Compare commits


No commits in common. "3eaceb4b6df062b37107126f5b11d3f35797036c" and "35d31eb752691b776218ec562e1a4201bb909fa4" have entirely different histories.

6 changed files with 68 additions and 71 deletions


@ -33,8 +33,10 @@
group: root group: root
mode: u=rw,g=,o= mode: u=rw,g=,o=
src: "{{ role_path }}/templates/rules.conf.j2" src: "{{ role_path }}/templates/rules.conf.j2"
dest: "/srv/nftables/rules.conf" dest: "/srv/nftables/rules_{{ item.filename }}.conf"
when: nftables_rules | length > 0 loop: "{{ nftables_rules }}"
loop_control:
label: "{{ item.filename }}"
become: true become: true
notify: Redémarrer nftables.service notify: Redémarrer nftables.service
@ -43,8 +45,10 @@
owner: root owner: root
group: root group: root
mode: u=rw,g=,o= mode: u=rw,g=,o=
src: tables.conf.j2 src: "{{ role_path }}/templates/tables.conf.j2"
dest: /srv/nftables/tables.conf dest: "/srv/nftables/tables_{{ item.filename }}.conf"
when: nftables_tables | length > 0 loop: "{{ nftables_tables }}"
loop_control:
label: "{{ item.filename }}"
become: true become: true
notify: Redémarrer nftables.service notify: Redémarrer nftables.service
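Review bot: `item.filename` is interpolated unvalidated into `dest` on the new side of both hunks (`rules_{{ item.filename }}.conf`, `tables_{{ item.filename }}.conf`), and the same value becomes the nft table name in tables.conf.j2, so a value containing `/`, `..` or whitespace either writes outside `/srv/nftables` or yields an unparsable ruleset. Guard it before the template tasks, e.g. `- ansible.builtin.assert: { that: "nftables_rules | map(attribute='filename') | reject('match', '^[A-Za-z0-9_-]+$') | list | length == 0" }`, and the same assertion for `nftables_tables`. Since each `tables_*.conf` is a self-contained table definition, `validate: nft -c -f %s` on that template task would reject a bad render before the handler restarts nftables.service; on distributions whose unit flushes the ruleset in ExecStop (Debian's does, if I recall correctly) a failed restart otherwise leaves the host with no firewall. The same check is not possible for `rules_*.conf`, which are chain fragments that only parse inside the including chain. Both task headers (`- name:` / `ansible.builtin.template:`) are above the hunks.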


@ -12,9 +12,6 @@
owner: root owner: root
group: root group: root
mode: u=rwx,g=rx,o=rx mode: u=rwx,g=rx,o=rx
state: "{{ item }}" state: directory
path: /srv/nftables path: /srv/nftables
become: true become: true
loop:
- absent
- directory
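Review bot: Dropping the `absent`/`directory` loop removes the only cleanup this role had: the old side recreated `/srv/nftables` on every run, whereas the new side keeps whatever is already there, and nftables.conf now includes `rules_*.conf` by glob. An entry removed from `nftables_rules` therefore leaves its `rules_<name>.conf` behind and its rules stay active on the next restart, which for an allow rule is a silent policy regression. Recreating the directory each run was the wrong tool (never idempotent, a window with no directory), so replace it with a targeted prune: list the rendered fragments and delete those whose basename is not derived from a current `nftables_rules` / `nftables_tables` entry, notifying the same handler. The task's `- name:` line is above the hunk.
```yaml
# … unchanged: /srv/nftables directory task above …

- name: Find rendered nftables fragments
  ansible.builtin.find:
    paths: /srv/nftables
    patterns: "rules_*.conf,tables_*.conf"
  register: nftables_fragments
  become: true

- name: Remove fragments no longer declared in the inventory
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ nftables_fragments.files }}"
  loop_control:
    label: "{{ item.path }}"
  when: >-
    item.path | basename not in
    (nftables_rules | map(attribute='filename') | map('regex_replace', '^(.+)$', 'rules_\\1.conf') | list)
    + (nftables_tables | map(attribute='filename') | map('regex_replace', '^(.+)$', 'tables_\\1.conf') | list)
  become: true
  notify: Redémarrer nftables.service
```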


@ -16,8 +16,8 @@ table inet filter {
# accept neighbour discovery otherwise IPv6 connectivity breaks. # accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
# include specific rules # include specifics rules
include "/srv/nftables/rules.conf" include "/srv/nftables/rules_*.conf"
# count and drop any other traffic # count and drop any other traffic
counter drop counter drop
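Review bot: The new comment `# include specifics rules` has a typo (`specific`) and, more importantly, no longer says what the include does now that it is a glob: every `rules_*.conf` present in `/srv/nftables` is spliced into this chain ahead of `counter drop`, in glob (alphabetical) order, whether or not the current inventory still declares it. Suggest `# splice in the Ansible-rendered fragments rules_*.conf (alphabetical order); any matching file left in /srv/nftables is loaded, so a stale fragment stays in effect until removed`. If I read nft(8) correctly a wildcard include that matches nothing is not an error, so an empty `nftables_rules` list is fine here where the old fixed `rules.conf` path would have failed to load; that is worth a word in the comment as well. The enclosing chain starts above the hunk.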


@ -1,6 +1,5 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% for item in nftables_rules %}
# {{ item.comment }} {% for rule in item.rules %}
{{ item.rules | join('\n') }} {{ rule }}
{% endfor %} {% endfor %}
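Review bot: The rendered fragment loses its only description: the old side wrote `# {{ item.comment }}` above the rules, while the new side emits bare `{{ rule }}` lines under the ansible_managed header, so an operator reading `/srv/nftables/rules_<name>.conf` sees raw nft statements with no indication of what they are for or who asked for them. Keep a header per file, `# {{ item.comment | default(item.filename) }}` as the second line, so a missing `comment` key does not abort the render under strict undefined handling. It is also worth stating in that header that the file is a chain fragment, not a standalone ruleset: it only parses spliced into the chain that includes `rules_*.conf` and cannot be checked with `nft -c -f` on its own.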


@ -1,55 +0,0 @@
{% if
item.ipv4_rules.prerouting | length > 0
or
item.ipv4_rules.postrouting | length > 0
%}
table ip {{ item.name }} {
{% if item.ipv4_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv4_rules.prerouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
{% if item.ipv4_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv4_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}
{% if
item.ipv6_rules.prerouting | length > 0
or
item.ipv6_rules.postrouting | length > 0
%}
table ip6 {{ item.name }} {
{% if item.ipv6_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv6_rules.prerouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
{% if item.ipv6_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv6_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}


@ -1,5 +1,57 @@
# {{ ansible_managed }} # {{ ansible_managed }}
{% for item in nftables_tables %}
{% include "table.conf.j2" %} {% if
item.ipv4_rules.prerouting | length > 0
or
item.ipv4_rules.postrouting | length > 0
%}
table ip {{ item.filename }} {
{% if item.ipv4_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv4_rules.prerouting %}
{{ rule }}
{% endfor %} {% endfor %}
}
{% endif %}
{% if item.ipv4_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv4_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}
{% if
item.ipv6_rules.prerouting | length > 0
or
item.ipv6_rules.postrouting | length > 0
%}
table ip6 {{ item.filename }} {
{% if item.ipv6_rules.prerouting | length > 0 %}
chain prerouting {
type nat hook prerouting priority 0;
{% for rule in item.ipv6_rules.prerouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
{% if item.ipv6_rules.postrouting | length > 0 %}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
{% for rule in item.ipv6_rules.postrouting %}
{{ rule }}
{% endfor %}
}
{% endif %}
}
{% endif %}
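Review bot: `table ip {{ item.filename }} {` and the matching `ip6` line interpolate the value unquoted, and per nft(8)'s lexical conventions a bare identifier may only contain letters, digits, `_`, `/`, `\` and `.`, so a perfectly valid filename such as `guest-nat` renders an unparsable ruleset; quote it, `table ip "{{ item.filename }}" {` and `table ip6 "{{ item.filename }}" {`, which nft accepts for any name. The deleted table.conf.j2 named the table from `item.name`, so inventory entries that still carry `name` now get a table named after `filename` instead — confirm that is intended. The nftables.conf hunk only switched the rules include to a glob; I do not see a `tables_*.conf` include anywhere in this compare, and if the main file still includes a fixed `tables.conf` the per-item files rendered here are never loaded (and that include would fail on a missing file). Minor: the prerouting chains omit the `policy accept;` their postrouting siblings carry; accept is the default, but stating it in both keeps the rendered tables self-explanatory.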