new accept
} }
} }
``` ```


@ -39,9 +39,9 @@ nft_input_default_rules:
015 localhost: 015 localhost:
- iif lo accept - iif lo accept
200 input udp accepted: 200 input udp accepted:
- udp dport @input_udp_accept ct state new accept - udp dport @in_udp_accept ct state new accept
210 input tcp accepted: 210 input tcp accepted:
- tcp dport @input_tcp_accept ct state new accept - tcp dport @in_tcp_accept ct state new accept
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
@ -56,9 +56,9 @@ nft_output_default_rules:
- ip protocol icmp accept - ip protocol icmp accept
- ip6 nexthdr icmpv6 counter accept - ip6 nexthdr icmpv6 counter accept
200 output udp accepted: 200 output udp accepted:
- udp dport @output_udp_accept ct state new accept - udp dport @out_udp_accept ct state new accept
210 output tcp accepted: 210 output tcp accepted:
- tcp dport @output_tcp_accept ct state new accept - tcp dport @out_tcp_accept ct state new accept
nft_output_group_rules: {} nft_output_group_rules: {}
nft_output_host_rules: {} nft_output_host_rules: {}
@ -69,16 +69,16 @@ nft_define_default:
name: badcast_addr name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }' value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
input tcp accepted: input tcp accepted:
name: input_tcp_accept name: in_tcp_accept
value: '{ ssh }' value: '{ ssh }'
input udp accepted: input udp accepted:
name: input_udp_accept name: in_udp_accept
value: 'none' value: 'none'
output tcp accepted: output tcp accepted:
name: output_tcp_accept name: out_tcp_accept
value: '{ http, https, hkp }' value: '{ http, https, hkp }'
output udp accepted: output udp accepted:
name: output_udp_accept name: out_udp_accept
value: '{ bootps, domain, ntp }' value: '{ bootps, domain, ntp }'
nft_define_group: {} nft_define_group: {}
nft_define_host: {} nft_define_host: {}
@ -88,17 +88,17 @@ nft_set_default:
blackhole: blackhole:
- type ipv4_addr; - type ipv4_addr;
- elements = $badcast_addr - elements = $badcast_addr
input_tcp_accept: in_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $input_tcp_accept - elements = $in_tcp_accept
input_udp_accept: in_udp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
output_tcp_accept: out_tcp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $output_tcp_accept - elements = $out_tcp_accept
output_udp_accept: out_udp_accept:
- type inet_service; flags interval; - type inet_service; flags interval;
- elements = $output_udp_accept - elements = $out_udp_accept
nft_set_group: {} nft_set_group: {}
nft_set_host: {} nft_set_host: {}
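Review bot: Nothing next to `nft_set_default` records the 15-character limit on set names that this rename works around, so the next key added to `nft_set_default`, `nft_set_group` or `nft_set_host` can hit the same problem; a comment above the block such as `# Set names must not exceed 15 characters.` would make the constraint visible. The rename also changes identifiers that existing inventories may reference. A group or host rule that still uses `@input_tcp_accept` or `@output_udp_accept`, or a define override that keeps `name: input_tcp_accept`, would presumably leave the set or `$in_tcp_accept` unresolved, so the ruleset would fail to load. For a firewall role that deserves an explicit upgrade step in the v1.2.2 changelog entry rather than a plain "Fix" line. The templates and the task that loads the ruleset are not visible here, so it is worth confirming that a failed load keeps the previous ruleset in place instead of leaving the host unfiltered.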