Add possibility to have nftables vars.
This commit is contained in:
parent
4fdf3232c3
commit
f1d2f6582f
|
@ -14,7 +14,7 @@
|
|||
|
||||
A role to manage Nftables rules and packages.
|
||||
|
||||
Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks !
|
||||
Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (3 levels of rules definition and template), thanks ! I hope i haven't complexify his philosophy… ^^
|
||||
|
||||
## Role Variables
|
||||
|
||||
|
@ -30,6 +30,9 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
|
|||
* **nft_input_default_rules** : Set default rules for `input` chain.
|
||||
* **nft_input_group_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** for a group.
|
||||
* **nft_input_host_rules:** : Hosts can also add or override `input` rules.
|
||||
* **nft_define_default** : Set default vars available in all rules.
|
||||
* **nft_define_group** : You can add vars or override those defined by **nft_define_default** for groups.
|
||||
* **nft_define_host** : You can add or override existant vars.
|
||||
* **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
|
||||
* **nft_service_name** : `nftables` service name [default : `nftables`].
|
||||
|
||||
|
|
|
@ -10,6 +10,8 @@ nft_main_conf_path: '/etc/nftables.conf'
|
|||
nft_main_conf_content: 'etc/nftables.conf.j2'
|
||||
nft_input_conf_path: '/etc/nftables.d/inet-filter.nft'
|
||||
nft_input_conf_content: 'etc/nftables.d/inet-filter.nft.j2'
|
||||
nft_define_conf_path: '/etc/nftables.d/defines.nft'
|
||||
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
|
||||
|
||||
# rules
|
||||
nft_global_default_rules:
|
||||
|
@ -26,6 +28,15 @@ nft_input_default_rules:
|
|||
nft_input_group_rules: {}
|
||||
nft_input_host_rules: {}
|
||||
|
||||
# define nft vars
|
||||
nft_define_default:
|
||||
broadcast and multicast:
|
||||
desc: 'broadcast and multicast'
|
||||
name: badcast_addr
|
||||
value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
|
||||
nft_define_group: {}
|
||||
nft_define_host: {}
|
||||
|
||||
# service
|
||||
nft_service_manage: true
|
||||
nft_service_name: 'nftables'
|
||||
|
|
|
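Review bot: The shape of a `nft_define_default` entry is only shown by example, and the dict key ("broadcast and multicast") is not the identifier nft sees — the `name` field is — so nothing in the defaults file tells a reader that the key is merely the override key for group/host merging while `name` must be unique across all three levels. A short comment above `nft_define_default` would make the contract explicit, e.g. `# key: free-form id used to override the entry from nft_define_group/_host; name: the nft symbol (must be unique); value: verbatim nft expression; desc: optional comment`. As the example shows, `value` is emitted into the ruleset unchanged, so the braces and quoting of the nft set syntax are the author's responsibility, which is worth saying in that comment as well.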
@ -39,4 +39,14 @@
|
|||
mode: 0755
|
||||
backup: yes
|
||||
notify: restart nftables service
|
||||
|
||||
- name: generate vars definition file
|
||||
template:
|
||||
src: "{{ nft_define_conf_content }}"
|
||||
dest: "{{ nft_define_conf_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
backup: yes
|
||||
notify: restart nftables service
|
||||
# }}}
|
||||
|
|
|
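Review bot: The new "generate vars definition file" task writes the defines file with `mode: 0755`, but that file has no shebang (the new template starts with the `ansible_managed` comment) and is only read by `include` from the main conf, so the execute bit serves no purpose and world-readability exposes the address sets the firewall is built from. Since nft loads the ruleset as root, `mode: 0640` with the existing `owner: root` / `group: root` is the least-privilege choice; the preceding task at the top of the hunk uses the same 0755, but that is pre-existing. Note also that `backup: yes` will leave prior copies next to the file, so the tighter mode matters for those as well.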
@ -1,6 +1,5 @@
|
|||
#!/usr/sbin/nft -f
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% set globalmerged = nft_global_default_rules.copy() %}
|
||||
{% set _ = globalmerged.update(nft_global_group_rules) %}
|
||||
{% set _ = globalmerged.update(nft_global_host_rules) %}
|
||||
|
@ -8,6 +7,8 @@
|
|||
# clean
|
||||
flush ruleset
|
||||
|
||||
include "/etc/nftables.d/defines.nft"
|
||||
|
||||
table inet firewall {
|
||||
chain global {
|
||||
{% for group, rules in globalmerged|dictsort %}
|
||||
|
|
|
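Review bot: The added `include "/etc/nftables.d/defines.nft"` hard-codes the path, while the defaults introduced in this commit make it configurable through `nft_define_conf_path` and the task writes the file to that variable; any host that overrides the variable will get a main conf that includes a file that no longer exists, and nft will fail to load the ruleset. Use the variable in the template, `include "{{ nft_define_conf_path }}"`, so the two cannot drift apart. The surrounding template continues outside both hunks of this section.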
@ -0,0 +1,15 @@
|
|||
# {{ ansible_managed }}
|
||||
{% set definemerged = nft_define_default.copy() %}
|
||||
{% set _ = definemerged.update(nft_define_group) %}
|
||||
{% set _ = definemerged.update(nft_define_host) %}
|
||||
|
||||
|
||||
{% for definition in definemerged.values() %}
|
||||
{% if definition.desc is defined %}
|
||||
# {{ definition.desc }}
|
||||
{% else %}
|
||||
# {{ definition.name }}
|
||||
{% endif %}
|
||||
define {{ definition.name }} = {{ definition.value }}
|
||||
|
||||
{% endfor %}
|
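Review bot: The loop iterates `definemerged.values()` in plain dict order, whereas the main conf template sorts its merged rules with `|dictsort`; unsorted output can differ between runs or Python versions, which shows up as a spurious change on the templated file and an unnecessary `restart nftables service` from the notify. Iterate in sorted key order instead, `{% for _, definition in definemerged|dictsort %}`, to make the rendered file deterministic. The merge is keyed on the dict key, not on `definition.name`, so a group or host entry under a new key that reuses an existing `name` produces two `define` lines for the same symbol; I believe nft rejects such a redefinition when loading, so it is worth either documenting that `name` must be unique or keying the entries by name.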