From 1aacbc2688fd77a2100971eadd5d0004c681175d Mon Sep 17 00:00:00 2001
From: "pulsar89.5" <pulsar@ykn.fr>
Date: Mon, 3 Oct 2022 18:15:12 +0200
Subject: [PATCH 1/2] =?UTF-8?q?[INFO]=20Cr=C3=A9ation=20du=20r=C3=B4le?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                  | 48 ++++++++++++++++++++++++++++++--
 defaults/main.yml          |  5 ++++
 handlers/main.yml          | 10 +++++++
 meta/main.yml              |  2 +-
 tasks/configuration.yml    | 52 ++++++++++++++++++++++++++++++++++
 tasks/installation.yml     | 17 ++++++++++++
 tasks/main.yml             |  8 ++++++
 templates/nftables.conf.j2 | 28 +++++++++++++++++++
 templates/rules.conf.j2    |  5 ++++
 templates/tables.conf.j2   | 57 ++++++++++++++++++++++++++++++++++++++
 10 files changed, 229 insertions(+), 3 deletions(-)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/configuration.yml
 create mode 100644 tasks/installation.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/nftables.conf.j2
 create mode 100644 templates/rules.conf.j2
 create mode 100644 templates/tables.conf.j2

diff --git a/README.md b/README.md
index 3edfbf7..e66723f 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,47 @@
-# role_modele
+# role_nftables
 
-Modèle
\ No newline at end of file
+Ce rôle permet d'installer et configurer nftables.
+
+## Variables
+
+### nftables_rules
+
+Liste contenant un nom de fichier et une liste de règles. Les règles doivent être au format nftables.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+### nftables_tables
+
+Liste contenant un nom de fichier et la configuration de la table. La table doit être au format nftables.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+## Exemple d'utilisation
+
+### inventory.yml
+
+```yaml
+---
+
+all:
+  hosts:
+   host1.ykn.local:
+	 host2.ykn.local:
+  children:
+    dnsservers:
+      hosts:
+        dnsmasq1.ykn.local:
+        dnsmasq2.ykn.local:
+```
+
+### host_vars/host1.ykn.local.yml
+
+```yaml
+---
+
+nftables_rules:
+  - filename: ansible
+    rules:
+      - ip saddr 192.168.50.12 tcp dport 22 accept
+      - ip6 saddr fd00:ff50::d012 tcp dport 22 accept
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..bedd20a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# defaults file for nftables
+
+nftables_rules: []
+nftables_tables: []
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b4120a6
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for nftables
+
+- name: Redémarrer nftables.service
+  ansible.builtin.systemd:
+    state: restarted
+    enabled: true
+    masked: false
+    name: nftables.service
+  become: true
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..23a4d0c 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle modèle
+  description: Rôle de déploiement de nftables (pare-feu)
 
