Add possibility to have nftables vars.

Jeremy Gardais 2017-08-08 12:11:58 +02:00
parent 4fdf3232c3
commit f1d2f6582f
5 changed files with 42 additions and 2 deletions


@ -14,7 +14,7 @@
A role to manage Nftables rules and packages. A role to manage Nftables rules and packages.
Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks! Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks! I hope i haven't complexify his philosophy… ^^
## Role Variables ## Role Variables
@ -30,6 +30,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_input_default_rules**: Set default rules for `input` chain. * **nft_input_default_rules**: Set default rules for `input` chain.
* **nft_input_group_rules**: You can add `input` rules or override those defined by **nft_input_default_rules** for a group. * **nft_input_group_rules**: You can add `input` rules or override those defined by **nft_input_default_rules** for a group.
* **nft_input_host_rules:**: Hosts can also add or override `input` rules. * **nft_input_host_rules:**: Hosts can also add or override `input` rules.
* **nft_define_default**: Set default vars available in all rules.
* **nft_define_group**: You can add vars or override those defined by **nft_define_default** for groups.
* **nft_define_host**: You can add or override existant vars.
* **nft_service_manage**: If `nftables` service should be managed with this role [default: `true`]. * **nft_service_manage**: If `nftables` service should be managed with this role [default: `true`].
* **nft_service_name**: `nftables` service name [default: `nftables`]. * **nft_service_name**: `nftables` service name [default: `nftables`].


@ -10,6 +10,8 @@ nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2' nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '/etc/nftables.d/inet-filter.nft' nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2' nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
nft_define_conf_path: '/etc/nftables.d/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
# rules # rules
nft_global_default_rules: nft_global_default_rules:
@ -26,6 +28,15 @@ nft_input_default_rules:
nft_input_group_rules: {} nft_input_group_rules: {}
nft_input_host_rules: {} nft_input_host_rules: {}
# define nft vars
nft_define_default:
broadcast and multicast:
desc: 'broadcast and multicast'
name: badcast_addr
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
nft_define_group: {}
nft_define_host: {}
# service # service
nft_service_manage: true nft_service_manage: true
nft_service_name: 'nftables' nft_service_name: 'nftables'
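Review bot: The `# define nft vars` comment above the new `nft_define_default` block does not say what the mapping key (`broadcast and multicast`) is for, and a reader will assume it is the nft symbol name when the template actually emits `name`. Because the three levels are merged by that key, two entries with different keys but the same `name` survive the merge and would both be written as `define badcast_addr = …`; I would state the contract in the comment: `# define nft vars: the mapping key is only used to override an entry from a group/host; `name` is the nft symbol and must stay unique after merging; `desc` is optional`. The `desc` here merely repeats the key, so it could be dropped from the default to show that it is optional.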


@ -39,4 +39,14 @@
mode: 0755 mode: 0755
backup: yes backup: yes
notify: restart nftables service notify: restart nftables service
- name: generate vars definition file
template:
src: "{{ nft_define_conf_content }}"
dest: "{{ nft_define_conf_path }}"
owner: root
group: root
mode: 0755
backup: yes
notify: restart nftables service
# }}} # }}}
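Review bot: The new "generate vars definition file" task installs a plain nft include file with `mode: 0755`, but nothing executes `/etc/nftables.d/defines.nft` — it is only read by `include` from the main conf — so the execute bits are unnecessary and world-readable is wider than a firewall definition file needs. The value copies the task above it (also `0755`), so this keeps the role consistent; still, `mode: '0644'` (quoted, as Ansible recommends for octal modes) would be the correct permission for this file, with the sibling tasks tightened in a follow-up. The task list this hunk appends to starts outside the hunk.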


@ -1,6 +1,5 @@
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
# {{ ansible_managed }} # {{ ansible_managed }}
{% set globalmerged = nft_global_default_rules.copy() %} {% set globalmerged = nft_global_default_rules.copy() %}
{% set _ = globalmerged.update(nft_global_group_rules) %} {% set _ = globalmerged.update(nft_global_group_rules) %}
{% set _ = globalmerged.update(nft_global_host_rules) %} {% set _ = globalmerged.update(nft_global_host_rules) %}
@ -8,6 +7,8 @@
# clean # clean
flush ruleset flush ruleset
include "/etc/nftables.d/defines.nft"
table inet firewall { table inet firewall {
chain global { chain global {
{% for group, rules in globalmerged|dictsort %} {% for group, rules in globalmerged|dictsort %}
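Review bot: The added `include "/etc/nftables.d/defines.nft"` hard-codes the path, while the same commit exposes it as `nft_define_conf_path` in defaults and writes the file to `{{ nft_define_conf_path }}` in the task; a user who overrides the variable gets the file written to one place and included from another, and `nft -f` fails on the missing include. Use the variable here too, `include "{{ nft_define_conf_path }}"`, so the two stay in step. The placement after `flush ruleset` and before `table inet firewall` is right, since the defines must be visible before the rules that reference them.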


@ -0,0 +1,15 @@
# {{ ansible_managed }}
{% set definemerged = nft_define_default.copy() %}
{% set _ = definemerged.update(nft_define_group) %}
{% set _ = definemerged.update(nft_define_host) %}
{% for definition in definemerged.values() %}
{% if definition.desc is defined %}
# {{ definition.desc }}
{% else %}
# {{ definition.name }}
{% endif %}
define {{ definition.name }} = {{ definition.value }}
{% endfor %}
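Review bot: The loop checks only for a missing `desc`, so an entry without `name` or `value` fails deep inside the template with an undefined-variable error that does not say which definition is broken. Since these keys are required for the emitted `define {{ definition.name }} = {{ definition.value }}` line, I would make that explicit with Ansible's `mandatory` filter, e.g. `define {{ definition.name | mandatory }} = {{ definition.value | mandatory }}`. Note also that `desc` is written verbatim after `#`, so a multi-line description would escape the comment and land in the ruleset; a one-line comment on the template documenting that `desc` must be a single line would cover that.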