---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
#
# ipr-cnrs.nftables default variables [[[
# =======================================

# Packages and installation [[[
# -----------------------------

# .. envvar:: nft_enabled [[[
#
# Enable or disable support for Nftables on a given host. Disabling this
# option does not remove existing installation and configuration.
#
nft_enabled: true

                                                                   # ]]]

# packages
nft_pkg_state: 'present'
nft_old_pkg_list: 'iptables'
nft_old_pkg_state: 'absent'
nft_old_pkg_manage: true

# files
nft_conf_dir_path: '/etc/nftables.d'
nft_main_conf_path: '/etc/nftables.conf'
nft_main_conf_content: 'etc/nftables.conf.j2'
nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
nft_output_conf_path: '{{ nft_conf_dir_path }}/filter-output.nft'
nft_output_conf_content: 'etc/nftables.d/filter-output.nft.j2'
nft_define_conf_path: '{{ nft_conf_dir_path }}/defines.nft'
nft_define_conf_content: 'etc/nftables.d/defines.nft.j2'
nft_set_conf_path: '{{ nft_conf_dir_path }}/sets.nft'
nft_set_conf_content: 'etc/nftables.d/sets.nft.j2'

                                                                   # ]]]
# rules
nft_global_default_rules:
  005 state management:
    - ct state established,related accept
    - ct state invalid drop
nft_global_rules: {}
nft_global_group_rules: {}
nft_global_host_rules: {}

nft_input_default_rules:
  000 policy:
    - type filter hook input priority 0; policy drop;
  005 global:
    - jump global
  010 drop unwanted:
    - ip daddr @blackhole counter drop
  015 localhost:
    - iif lo accept
  200 input udp accepted:
    - udp dport @in_udp_accept ct state new accept
  210 input tcp accepted:
    - tcp dport @in_tcp_accept ct state new accept
nft_input_rules: {}
nft_input_group_rules: {}
nft_input_host_rules: {}

nft_output_default_rules:
  000 policy:
    - type filter hook output priority 0; policy drop;
  005 global:
    - jump global
  015 localhost:
    - oif lo accept
  050 icmp:
    - ip protocol icmp accept
    - ip6 nexthdr icmpv6 counter accept
  200 output udp accepted:
    - udp dport @out_udp_accept ct state new accept
  210 output tcp accepted:
    - tcp dport @out_tcp_accept ct state new accept
nft_output_rules: {}
nft_output_group_rules: {}
nft_output_host_rules: {}

# define nft vars
nft_define_default:
  broadcast and multicast:
    desc: 'broadcast and multicast'
    name: badcast_addr
    value: '{ 255.255.255.255, 224.0.0.1, 224.0.0.251 }'
  input tcp accepted:
    name: in_tcp_accept
    value: '{ ssh }'
  input udp accepted:
    name: in_udp_accept
    value: 'none'
  output tcp accepted:
    name: out_tcp_accept
    value: '{ http, https, hkp }'
  output udp accepted:
    name: out_udp_accept
    value: '{ bootps, domain, ntp }'
nft_define: {}
nft_define_group: {}
nft_define_host: {}

# sets and maps
nft_set_default:
  blackhole:
    - type ipv4_addr;
    - elements = $badcast_addr
  in_tcp_accept:
    - type inet_service; flags interval;
    - elements = $in_tcp_accept
  in_udp_accept:
    - type inet_service; flags interval;
  out_tcp_accept:
    - type inet_service; flags interval;
    - elements = $out_tcp_accept
  out_udp_accept:
    - type inet_service; flags interval;
    - elements = $out_udp_accept
nft_set: {}
nft_set_group: {}
nft_set_host: {}

# service
nft_service_manage: true
nft_service_name: 'nftables'
nft_service_enabled: true
nft_service_unit_path: '/lib/systemd/system/nftables.service'
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'