diff --git a/tasks/configuration.yml b/tasks/configuration.yml
index 026396f..8fee599 100644
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -33,10 +33,8 @@
 group: root
 mode: u=rw,g=,o=
 src: "{{ role_path }}/templates/rules.conf.j2"
- dest: "/srv/nftables/rules_{{ item.filename }}.conf"
- loop: "{{ nftables_rules }}"
- loop_control:
- label: "{{ item.filename }}"
+ dest: "/srv/nftables/rules.conf"
+ when: nftables_rules | length > 0
 become: true
 notify: Redémarrer nftables.service
@@ -45,10 +43,8 @@
 owner: root
 group: root
 mode: u=rw,g=,o=
- src: "{{ role_path }}/templates/tables.conf.j2"
- dest: "/srv/nftables/tables_{{ item.filename }}.conf"
- loop: "{{ nftables_tables }}"
- loop_control:
- label: "{{ item.filename }}"
+ src: tables.conf.j2
+ dest: /srv/nftables/tables.conf
+ when: nftables_tables | length > 0
 become: true
 notify: Redémarrer nftables.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
index 6c30564..3f2bfa9 100644
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -12,6 +12,9 @@
 owner: root
 group: root
 mode: u=rwx,g=rx,o=rx
- state: directory
+ state: "{{ item }}"
 path: /srv/nftables
 become: true
+ loop:
+ - absent
+ - directory
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 8df2dd3..4fc00e5 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -16,8 +16,8 @@ table inet filter {
 # accept neighbour discovery otherwise IPv6 connectivity breaks.
 ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
- # include specifics rules
- include "/srv/nftables/rules_*.conf"
+ # include specific rules
+ include "/srv/nftables/rules.conf"
 # count and drop any other traffic
 counter drop
diff --git a/templates/rules.conf.j2 b/templates/rules.conf.j2
index 81e015c..4ccf589 100644
--- a/templates/rules.conf.j2
+++ b/templates/rules.conf.j2
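Review bot: With `when: nftables_rules | length > 0` the template task is skipped whenever the list is empty, yet the nftables.conf.j2 hunk of this same commit now includes the literal path `"/srv/nftables/rules.conf"` instead of the former `rules_*.conf` glob, so on a host with no rules the included file is never written and the ruleset load fails if nft rejects a missing literal include (a glob matching nothing was accepted). Rendering an empty rules.conf is harmless, so the simplest fix is to drop the `when:` line; the alternative is to keep it and wrap the include in nftables.conf.j2 in `{% if nftables_rules | length > 0 %}` … `{% endif %}`. The task's `name` and module line begin outside the hunk.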
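Review bot: `src: tables.conf.j2` is now a bare template name while the sibling rules task a few lines earlier in the same file keeps `src: "{{ role_path }}/templates/rules.conf.j2"`; both forms resolve to the role's templates directory, so the two tasks should use one form, e.g. `src: rules.conf.j2` in the other task. The new `when: nftables_tables | length > 0` guard has the same missing-include consequence as the rules task if nftables.conf includes `/srv/nftables/tables.conf`, which this diff does not show. The enclosing task starts outside the hunk.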
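Review bot: Looping `state` over `absent` then `directory` deletes and recreates `/srv/nftables` on every run, so this task is never idempotent (two changes per play), the rules.conf and tables.conf templates in tasks/configuration.yml are rewritten from scratch each run and their `notify: Redémarrer nftables.service` fires on every play, and between the `absent` step and those template tasks the file that nftables.conf now includes does not exist on disk. If the intent is to clear the per-item `rules_*.conf` / `tables_*.conf` files left by the previous layout, remove just those files and leave the directory in place, as below. The task's `name` and module line are outside the hunk.
```yaml
    state: directory
    path: /srv/nftables
  become: true

- name: Find per-item rule files from the previous layout
  ansible.builtin.find:
    paths: /srv/nftables
    patterns:
      - "rules_*.conf"
      - "tables_*.conf"
  register: nftables_legacy_files
  become: true

- name: Remove per-item rule files from the previous layout
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_legacy_files.files }}"
  loop_control:
    label: "{{ item.path }}"
  become: true
```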
@@ -1,5 +1,6 @@
 # {{ ansible_managed }}
+{% for item in nftables_rules %}
-{% for rule in item.rules %}
-{{ rule }}
+# {{ item.comment }}
+{{ item.rules | join('\n') }}
 {% endfor %}
diff --git a/templates/table.conf.j2 b/templates/table.conf.j2
new file mode 100644
index 0000000..cf8f928
--- /dev/null
+++ b/templates/table.conf.j2
@@ -0,0 +1,57 @@
+# {{ ansible_managed }}
+
+{% if
+ item.ipv4_rules.prerouting | length > 0
+ or
+ item.ipv4_rules.postrouting | length > 0
+%}
+table ip {{ item.filename }} {
+{% if item.ipv4_rules.prerouting | length > 0 %}
+ chain prerouting {
+ type nat hook prerouting priority 0;
+
+{% for rule in item.ipv4_rules.prerouting %}
+ {{ rule }}
+{% endfor %}
+ }
+{% endif %}
+
+{% if item.ipv4_rules.postrouting | length > 0 %}
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+
+{% for rule in item.ipv4_rules.postrouting %}
+ {{ rule }}
+{% endfor %}
+ }
+{% endif %}
+}
+{% endif %}
+
+{% if
+ item.ipv6_rules.prerouting | length > 0
+ or
+ item.ipv6_rules.postrouting | length > 0
+%}
+table ip6 {{ item.filename }} {
+{% if item.ipv6_rules.prerouting | length > 0 %}
+ chain prerouting {
+ type nat hook prerouting priority 0;
+
+{% for rule in item.ipv6_rules.prerouting %}
+ {{ rule }}
+{% endfor %}
+ }
+{% endif %}
+
+{% if item.ipv6_rules.postrouting | length > 0 %}
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+
+{% for rule in item.ipv6_rules.postrouting %}
+ {{ rule }}
+{% endfor %}
+ }
+{% endif %}
+}
+{% endif %}
diff --git a/templates/tables.conf.j2 b/templates/tables.conf.j2
index cf8f928..b51726f 100644
--- a/templates/tables.conf.j2
+++ b/templates/tables.conf.j2
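Review bot: `# {{ item.comment }}` makes `comment` a mandatory key of every nftables_rules entry — an entry without it fails the render with an undefined-variable error under Ansible's default strictness — and because the value is emitted as an nft comment, a value containing a newline ends the comment and the remainder is parsed as ruleset text. Either default and flatten it, `# {{ item.comment | default('') | replace('\n', ' ') }}`, or document `comment` as a required single-line string next to the `nftables_rules` default. The `{% for %}` opened in this hunk closes on the context `{% endfor %}` line.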
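Review bot: The `table ip` and `table ip6` halves of this new template are a verbatim copy of each other differing only in the family keyword and the `item.ipv4_rules` / `item.ipv6_rules` key, which is exactly where a later fix tends to land on one copy only; one loop over the two families removes the duplication. Two smaller points in the same lines: `item.ipv4_rules.prerouting` and its siblings are dereferenced unconditionally, so every entry must define both families and both chain keys (`| default([])` on each would relax that), and the prerouting chain omits the explicit `policy accept;` that the postrouting chain carries. A loop-based version:
```jinja
# {{ ansible_managed }}

{% for family, rules in [('ip', item.ipv4_rules), ('ip6', item.ipv6_rules)] %}
{% if rules.prerouting | length > 0 or rules.postrouting | length > 0 %}
table {{ family }} {{ item.filename }} {
{% if rules.prerouting | length > 0 %}
  chain prerouting {
    type nat hook prerouting priority 0;

{% for rule in rules.prerouting %}
    {{ rule }}
{% endfor %}
  }
{% endif %}
{# … unchanged: postrouting chain, written the same way against rules.postrouting … #}
}
{% endif %}
{% endfor %}
```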
@@ -1,57 +1,5 @@
 # {{ ansible_managed }}
-
-{% if
- item.ipv4_rules.prerouting | length > 0
- or
- item.ipv4_rules.postrouting | length > 0
-%}
-table ip {{ item.filename }} {
-{% if item.ipv4_rules.prerouting | length > 0 %}
- chain prerouting {
- type nat hook prerouting priority 0;
-
-{% for rule in item.ipv4_rules.prerouting %}
- {{ rule }}
+{% for item in nftables_tables %}
+# {{ item.name }}
+{% include "table.conf.j2" %}
 {% endfor %}
- }
-{% endif %}
-
-{% if item.ipv4_rules.postrouting | length > 0 %}
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
-
-{% for rule in item.ipv4_rules.postrouting %}
- {{ rule }}
-{% endfor %}
- }
-{% endif %}
-}
-{% endif %}
-
-{% if
- item.ipv6_rules.prerouting | length > 0
- or
- item.ipv6_rules.postrouting | length > 0
-%}
-table ip6 {{ item.filename }} {
-{% if item.ipv6_rules.prerouting | length > 0 %}
- chain prerouting {
- type nat hook prerouting priority 0;
-
-{% for rule in item.ipv6_rules.prerouting %}
- {{ rule }}
-{% endfor %}
- }
-{% endif %}
-
-{% if item.ipv6_rules.postrouting | length > 0 %}
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
-
-{% for rule in item.ipv6_rules.postrouting %}
- {{ rule }}
-{% endfor %}
- }
-{% endif %}
-}
-{% endif %}
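Review bot: The comment line reads `item.name` while the included table.conf.j2 names each table with `item.filename`, so every nftables_tables entry must carry both keys, and `filename` no longer names a file now that all tables render into the single tables.conf. Unless entries really define both, settle on one key — `name` fits the new layout — and use it in both templates, i.e. `table ip {{ item.name }} {` and `table ip6 {{ item.name }} {` in table.conf.j2. The `{% include "table.conf.j2" %}` also depends on the included template reading the loop variable `item` from the caller's context, which Jinja does by default but is easy to break when the include is later given an explicit context; a comment such as `{# table.conf.j2 reads the loop variable "item" from this context #}` above the include would record that.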