From 97044bc28f6950e408f1c60d1a5efccff40a0925 Mon Sep 17 00:00:00 2001
From: Vladimir Timofeenko
Date: Fri, 6 Aug 2021 16:20:49 -0700
Subject: [PATCH 1/2] Added default variables for Gentoo
Gentoo package name for nftables is 'net-firewall/nftables'
---
 vars/gentoo.yml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 vars/gentoo.yml
diff --git a/vars/gentoo.yml b/vars/gentoo.yml
new file mode 100644
index 0000000..61eec16
--- /dev/null
+++ b/vars/gentoo.yml
@@ -0,0 +1,4 @@
+---
+# vars file for Gentoo
+nft_pkg_list:
+ - net-firewall/nftables
From a442b8f63757e21078dd50abfd790334e53fdd0c Mon Sep 17 00:00:00 2001
From: Vladimir Timofeenko
Date: Fri, 6 Aug 2021 16:23:36 -0700
Subject: [PATCH 2/2] Added ability to specify nft bin location
Gentoo installs nft binary into /sbin/nft in accordance with the filesystem spec: https://devmanual.gentoo.org/general-concepts/filesystem/ This commit adds the ability to specify the location of nft binary through variable nft__bin_location. By default it is set to "/usr/sbin/nft".
---
 CHANGELOG.md | 2 ++
 README.md | 1 +
 defaults/main.yml | 10 ++++++++++
 templates/etc/nftables.conf.j2 | 2 +-
 templates/lib/systemd/system/nftables.service.j2 | 12 ++++++------
 vars/gentoo.yml | 1 +
 6 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 396d28d..81e0003 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,8 @@
 * New rules (disable by default) can be define in *forward* chain (thanks to @p-rintz − PR #14).
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
+* Gentoo-specific variables
+* Ability to specify nft binary path through **nft__bin_location**
 ### Removed
 * Remove everything related to **in_udp_accept** (see conversation in PR #13).
diff --git a/README.md b/README.md
index 5d01124..677987c 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 Please see default value by Operating System file in [vars][vars directory] directory.
 * **nft_pkg_list** : The list of package(s) to provide `nftables`.
+* **nft__bin_location** : Path to `nftables` executable. [default : `/usr/sbin/nft`]
 ### Rules Dictionaries
diff --git a/defaults/main.yml b/defaults/main.yml
index 02f7512..75904ee 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -599,3 +599,13 @@ nft_backup_conf: True
 # ]]]
 # ]]]
 # ]]]
+# OS specific variables defaults [[[
+# ----------------------------------
+
+# .. envvar:: nft__bin_location [[[
+#
+# Specify Nftables executable location.
+#
+nft__bin_location: '/usr/sbin/nft'
+ # ]]]
+ # ]]]
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index c68075d..c385709 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: "True", trim_blocks: "True"
-#!/usr/sbin/nft -f
+#!{{ nft__bin_location }} -f
 # {{ ansible_managed }}
 {% set globalmerged = nft_global_default_rules.copy() %}
 {% set _ = globalmerged.update(nft_global_rules) %}
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 3bc973d..87c51f5 100644
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
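Review bot: The new `nft__bin_location` default in defaults/main.yml is documented only as "Specify Nftables executable location.", yet both consumers introduced in this series — the shebang in templates/etc/nftables.conf.j2 and the ExecStart=/ExecReload=/ExecStop= lines in templates/lib/systemd/system/nftables.service.j2 — substitute it unquoted where an absolute path is expected: a shebang interpreter is never PATH-searched, and systemd either rejects a non-absolute executable in ExecStart= (older releases) or resolves it only against a fixed built-in search path (recent releases, as far as I recall). I would say so in the variable's comment, e.g. `# Absolute path to the nft executable. It is substituted unquoted into the nftables.conf shebang and into the systemd ExecStart=/ExecReload=/ExecStop= lines, so a relative path or a path containing whitespace will break the unit.` If the role has a pre-flight task list (not visible in this diff), an `ansible.builtin.assert` that the value starts with `/` would make a bad override fail at deploy time rather than at the next service restart. The README entry could carry the same "absolute path" wording.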
@@ -13,13 +13,13 @@ ProtectSystem=full
 ProtectHome=true
 {% endif %}
 {% if nft__fail2ban_service %}
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
-ExecStop=/bin/systemctl stop fail2ban.service ; /usr/sbin/nft flush ruleset
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
+ExecStop=/bin/systemctl stop fail2ban.service ; {{ nft__bin_location }} flush ruleset
 {% else %}
-ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }}
-ExecStop=/usr/sbin/nft flush ruleset
+ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
+ExecStop={{ nft__bin_location }} flush ruleset
 {% endif %}
 [Install]
diff --git a/vars/gentoo.yml b/vars/gentoo.yml
index 61eec16..72f42e3 100644
--- a/vars/gentoo.yml
+++ b/vars/gentoo.yml
@@ -2,3 +2,4 @@
 # vars file for Gentoo
 nft_pkg_list:
 - net-firewall/nftables
+nft__bin_location: "/sbin/nft"
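Review bot: The rewritten ExecStart=/ExecReload=/ExecStop= lines in the `nft__fail2ban_service` branch still hard-code `/bin/systemctl` right beside the newly parameterized nft path, so the fail2ban branch keeps exactly the kind of distribution-specific path assumption this commit removes for nft. I cannot confirm from the diff where Gentoo (or any other target) installs systemctl, but if it is not `/bin/systemctl` the unit would fail on those lines in the same way the old `/usr/sbin/nft` did. A second role variable defaulting to the current value (something like `nft__systemctl_bin: '/bin/systemctl'`, name constructed here) used as `{{ nft__systemctl_bin }} restart fail2ban.service` would close that gap with no behaviour change for existing users. The `[Service]` section this hunk belongs to starts outside the hunk.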
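Review bot: Setting `nft__bin_location: "/sbin/nft"` in vars/gentoo.yml makes the variable effectively non-overridable on Gentoo hosts, because role vars (and anything loaded via include_vars, which is presumably how this per-distribution file is picked up — not visible here) take precedence over inventory, group_vars and host_vars; a Gentoo user whose nft lives elsewhere can only win with extra vars or set_fact, which contradicts the README's presentation of the variable as a user-tunable default. Keeping the path in defaults/main.yml with a distribution-conditional default, e.g. `nft__bin_location: "{{ '/sbin/nft' if ansible_distribution == 'Gentoo' else '/usr/sbin/nft' }}"`, preserves the Gentoo behaviour while leaving the variable overridable at the usual precedence levels (`nft_pkg_list` has the same property today, but that is pre-existing). Minor style point on the same line: the value is double-quoted while the default in defaults/main.yml uses single quotes; matching them keeps the two definitions grep-consistent.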