nftables: Initial version of role

roles/nftables/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+firewall_in:
+  - {proto: tcp, port: 22}

roles/nftables/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: reload nftables
+  ansible.builtin.service:
+    name: nftables
+    state: restarted

roles/nftables/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+- name: remove firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: removed
+
+- name: install packages
+  ansible.builtin.package:
+    name: nftables
+    state: installed
+
+- name: create config
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/sysconfig/nftables.conf
+    mode: 0600
+    owner: root
+    group: "{{ ansible_wheel }}"
+  notify: reload nftables
+
+- name: enable service
+  ansible.builtin.service:
+    name: nftables
+    state: started
+    enabled: true

roles/nftables/templates/nftables.conf.j2

@@ -0,0 +1,58 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip filter {
+    chain INPUT {
+        type filter hook input priority 0; policy accept
+        ct state vmap { established : accept, related : accept }
+        ip protocol icmp accept
+        iifname lo accept
+{% for rule in firewall_in %}
+{%   if rule.from is defined %}
+{%     for from in rule.from %}
+{%       if not from | ipv4 and not from | ipv6 %}
+{%         set from = lookup('dig', from) %}
+{%       endif %}
+{%       if from | ipv4 %}
+        ip saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
+{%       endif %}
+{%     endfor %}
+{%   else %}
+        ip {{ rule.proto }} dport {{ rule.port }} accept
+{%   endif %}
+{% endfor %}
+        reject with icmp type host-prohibited
+    }
+    chain FORWARD {
+        type filter hook forward priority 0; policy drop
+        reject with icmp type host-prohibited
+    }
+}
+
+table ip6 filter {
+    chain INPUT {
+        type filter hook input priority 0; policy accept
+        ct state vmap { established : accept, related : accept }
+        ip6 nexthdr icmpv6 accept
+{% for rule in firewall_in %}
+{%   if rule.from is defined %}
+{%     for from in rule.from %}
+{%       if not from | ipv4 and not from | ipv6 %}
+{%         set from = lookup('dig', from) %}
+{%       endif %}
+{%       if from | ipv6 %}
+        ip saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
+{%       endif %}
+{%     endfor %}
+{%   else %}
+        ip {{ rule.proto }} dport {{ rule.port }} accept
+{%   endif %}
+{% endfor %}
+        reject with icmpv6 type admin-prohibited
+    }
+    chain FORWARD {
+        type filter hook forward priority 0; policy drop
+        reject with icmpv6 type admin-prohibited
+    }
+}