From 650c72469da3730b3f2446104854d3fb32b8cdf3 Mon Sep 17 00:00:00 2001
From: "pulsar89.5"
Date: Thu, 28 Dec 2023 17:39:20 +0100
Subject: [PATCH] feat: Merge rules and tables in one file
---
 tasks/configuration.yml | 5 +----
 tasks/installation.yml | 5 ++++-
 templates/nftables.conf.j2 | 4 ++--
 templates/rules.conf.j2 | 5 +++--
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
index 026396f..8efbf6c 100644
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -33,10 +33,7 @@
 group: root
 mode: u=rw,g=,o=
 src: "{{ role_path }}/templates/rules.conf.j2"
- dest: "/srv/nftables/rules_{{ item.filename }}.conf"
- loop: "{{ nftables_rules }}"
- loop_control:
- label: "{{ item.filename }}"
+ dest: "/srv/nftables/rules.conf"
 become: true
 notify: Redémarrer nftables.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
index 6c30564..3f2bfa9 100644
--- a/tasks/installation.yml
+++ b/tasks/installation.yml
@@ -12,6 +12,9 @@
 owner: root
 group: root
 mode: u=rwx,g=rx,o=rx
- state: directory
+ state: "{{ item }}"
 path: /srv/nftables
 become: true
+ loop:
+ - absent
+ - directory
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 8df2dd3..4fc00e5 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -16,8 +16,8 @@ table inet filter {
 # accept neighbour discovery otherwise IPv6 connectivity breaks.
 ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
- # include specifics rules
- include "/srv/nftables/rules_*.conf"
+ # include specific rules
+ include "/srv/nftables/rules.conf"
 # count and drop any other traffic
 counter drop
diff --git a/templates/rules.conf.j2 b/templates/rules.conf.j2
index 81e015c..4ccf589 100644
--- a/templates/rules.conf.j2
+++ b/templates/rules.conf.j2
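Review bot: The `loop:` over `absent` and `directory` in the tasks/installation.yml hunk deletes /srv/nftables and recreates it on every run, so the task is never idempotent and, until the rules.conf template task in tasks/configuration.yml runs later in the play, the host has no /srv/nftables/rules.conf at all. Together with the templates/nftables.conf.j2 hunk, which replaces the `rules_*.conf` glob with a plain `include "/srv/nftables/rules.conf"`, a play that fails or is interrupted between those two tasks leaves nftables.conf referencing a file that does not exist; nft refuses to load a ruleset whose include is missing, and because the chain ends in `counter drop` the host would then come up with no ruleset loaded (everything accepted) rather than locked down. Removing only the stale per-item `rules_*.conf` files after the directory task keeps the directory and any current rules.conf in place and is idempotent; the two tasks below do that, with the directory task going back to `state: directory` and no loop. The task's name and module line sit above the hunk, so the module is inferred from the `state`/`path`/`mode` keys.
```yaml
# … the existing /srv/nftables directory task keeps owner/group/mode/path, back to `state: directory`, loop removed …

- name: Find stale per-item rule files
  ansible.builtin.find:
    paths: /srv/nftables
    patterns: "rules_*.conf"
  register: nftables_stale_rules
  become: true

- name: Remove stale per-item rule files
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_stale_rules.files }}"
  loop_control:
    label: "{{ item.path }}"
  become: true
```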
@@ -1,5 +1,6 @@
 # {{ ansible_managed }}
+{% for item in nftables_rules %}
-{% for rule in item.rules %}
-{{ rule }}
+# {{ item.comment }}
+{{ item.rules | join('\n') }}
 {% endfor %}
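Review bot: `# {{ item.comment }}` makes `comment` a required key of every `nftables_rules` entry, whereas the removed template only read `rules`; an inventory item without it now aborts the template task with an undefined-variable error instead of rendering, unless the role's defaults already supply it. If the comment is meant to be optional, `# {{ item.comment | default('') }}` keeps existing inventories rendering. Either way the new item shape (`comment` and `rules` required, `filename` no longer read anywhere in this patch) should be documented in the role's defaults or README, since the loop that consumed `filename` was removed from tasks/configuration.yml in the same commit. The `join('\n')` form is fine: Jinja interprets the `\n` escape in the literal, so each rule still lands on its own line.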