diff --git a/README.md b/README.md
index a6e9552..0c266f0 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ A role to manage Nftables rules and packages.
-Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks !
+Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks ! I hope i haven't complexify his philosophy… ^^
 ## Role Variables
@@ -30,6 +30,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_input_default_rules** : Set default rules for `input` chain.
 * **nft_input_group_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** for a group.
 * **nft_input_host_rules:** : Hosts can also add or override `input` rules.
+* **nft_define_default** : Set default vars available in all rules.
+* **nft_define_group** : You can add vars or override those defined by **nft_define_default** for groups.
+* **nft_define_host** : You can add or override existant vars.
 * **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
 * **nft_service_name** : `nftables` service name [default : `nftables`].
diff --git a/defaults/main.yml b/defaults/main.yml
index 714be50..d6fb377 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,8 @@ nft_main_conf_path: '/etc/nftables.conf'
 nft_main_conf_content: 'etc/nftables.conf.j2'
 nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
 nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
+nft_define_conf_path: '/etc/nftables.d/defines.nft'
+nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
 # rules
 nft_global_default_rules:
@@ -26,6 +28,15 @@ nft_input_default_rules:
 nft_input_group_rules: {}
 nft_input_host_rules: {}
+# define nft vars
+nft_define_default:
+ broadcast and multicast:
+ desc: 'broadcast and multicast'
+ name: badcast_addr
+ value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
+nft_define_group: {}
+nft_define_host: {}
+
 # service
 nft_service_manage: true
 nft_service_name: 'nftables'
diff --git a/tasks/main.yml b/tasks/main.yml
index 92e19f7..3148881 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -39,4 +39,14 @@
 mode: 0755
 backup: yes
 notify: restart nftables service
+
+- name: generate vars definition file
+ template:
+ src: "{{ nft_define_conf_content }}"
+ dest: "{{ nft_define_conf_path }}"
+ owner: root
+ group: root
+ mode: 0755
+ backup: yes
+ notify: restart nftables service
 # }}}
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index 9f28db8..92735c7 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -1,6 +1,5 @@
 #!/usr/sbin/nft -f
 # {{ ansible_managed }}
-
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_group_rules) %}
 {% set _ = globalmerged.update(nft_global_host_rules) %}
@@ -8,6 +7,8 @@
 # clean
 flush ruleset
+include "/etc/nftables.d/defines.nft"
+
 table inet firewall {
 chain global {
 {% for group, rules in globalmerged|dictsort %}
diff --git a/templates/etc/nftables.d/defines.nft.j2 b/templates/etc/nftables.d/defines.nft.j2
new file mode 100644
index 0000000..33900de
--- /dev/null
+++ b/templates/etc/nftables.d/defines.nft.j2
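Review bot: Group and host overrides of `nft_define_default` are matched on the outer mapping key (`broadcast and multicast`), not on `name`, so a group entry filed under a different key that reuses `name: badcast_addr` produces two `define badcast_addr` lines in the same generated file, which nft will most likely reject as a redefinition when the ruleset is loaded. Because the merge is a flat `dict.update`, an override also replaces the whole entry, so one that only sets `value` silently drops `name` and breaks rendering. Neither rule is visible from the defaults alone; state it above the block: `# merged by mapping key (default < group < host); an override replaces the whole entry (desc/name/value), and 'name' must stay unique across entries`. `backup: yes`-style truthy values elsewhere aside, `nft_define_group: {}` / `nft_define_host: {}` as explicit empty mappings is the right shape for the `.update()` calls.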
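Review bot: The new task installs a file that is only ever pulled in through nft `include`, so `mode: 0755` grants an execute bit it does not need; `mode: '0644'` (quoted, the form Ansible recommends for octal modes) is enough, and `backup: true` avoids the YAML 1.1 truthy spelling. More importantly, a malformed `value` in any define entry is only discovered when the `restart nftables service` handler runs, at which point the service can come up without its ruleset; since the generated file holds only `define` statements it should parse on its own, so `validate: 'nft -c -f %s'` on this task would refuse to install a broken file before the restart is triggered (confirm on the target nft version that a defines-only file passes `nft -c`). The task list this hunk extends starts outside the hunk.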
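Review bot: The include path is hard-coded as `/etc/nftables.d/defines.nft` while the task that writes the file uses `{{ nft_define_conf_path }}`; if an operator overrides that variable, the main conf keeps including the old path, so `nft -f` either fails on a missing file or, worse, silently loads a stale copy left at the old location. Render the same variable here: `include "{{ nft_define_conf_path }}"`. The position of the include, after `flush ruleset` and before `table inet firewall`, is correct since the defines must precede the rules that reference them.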
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+{% set definemerged = nft_define_default.copy() %}
+{% set _ = definemerged.update(nft_define_group) %}
+{% set _ = definemerged.update(nft_define_host) %}
+
+
+{% for definition in definemerged.values() %}
+{% if definition.desc is defined %}
+# {{ definition.desc }}
+{% else %}
+# {{ definition.name }}
+{% endif %}
+define {{ definition.name }} = {{ definition.value }}
+
+{% endfor %}
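Review bot: `definition.name` and `definition.value` are written verbatim into a file that `nft -f` executes as root, with no check that `name` is a plain identifier or that either key is present; an entry missing `name` or `value` either aborts templating with an undefined-variable error or renders `define  = …` and breaks the whole ruleset load, depending on Ansible's undefined handling, and anyone able to set group/host vars can inject arbitrary nft statements through `value` (acceptable for trusted inventory, but it should be documented). Fail early and explicitly with `define {{ definition.name | mandatory }} = {{ definition.value | mandatory }}`, and add a header comment after `ansible_managed` noting that name and value are interpolated raw into the ruleset. The `desc` comment has the same property: a description containing a newline escapes the `#` comment and becomes a statement. The two consecutive blank lines after the `set` block are a minor style nit.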