# role_nftables

Installs, enables and manages nftables.

## Variables

### nftables_conf_template

Template deployed as the nftables configuration.

*<span style="text-decoration: underline">Default value:</span> false*

### nftables_conf_path

Full path of the nftables configuration file.

*<span style="text-decoration: underline">Default value:</span> false*

### nftables_rules_*

List of dicts, each holding a `comment` and the associated `rules` to deploy.

*<span style="text-decoration: underline">Default value:</span> none*

## Usages

### inventory.yml

```yaml
---
all:
  hosts:
    host1.ykn.local:
    host2.ykn.local:
  children:
    dnsservers:
      hosts:
        host1.ykn.local:
        host2.ykn.local:
```

### group_vars/dnsservers.yml

```yaml
---
nftables_rules_dnsservers:
  - comment: Allow LAN to dns
    rules:
      - "ip saddr 192.168.93.0/24 meta l4proto {tcp, udp} th dport 53 accept"
      - "ip6 saddr abcd:ef9:8765:895::/64 meta l4proto {tcp, udp} th dport 53 accept"
      - "ip6 saddr fe80::/64 meta l4proto {tcp, udp} th dport 53 accept"
```

### host_vars/host1.ykn.local.yml

```yaml
---
nftables_rules_host:
  - comment: Allow ANY to https
    rules:
      - "tcp dport 443 accept"
```
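The `nftables_rules_*` variables above are lists of `comment`/`rules` dicts whose rule strings end up verbatim in the generated nftables file. The following Python script is an added example, not part of role_nftables: it assumes (hypothetically) that the role's template gathers every variable named `nftables_rules_*`, writes each entry's `comment` as a comment line and each of its `rules` into a single `inet filter` input chain (table and chain names, the drop-by-default policy and the two baseline rules are assumptions, not the role's). The sample `HOSTVARS` dict is constructed to mirror the `group_vars` and `host_vars` shown in the Usages section. Because the rule strings are copied as-is, the script also validates them so that a stray newline, `;` or unbalanced brace cannot append extra statements or close the chain early, and it offers an `nft -c -f` syntax check of the rendered file before anything is loaded.

```python
"""Render a role_nftables-style rules structure into an nftables ruleset.

Added example for this README, not code from role_nftables itself. It
assumes (hypothetically) that the role's template gathers every variable
named nftables_rules_*, writes each entry's `comment` as a comment line and
each of its `rules` verbatim into one chain. Table and chain names are
assumptions too.
"""
import re
import shutil
import subprocess
import tempfile

# Constructed sample mirroring the README's group_vars and host_vars.
HOSTVARS = {
    "nftables_conf_path": "/etc/nftables.conf",
    "nftables_rules_dnsservers": [
        {
            "comment": "Allow LAN to dns",
            "rules": [
                "ip saddr 192.168.93.0/24 meta l4proto {tcp, udp} th dport 53 accept",
                "ip6 saddr abcd:ef9:8765:895::/64 meta l4proto {tcp, udp} th dport 53 accept",
                "ip6 saddr fe80::/64 meta l4proto {tcp, udp} th dport 53 accept",
            ],
        }
    ],
    "nftables_rules_host": [
        {"comment": "Allow ANY to https", "rules": ["tcp dport 443 accept"]},
    ],
}

# Characters a single nft rule line legitimately needs; no newline, ';' or '#'.
RULE_RE = re.compile(r"^[A-Za-z0-9 .:/@{},_\-]+$")


def collect_rule_sets(hostvars):
    """Return (name, entries) for every nftables_rules_* list, in name order."""
    return [
        (name, hostvars[name])
        for name in sorted(hostvars)
        if name.startswith("nftables_rules_") and isinstance(hostvars[name], list)
    ]


def validate_rule(rule):
    """Reject rule strings that could escape their line in the rendered config.

    Rules are copied verbatim, so a newline, ';' or an unbalanced brace
    could append extra statements or close the chain early.
    """
    if not isinstance(rule, str) or not rule.strip():
        raise ValueError("rule must be a non-empty string")
    rule = rule.strip()
    if not RULE_RE.match(rule):
        raise ValueError(f"disallowed characters in rule: {rule!r}")
    if rule.count("{") != rule.count("}"):
        raise ValueError(f"unbalanced braces in rule: {rule!r}")
    return rule


def validate_comment(comment):
    """Comments become '# ...' lines; a newline would break out of the comment."""
    comment = str(comment)
    if "\n" in comment or "\r" in comment:
        raise ValueError("comment must be a single line")
    return comment


def render_ruleset(hostvars, table="filter", chain="input"):
    """Build the nft file text: a drop-by-default input chain plus the vars' rules."""
    lines = [
        "#!/usr/sbin/nft -f",
        "flush ruleset",
        f"table inet {table} {{",
        f"    chain {chain} {{",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
    ]
    for name, entries in collect_rule_sets(hostvars):
        lines.append(f"        # from {name}")
        for entry in entries:
            lines.append(f"        # {validate_comment(entry['comment'])}")
            for rule in entry["rules"]:
                lines.append(f"        {validate_rule(rule)}")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def check_with_nft(text):
    """Syntax-check the rendered file with `nft -c -f` without loading it.

    Returns None when nft is not installed, otherwise True/False.
    """
    if shutil.which("nft") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".nft", delete=False) as fh:
        fh.write(text)
        path = fh.name
    return subprocess.run(["nft", "-c", "-f", path], capture_output=True).returncode == 0


if __name__ == "__main__":
    ruleset = render_ruleset(HOSTVARS)
    print(ruleset)
    print("nft -c result:", check_with_nft(ruleset))
```

Group-level lists sort before the host-level list here only because `nftables_rules_dnsservers` sorts before `nftables_rules_host`; if ordering between groups and hosts matters for your policy, make that explicit rather than relying on names. The allowed-character set in `RULE_RE` is deliberately narrow: widen it only for syntax you actually use, since every character admitted is a character that reaches the config unescaped.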