ansible/roles/nftables/templates/nftables.conf.j2


#!/usr/sbin/nft -f
# Replace the whole ruleset: 'flush ruleset' removes every table on the host,
# including any created by other tooling, before the tables below are defined.
flush ruleset
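table ip filter {
	# IPv4 host firewall. INPUT is default-deny: only the accept rules below
	# admit traffic; everything else is answered with an ICMP reject.
	chain INPUT {
		# 'policy drop' is a backstop only: the explicit reject at the end of
		# the chain is what normally answers unmatched packets, so this changes
		# nothing unless that rule is ever removed.
		type filter hook input priority 0; policy drop
		# Conntrack shortcuts. 'invalid' is dropped here so packets conntrack
		# cannot classify never fall through to the per-port accept rules.
		ct state vmap { established : accept, related : accept, invalid : drop }
		ip protocol icmp accept
		iifname lo accept
{% if firewall_raw is defined %}
		# Operator-supplied nft rules (firewall_raw), inserted verbatim and
		# evaluated before the generated per-port rules.
{% for rule in firewall_raw %}
		{{ rule }}
{% endfor %}
{% endif %}
{# firewall_in: list of {proto, port, from?}. Each 'from' entry may be an IPv4
   literal, an IPv6 literal (skipped here, handled by the ip6 table) or a
   hostname. Hostnames are resolved to their A records on the controller at
   render time: the allow-list trusts whatever the resolver answered then and
   is not re-evaluated on the host. A name that yields no IPv4 address no
   longer vanishes silently; a WARNING comment is written into the config. #}
{% for rule in firewall_in | default([]) %}
{% if rule.from is defined %}
{% for from in rule.from %}
{% if from | ansible.utils.ipv4 %}
		ip saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
{% elif not from | ansible.utils.ipv6 %}
{% set addrs = query('dig', from, qtype='A') | ansible.utils.ipv4 %}
{% for addr in addrs %}
		ip saddr {{ addr }} {{ rule.proto }} dport {{ rule.port }} accept
{% else %}
		# WARNING: {{ from }} resolved to no IPv4 address; rule {{ rule.proto }} dport {{ rule.port }} from {{ from }} was omitted
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
		{{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
		reject with icmp type host-prohibited
	}
	chain FORWARD {
		# This host does not route: refuse all forwarded traffic.
		type filter hook forward priority 0; policy drop
		reject with icmp type host-prohibited
	}
}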
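table ip6 filter {
	# IPv6 host firewall, mirroring the ip table above.
	chain INPUT {
		# 'policy drop' is a backstop only; the trailing reject rule is what
		# normally answers unmatched packets.
		type filter hook input priority 0; policy drop
		# Conntrack shortcuts; 'invalid' is dropped so such packets never reach
		# the per-port accept rules.
		ct state vmap { established : accept, related : accept, invalid : drop }
		# 'meta l4proto' rather than 'ip6 nexthdr': nexthdr only names the
		# first header, so ICMPv6 behind an extension header (fragment,
		# hop-by-hop, ...) would miss the rule and be rejected below. ICMPv6
		# carries neighbour discovery, so that would break IPv6 connectivity.
		meta l4proto icmpv6 accept
		# Loopback, as in the ip table; without it ::1 traffic to local
		# services not listed in firewall_in is rejected.
		iifname lo accept
{% if firewall_raw6 is defined %}
		# Operator-supplied nft rules (firewall_raw6), inserted verbatim and
		# evaluated before the generated per-port rules.
{% for rule in firewall_raw6 %}
		{{ rule }}
{% endfor %}
{% endif %}
{# firewall_in: list of {proto, port, from?}. IPv4 literals are skipped here
   (handled by the ip table); hostnames are resolved to their AAAA records on
   the controller at render time, so the allow-list trusts the resolver's
   answer at that moment and is not re-evaluated on the host. A name with no
   IPv6 address produces a WARNING comment instead of disappearing silently. #}
{% for rule in firewall_in | default([]) %}
{% if rule.from is defined %}
{% for from in rule.from %}
{% if from | ansible.utils.ipv6 %}
		ip6 saddr {{ from }} {{ rule.proto }} dport {{ rule.port }} accept
{% elif not from | ansible.utils.ipv4 %}
{% set addrs = query('dig', from, qtype='AAAA') | ansible.utils.ipv6 %}
{% for addr in addrs %}
		ip6 saddr {{ addr }} {{ rule.proto }} dport {{ rule.port }} accept
{% else %}
		# WARNING: {{ from }} resolved to no IPv6 address; rule {{ rule.proto }} dport {{ rule.port }} from {{ from }} was omitted
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
		{{ rule.proto }} dport {{ rule.port }} accept
{% endif %}
{% endfor %}
		reject with icmpv6 type admin-prohibited
	}
	chain FORWARD {
		# This host does not route: refuse all forwarded traffic.
		type filter hook forward priority 0; policy drop
		reject with icmpv6 type admin-prohibited
	}
}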