From 3d6d1693e3d7863857dc4c964d5e5a0805da1b5b Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Thu, 28 Dec 2023 17:39:20 +0100
Subject: [PATCH] feat: Merge rules and tables in one file
---
 tasks/configuration.yml | 14 +++++---------
 tasks/installation.yml | 5 ++++-
 templates/nftables.conf.j2 | 4 ++--
 templates/rules.conf.j2 | 5 +++--
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
index 026396f..8fee599 100644
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -33,10 +33,8 @@
 group: root
 mode: u=rw,g=,o=
 src: "{{ role_path }}/templates/rules.conf.j2"
- dest: "/srv/nftables/rules_{{ item.filename }}.conf"
- loop: "{{ nftables_rules }}"
- loop_control:
- label: "{{ item.filename }}"
+ dest: "/srv/nftables/rules.conf"
+ when: nftables_rules | length > 0
 become: true
 notify: Redémarrer nftables.service
@@ -45,10 +43,8 @@
 owner: root
 group: root
 mode: u=rw,g=,o=
- src: "{{ role_path }}/templates/tables.conf.j2"
- dest: "/srv/nftables/tables_{{ item.filename }}.conf"
- loop: "{{ nftables_tables }}"
- loop_control:
- label: "{{ item.filename }}"
+ src: tables.conf.j2
+ dest: /srv/nftables/tables.conf
+ when: nftables_tables | length > 0
 become: true
 notify: Redémarrer nftables.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
index 6c30564..3f2bfa9 100644
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -12,6 +12,9 @@
 owner: root
 group: root
 mode: u=rwx,g=rx,o=rx
- state: directory
+ state: "{{ item }}"
 path: /srv/nftables
 become: true
+ loop:
+ - absent
+ - directory
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 8df2dd3..4fc00e5 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
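Review bot: The new `when: nftables_rules | length > 0` guard on the `dest: "/srv/nftables/rules.conf"` task means the include target is never written when no rules are defined, yet the templates/nftables.conf.j2 hunk of this same commit now includes that exact path in place of the old `rules_*.conf` glob; a glob with no matches was harmless, but a non-glob `include` of an absent file is, as far as I know, a hard error for `nft -f`, so an empty rule list would most likely leave the ruleset unloaded after the next restart or reboot. Rendering the template unconditionally is the safer behaviour: the `{% for %}` loop emits nothing for an empty list and the file still exists, so drop the `when:` line here and the matching one on the tables.conf task in the second hunk (or guard the `include` in nftables.conf.j2 with the same condition instead). The two hunks also spell `src:` differently — `"{{ role_path }}/templates/rules.conf.j2"` versus a bare `tables.conf.j2` — and should settle on one form. Both task definitions start outside the hunks, and nothing in this diff shows `/srv/nftables/tables.conf` being included anywhere, so that wiring is worth confirming.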
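Review bot: Looping the directory task over `absent` then `directory` wipes `/srv/nftables` on every play run, not once as a migration: the task can never be idempotent, the rules.conf/tables.conf template tasks will report changed and notify `Redémarrer nftables.service` each time, and between the `absent` step and the re-rendering of the include files there is a window in which a reload or reboot would find no includes at all, which for a firewall ruleset is the wrong failure direction. Since the commit's aim is only to retire the old per-item `rules_*.conf`/`tables_*.conf` files, a targeted removal of those files is the fix; keep `state: directory` as it was and add the two tasks below (the task's name and module line sit outside the hunk).
```yaml
    state: directory
# … unchanged: path, become …

- name: Find legacy per-item nftables include files
  ansible.builtin.find:
    paths: /srv/nftables
    patterns: "rules_*.conf,tables_*.conf"
  register: nftables_legacy_includes
  become: true

- name: Remove legacy per-item nftables include files
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_legacy_includes.files }}"
  loop_control:
    label: "{{ item.path }}"
  become: true
  notify: Redémarrer nftables.service
```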
@@ -16,8 +16,8 @@ table inet filter {
 # accept neighbour discovery otherwise IPv6 connectivity breaks.
 ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
- # include specifics rules
- include "/srv/nftables/rules_*.conf"
+ # include specific rules
+ include "/srv/nftables/rules.conf"
 # count and drop any other traffic
 counter drop
diff --git a/templates/rules.conf.j2 b/templates/rules.conf.j2
index 81e015c..4ccf589 100644
--- a/templates/rules.conf.j2
+++ b/templates/rules.conf.j2
@@ -1,5 +1,6 @@
 # {{ ansible_managed }}
+{% for item in nftables_rules %}
-{% for rule in item.rules %}
-{{ rule }}
+# {{ item.comment }}
+{{ item.rules | join('\n') }}
 {% endfor %}
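Review bot: The added `# {{ item.comment }}` line in templates/rules.conf.j2 makes `comment` a mandatory key of every `nftables_rules` entry, which the removed per-item loop never required (it only read `item.rules`); with Ansible's default strict undefined handling an entry without it aborts the whole template. Use `# {{ item.comment | default('') }}`, and because the value lands on a `#` line of the generated ruleset, a comment containing a newline would continue past the comment into the rules — `| replace('\n', ' ')` keeps it on one line. `{{ item.rules | join('\n') }}` also assumes `rules` is a list; a plain string would be joined character by character, so the role's variable documentation (outside this diff) should state the expected shape. The new `{% for %}` is closed by the `{% endfor %}` context line, so the loop itself is balanced.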