feat: Merge rules and tables in one file #2
@ -33,10 +33,8 @@
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
src: "{{ role_path }}/templates/rules.conf.j2"
|
||||
dest: "/srv/nftables/rules_{{ item.filename }}.conf"
|
||||
loop: "{{ nftables_rules }}"
|
||||
loop_control:
|
||||
label: "{{ item.filename }}"
|
||||
dest: "/srv/nftables/rules.conf"
|
||||
when: nftables_rules | length > 0
|
||||
become: true
|
||||
notify: Redémarrer nftables.service
|
||||
|
||||
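Review bot: The retained `when: nftables_rules | length > 0` guard on this template task no longer fits the new single-file layout: when the list is empty the task is skipped and `/srv/nftables/rules.conf` is never rendered, while the main nftables config (the hunk headed `table inet filter`) now does a plain `include "/srv/nftables/rules.conf"` instead of the old `rules_*.conf` glob. As far as I recall nft silently accepts a wildcard include that matches nothing but errors on a missing non-wildcard path, so an empty rules list would make the whole ruleset fail to load — worth verifying against the nft version in use. The tables task in the next hunk has the same guard. Either drop the `when` and let the template render a header-only file, or keep it and make the main config tolerant of the missing file. The task's name and module line are above the hunk.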
@ -45,10 +43,8 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
src: "{{ role_path }}/templates/tables.conf.j2"
|
||||
dest: "/srv/nftables/tables_{{ item.filename }}.conf"
|
||||
loop: "{{ nftables_tables }}"
|
||||
loop_control:
|
||||
label: "{{ item.filename }}"
|
||||
src: tables.conf.j2
|
||||
dest: /srv/nftables/tables.conf
|
||||
when: nftables_tables | length > 0
|
||||
become: true
|
||||
notify: Redémarrer nftables.service
|
||||
|
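Review bot: The new `src: tables.conf.j2` and `dest: /srv/nftables/tables.conf` lines use a relative, unquoted form, whereas the sibling rules task in the previous hunk keeps `src: "{{ role_path }}/templates/rules.conf.j2"` and a quoted dest; the two tasks should be written the same way. A bare `src: rules.conf.j2` in the rules task would align them, since the template module already resolves relative paths against the role's templates directory. The task's name and module line are above the hunk.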
@ -12,6 +12,9 @@
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rwx,g=rx,o=rx
|
||||
state: directory
|
||||
state: "{{ item }}"
|
||||
path: /srv/nftables
|
||||
become: true
|
||||
loop:
|
||||
- absent
|
||||
- directory
|
||||
|
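Review bot: Looping this (presumably `file`) task over `absent` then `directory` recreates `/srv/nftables` from scratch on every run, so it is never idempotent and always reports changed, and between the `absent` iteration and the template tasks the directory the main config includes from is empty — a restart of nftables.service in that window would fail to load or load without the site rules. With the single-file layout the two template tasks overwrite `rules.conf` and `tables.conf` in place, so the wipe is not needed to clear stale per-item files; keep only `state: directory` and handle removal of the old `rules_*.conf`/`tables_*.conf` files in a separate, targeted cleanup task. The task's name and module line are above the hunk.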
@ -16,8 +16,8 @@ table inet filter {
|
||||
# accept neighbour discovery otherwise IPv6 connectivity breaks.
|
||||
ip6 nexthdr icmpv6 icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept
|
||||
|
||||
# include specifics rules
|
||||
include "/srv/nftables/rules_*.conf"
|
||||
# include specific rules
|
||||
include "/srv/nftables/rules.conf"
|
||||
|
||||
# count and drop any other traffic
|
||||
counter drop
|
||||
|
@ -1,5 +1,6 @@
|
||||
# {{ ansible_managed }}
|
||||
{% for item in nftables_rules %}
|
||||
|
||||
{% for rule in item.rules %}
|
||||
{{ rule }}
|
||||
# {{ item.comment }}
|
||||
{{ item.rules | join('\n') }}
|
||||
{% endfor %}
|
||||
|
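Review bot: The template now reads `item.comment` unconditionally, so every `nftables_rules` entry must carry a `comment` key or templating fails with an undefined variable — a change to the variable contract that nothing in this commit documents (defaults and README are not in the diff). Either make it optional, `# {{ item.comment | default('') }}`, or document the new key where the role's variables are described. Since an nft `#` comment ends at the newline, the documented contract should also say the value is a single line, otherwise a multi-line comment would be parsed as rule text.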
55
templates/table.conf.j2
Normal file
55
templates/table.conf.j2
Normal file
@ -0,0 +1,55 @@
|
||||
{% if
|
||||
item.ipv4_rules.prerouting | length > 0
|
||||
or
|
||||
item.ipv4_rules.postrouting | length > 0
|
||||
%}
|
||||
table ip {{ item.name }} {
|
||||
{% if item.ipv4_rules.prerouting | length > 0 %}
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority 0;
|
||||
|
||||
{% for rule in item.ipv4_rules.prerouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if item.ipv4_rules.postrouting | length > 0 %}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
|
||||
{% for rule in item.ipv4_rules.postrouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if
|
||||
item.ipv6_rules.prerouting | length > 0
|
||||
or
|
||||
item.ipv6_rules.postrouting | length > 0
|
||||
%}
|
||||
table ip6 {{ item.name }} {
|
||||
{% if item.ipv6_rules.prerouting | length > 0 %}
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority 0;
|
||||
|
||||
{% for rule in item.ipv6_rules.prerouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if item.ipv6_rules.postrouting | length > 0 %}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
|
||||
{% for rule in item.ipv6_rules.postrouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
{% endif %}
|
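Review bot: `table ip {{ item.name }}` and `table ip6 {{ item.name }}` switch the key from `item.filename` (which the removed body of tables.conf.j2 used) to `item.name`, so existing `nftables_tables` entries will fail with an undefined variable; document the rename alongside the merge, or fall back with `{{ item.name | default(item.filename) }}` for a transition period. Separately, both prerouting chains declare `type nat hook prerouting priority 0;` with no policy while the postrouting chains spell out `policy accept;`; adding `policy accept;` to the prerouting chains makes the intended default explicit and keeps the four chain headers consistent.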
@ -1,57 +1,5 @@
|
||||
# {{ ansible_managed }}
|
||||
{% for item in nftables_tables %}
|
||||
|
||||
{% if
|
||||
item.ipv4_rules.prerouting | length > 0
|
||||
or
|
||||
item.ipv4_rules.postrouting | length > 0
|
||||
%}
|
||||
table ip {{ item.filename }} {
|
||||
{% if item.ipv4_rules.prerouting | length > 0 %}
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority 0;
|
||||
|
||||
{% for rule in item.ipv4_rules.prerouting %}
|
||||
{{ rule }}
|
||||
{% include "table.conf.j2" %}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if item.ipv4_rules.postrouting | length > 0 %}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
|
||||
{% for rule in item.ipv4_rules.postrouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if
|
||||
item.ipv6_rules.prerouting | length > 0
|
||||
or
|
||||
item.ipv6_rules.postrouting | length > 0
|
||||
%}
|
||||
table ip6 {{ item.filename }} {
|
||||
{% if item.ipv6_rules.prerouting | length > 0 %}
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority 0;
|
||||
|
||||
{% for rule in item.ipv6_rules.prerouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
{% if item.ipv6_rules.postrouting | length > 0 %}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
|
||||
{% for rule in item.ipv6_rules.postrouting %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
}
|
||||
{% endif %}
|
||||
}
|
||||
{% endif %}
|
||||
|