Jeremy Gardais
98d2bf82db
|
||
|---|---|---|
| defaults | ||
| handlers | ||
| meta | ||
| tasks | ||
| templates/etc | ||
| tests | ||
| vars | ||
| .travis.yml | ||
| README.md | ||
README.md
Nftables
Overview
A role to manage Nftables rules and packages.
Role Variables
- nft_pkg_manage : If
nftablespackage(s) should be managed with this role [default :true]. - nft_pkg_state : State of new
nftablespackage(s) [default :installed]. - nft_main_conf_path : Main configuration file loaded by systemd unit [default :
/etc/nftables.conf]. - nft_main_conf_content : Template used to generate the previous main configuration file [default :
etc/nftables.conf.j2]. - nft_global_default_rules : Set default rules for
globalchain. Other chains will jump toglobalbefore apply their specific rules. - nft_global_group_rules : You can add
globalrules or override those defined by nft_global_default_rules for a group. - nft_global_host_rules: : Hosts can also add or override
globalrules. - nft_service_manage : If
nftablesservice should be managed with this role [default :true]. - nft_service_name :
nftablesservice name [default :nftables].
OS Specific Variables
Please see default value by Operating System file in [vars][vars directory] directory.
- nft_pkg_list : The list of package(s) to provide
nftables.
Rules Dictionaries
Each type of rules dictionaries will be merged and rules will be applied in the alphabetical order of the keys (the reason to use 000 to 999 as prefix). So :
- nft_*_default_rules : Define default rules for all nodes. You can define it in
group_vars/all. - nft_*_group_rules : Can add rules and override those defined by nft_*_default_rules. You can define it in
group_vars/webservers. - nft_*_host_rules : Can add rules and override those define by nft_*_default_rules and nft_*_group_rules. You can define it in
host_vars/www.local.domain.
defaults/main.yml:
# rules
nft_global_default_rules:
000 state management:
- ct state established,related accept
- ct state invalid drop
nft_global_group_rules: {}
nft_global_host_rules: {}
Those default will generate the following configuration :
#!/usr/sbin/nft -f
# Ansible managed
# clean
flush ruleset
table inet firewall {
chain global {
# 000 state management
ct state established,related accept
ct state invalid drop
}
chain input {
type filter hook input priority 0;
jump global
}
chain output {
type filter hook output priority 0;
jump global
}
}
And you get the same result by displaying the ruleset on the host : $ nft list ruleset :
table inet firewall {
chain global {
ct state established,related accept
ct state invalid drop
}
chain input {
type filter hook input priority 0; policy accept;
jump global
}
chain output {
type filter hook output priority 0; policy accept;
jump global
}
}
Example Playbook
- Manage Nftables with defaults vars :
- hosts: serverXYZ
roles:
- role: ipr-cnrs.nftables
Configuration
This role will :
- Install
nftableson the system. - Generate a default configuration file loaded by systemd unit.
- Restart
nftablesservice.
Development
This source code comes from our Gogs instance and the Github repo exist just to be able to send the role to Ansible Galaxy…
But feel free to send issue/PR here :)
Thanks to this hook, Github automatically got updates from our Gogs instance :)
License
Author Information
Jérémy Gardais
- Source : on IPR's Gogs
- IPR (Institut de Physique de Rennes)