Add possibility to have nftables vars.

2017-08-08 12:11:58 +02:00 · 2017-08-08 12:11:58 +02:00 · f1d2f6582f
parent 4fdf3232c3
commit f1d2f6582f
5 changed files with 42 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -14,7 +14,7 @@

 A role to manage Nftables rules and packages.

-Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks !
+Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks ! I hope i haven't complexify his philosophy… ^^

 ## Role Variables

@ -30,6 +30,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_input_default_rules** : Set default rules for `input` chain.
 * **nft_input_group_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** for a group.
 * **nft_input_host_rules:** : Hosts can also add or override `input` rules.
+* **nft_define_default** : Set default vars available in all rules.
+* **nft_define_group** : You can add vars or override those defined by **nft_define_default** for groups.
+* **nft_define_host** : You can add or override existant vars.
 * **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
 * **nft_service_name** : `nftables` service name [default : `nftables`].

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -10,6 +10,8 @@ nft_main_conf_path: '/etc/nftables.conf'
 nft_main_conf_content: 'etc/nftables.conf.j2'
 nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
 nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
+nft_define_conf_path: '/etc/nftables.d/defines.nft'
+nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'

 # rules
 nft_global_default_rules:
@ -26,6 +28,15 @@ nft_input_default_rules:
 nft_input_group_rules: {}
 nft_input_host_rules: {}

+# define nft vars
+nft_define_default:
+  broadcast and multicast:
+    desc: 'broadcast and multicast'
+    name: badcast_addr
+    value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
+nft_define_group: {}
+nft_define_host: {}
+
 # service
 nft_service_manage: true
 nft_service_name: 'nftables'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -39,4 +39,14 @@
    mode: 0755
    backup: yes
  notify: restart nftables service
+
+- name: generate vars definition file
+  template:
+    src: "{{ nft_define_conf_content }}"
+    dest: "{{ nft_define_conf_path }}"
+    owner: root
+    group: root
+    mode: 0755
+    backup: yes
+  notify: restart nftables service
 # }}}
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@ -1,6 +1,5 @@
 #!/usr/sbin/nft -f
 # {{ ansible_managed }}
-
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_group_rules) %}
 {% set _ = globalmerged.update(nft_global_host_rules) %}
@ -8,6 +7,8 @@
 # clean
 flush ruleset

+include "/etc/nftables.d/defines.nft"
+
 table inet firewall {
 	chain global {
 {% for group, rules in globalmerged|dictsort  %}
--- a/templates/etc/nftables.d/defines.nft.j2
+++ b/templates/etc/nftables.d/defines.nft.j2
@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+{% set definemerged = nft_define_default.copy() %}
+{% set _ = definemerged.update(nft_define_group) %}
+{% set _ = definemerged.update(nft_define_host) %}
+
+
+{% for definition in definemerged.values() %}
+{% if definition.desc is defined %}
+# {{ definition.desc }}
+{% else %}
+# {{ definition.name }}
+{% endif %}
+define {{ definition.name }} = {{ definition.value }}
+
+{% endfor %}