| author | Matthieu Pignolet <m@mpgn.dev> | 2025-03-17 14:18:03 +0400 |
|---|---|---|
| committer | Matthieu Pignolet <m@mpgn.dev> | 2025-03-17 14:18:03 +0400 |
| commit | 5098223d5c81fac49ded8e555ba629281b06d425 (patch) | |
| tree | 451988b8a7287735ac98704c5f2b1783fd837666 /templates/etc/nftables.conf.j2 | |
| parent | 63efaaf0ba315a9af837d9e9016d331a1327e5e5 (diff) | |
initial commit: migrate all `MatthieuCoder/pantheon-ansible` files to the oss repo
Diffstat (limited to 'templates/etc/nftables.conf.j2')
| -rw-r--r-- | templates/etc/nftables.conf.j2 | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..ae5a516
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+#!{{ nft__bin_location }} -f
+{{ ansible_managed | comment }}
+{% set globalmerged = nft_global_default_rules.copy() %}
+{% set _ = globalmerged.update(nft_global_rules) %}
+{% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+  {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
+{% set _ = globalmerged.update(nft_global_host_rules) %}
+
+# clean
+table {{ nft_flush_table_target }}
+flush table {{ nft_flush_table_target }}
+
+include "{{ nft_define_conf_path }}"
+
+table inet filter {
+  chain global {
+{% for group, rules in globalmerged|dictsort %}
+    # {{ group }}
+    {% if not rules %}
+    # (none)
+    {% endif %}
+    {% for rule in rules %}
+    {{ rule }}
+    {% endfor %}
+{% endfor %}
+  }
+  include "{{ nft_conntrack_conf_path }}"
+  include "{{ nft_set_conf_path }}"
+  include "{{ nft_input_conf_path }}"
+  include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+  include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft__mangle_table_manage %}
+  include "{{ nft_mangle_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+  {% if nft_custom_includes is string %}
+  include "{{ nft_custom_includes }}"
+  {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+  {% for include in nft_custom_includes %}
+  include "{{ include }}"
+  {% endfor %}
+  {% endif %}
+{% endif %}
+}
+
+{% if nft__nat_table_manage %}
+# Additionnal table for Network Address Translation (NAT)
+table ip nat {
+  include "{{ nft_conntrack_conf_path }}"
+  include "{{ nft_set_conf_path }}"
+  include "{{ nft__nat_prerouting_conf_path }}"
+  include "{{ nft__nat_postrouting_conf_path }}"
+}
+{% endif %}
+
+{% if nft__custom_content|d() %}
+# Custom content from ipr-cnrs.nftables
+{{ nft__custom_content }}
+{% endif %}
|
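Review bot: A mapping-typed `nft_custom_includes` is dropped without any trace, because the `{% if nft_custom_includes is string %}` / `{% elif ... is iterable and ... is not mapping %}` pair near the end of the `table inet filter` body has no `{% else %}`, so a dict value (easy to end up with when the variable is merged from group vars) renders a ruleset in which those includes are silently missing. Add an `{% else %}` branch before the inner `{% endif %}` that leaves a visible marker in the rendered file, e.g. `  # nft_custom_includes ignored: expected a string or a list of paths`, or better, reject the value with an `ansible.builtin.assert` task before the template is rendered. The same verbatim interpolation applies to `{{ rule }}` and `{{ nft__custom_content }}`, which land in the loaded ruleset unescaped and unvalidated; a header comment stating that these variables are trusted operator input and are inserted as-is would help the next maintainer. Minor: the NAT table comment reads "Additionnal".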