   license: GPL-3.0-or-later
 
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..cb49f72
--- /dev/null
+++ b/tasks/configuration.yml
@@ -0,0 +1,52 @@
+---
+# tasks file for nftables
+
+- name: Déployer la configuration générale
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+  become: true
+  notify: Redémarrer nftables.service
+
+#- name: Construire la liste des règles
+#  ansible.builtin.set_fact:
+#    nftables_rules: "{{ nftables_rules + rule }}"
+#  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules.+', wantlist=True) }}"
+#  vars:
+#    rule: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+#
+#- name: Construire la liste des tables
+#  ansible.builtin.set_fact:
+#    nftables_tables: "{{ nftables_tables + table }}"
+#  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_tables.+', wantlist=True) }}"
+#  vars:
+#    table: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Déployer les règles
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: "{{ role_path }}/templates/rules.conf.j2"
+    dest: "/srv/nftables/rules_{{ item.filename }}.conf"
+  loop: "{{ nftables_rules }}"
+  loop_control:
+    label: "{{ item.filename }}"
+  become: true
+  notify: Redémarrer nftables.service
+
+- name: Déployer les tables
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: "{{ role_path }}/templates/tables.conf.j2"
+    dest: "/srv/nftables/tables_{{ item.filename }}.conf"
+  loop: "{{ nftables_tables }}"
+  loop_control:
+    label: "{{ item.filename }}"
+  become: true
+  notify: Redémarrer nftables.service
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..6c30564
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for nftables
+
+- name: Installer le paquet
+  become: true
+  ansible.builtin.package:
+    state: present
+    name: nftables
+
+- name: Créer le dossier contenant la configuration
+  ansible.builtin.file:
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+    state: directory
+    path: /srv/nftables
+  become: true
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..a157ecc
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+# tasks file for nftables
+
+- name: Importer les tâches d'installation
+  ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+  ansible.builtin.import_tasks: configuration.yml
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
new file mode 100644
index 0000000..8df2dd3
--- /dev/null
+++ b/templates/nftables.conf.j2
@@ -0,0 +1,28 @@
+#!/usr/sbin/nft -f
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    # accept any localhost traffic
+    iif lo accept
+
+    # accept traffic originated from us
+    ct state established,related accept
+
+    # accept neighbour discovery otherwise IPv6 connectivity breaks.
+    ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert} accept
+
+    # include specifics rules
+    include "/srv/nftables/rules_*.conf"
+
+    # count and drop any other traffic
+    counter drop
+  }
+}
+
+# include more tables
+include "/srv/nftables/tables_*.conf"
diff --git a/templates/rules.conf.j2 b/templates/rules.conf.j2
new file mode 100644
index 0000000..81e015c
--- /dev/null
+++ b/templates/rules.conf.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% for rule in item.rules %}
+{{ rule }}
+{% endfor %}
diff --git a/templates/tables.conf.j2 b/templates/tables.conf.j2
new file mode 100644
index 0000000..cf8f928
--- /dev/null
+++ b/templates/tables.conf.j2
@@ -0,0 +1,57 @@
+# {{ ansible_managed }}
+
+{% if 
+    item.ipv4_rules.prerouting | length > 0
+    or
+    item.ipv4_rules.postrouting | length > 0
+%}
+table ip {{ item.filename }} {
+{% if item.ipv4_rules.prerouting | length > 0 %}
+  chain prerouting {
+    type nat hook prerouting priority 0;
+
+{% for rule in item.ipv4_rules.prerouting %}
+    {{ rule }}
+{% endfor %}
+  }
+{% endif %}
+
+{% if item.ipv4_rules.postrouting | length > 0 %}
+  chain postrouting {
+    type nat hook postrouting priority 100; policy accept;
+
+{% for rule in item.ipv4_rules.postrouting %}
+    {{ rule }}
+{% endfor %}
+  }
+{% endif %}
+}
+{% endif %}
+
+{% if 
+    item.ipv6_rules.prerouting | length > 0
+    or
+    item.ipv6_rules.postrouting | length > 0
+%}
+table ip6 {{ item.filename }} {
+{% if item.ipv6_rules.prerouting | length > 0 %}
+  chain prerouting {
+    type nat hook prerouting priority 0;
+
+{% for rule in item.ipv6_rules.prerouting %}
+    {{ rule }}
+{% endfor %}
+  }
+{% endif %}
+
+{% if item.ipv6_rules.postrouting | length > 0 %}
+  chain postrouting {
+    type nat hook postrouting priority 100; policy accept;
+
+{% for rule in item.ipv6_rules.postrouting %}
+    {{ rule }}
+{% endfor %}
+  }
+{% endif %}
+}
+{% endif %}
-- 
2.39.2


From fe59cc48e9d539c67a4bbcdbb99c3bf851b11da3 Mon Sep 17 00:00:00 2001
From: "pulsar89.5" <pulsar@ykn.fr>
Date: Tue, 23 May 2023 12:03:11 +0200
Subject: [PATCH 2/2] =?UTF-8?q?[EVO]=20G=C3=A9n=C3=A9rer=20dynamiquement?=
 =?UTF-8?q?=20la=20liste=20des=20r=C3=A8gles=20et=20tables?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md               |  4 ++--
 tasks/configuration.yml | 28 +++++++++++++++-------------
 2 files changed, 17 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index e66723f..ff2ad45 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,13 @@ Ce rôle permet d'installer et configurer nftables.
 
 ## Variables
 
-### nftables_rules
+### nftables_rules_*
 
 Liste contenant un nom de fichier et une liste de règles. Les règles doivent être au format nftables.
 
 *<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
 
-### nftables_tables
+### nftables_tables_*
 
 Liste contenant un nom de fichier et la configuration de la table. La table doit être au format nftables.
 
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
index cb49f72..026396f 100644
--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -11,19 +11,21 @@
   become: true
   notify: Redémarrer nftables.service
 
-#- name: Construire la liste des règles
-#  ansible.builtin.set_fact:
-#    nftables_rules: "{{ nftables_rules + rule }}"
-#  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules.+', wantlist=True) }}"
-#  vars:
-#    rule: "{{ lookup('ansible.builtin.vars', item, default='') }}"
-#
-#- name: Construire la liste des tables
-#  ansible.builtin.set_fact:
-#    nftables_tables: "{{ nftables_tables + table }}"
-#  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_tables.+', wantlist=True) }}"
-#  vars:
-#    table: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+- name: Construire la liste des règles
+  ansible.builtin.set_fact:
+    nftables_rules: "{{ nftables_rules + specific }}"
+  when: specific | length > 0
+  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_rules_.+', wantlist=True) }}"
+  vars:
+    specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Construire la liste des tables
+  ansible.builtin.set_fact:
+    nftables_tables: "{{ nftables_tables + specific }}"
+  when: specific | length > 0
+  loop: "{{ lookup('ansible.builtin.varnames', '^nftables_tables_.+', wantlist=True) }}"
+  vars:
+    specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
 
 - name: Déployer les règles
   ansible.builtin.template:
-- 
2.39.2