summaryrefslogtreecommitdiff
path: root/templates/etc/nftables.conf.j2
diff options
context:
space:
mode:
Diffstat (limited to 'templates/etc/nftables.conf.j2')
-rw-r--r--templates/etc/nftables.conf.j264
1 files changed, 64 insertions, 0 deletions
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
new file mode 100644
index 0000000..ae5a516
--- /dev/null
+++ b/templates/etc/nftables.conf.j2
@@ -0,0 +1,64 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+#!{{ nft__bin_location }} -f
+{{ ansible_managed | comment }}
+{% set globalmerged = nft_global_default_rules.copy() %}
+{% set _ = globalmerged.update(nft_global_rules) %}
+{% set _ = globalmerged.update(nft_global_group_rules) %}
+{% if nft_merged_groups and hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules is defined%}
+ {% set _ = globalmerged.update(hostvars[inventory_hostname]['nft_combined_rules'].nft_global_group_rules) %}
+{% endif %}
+{% set _ = globalmerged.update(nft_global_host_rules) %}
+
+# clean
+table {{ nft_flush_table_target }}
+flush table {{ nft_flush_table_target }}
+
+include "{{ nft_define_conf_path }}"
+
+table inet filter {
+ chain global {
+{% for group, rules in globalmerged|dictsort %}
+ # {{ group }}
+ {% if not rules %}
+ # (none)
+ {% endif %}
+ {% for rule in rules %}
+ {{ rule }}
+ {% endfor %}
+{% endfor %}
+ }
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft_input_conf_path }}"
+ include "{{ nft_output_conf_path }}"
+{% if nft__forward_table_manage %}
+ include "{{ nft_forward_conf_path }}"
+{% endif %}
+{% if nft__mangle_table_manage %}
+ include "{{ nft_mangle_conf_path }}"
+{% endif %}
+{% if nft_custom_includes | default() %}
+ {% if nft_custom_includes is string %}
+ include "{{ nft_custom_includes }}"
+ {% elif nft_custom_includes is iterable and (nft_custom_includes is not string and nft_custom_includes is not mapping) %}
+ {% for include in nft_custom_includes %}
+ include "{{ include }}"
+ {% endfor %}
+ {% endif %}
+{% endif %}
+}
+
+{% if nft__nat_table_manage %}
+# Additionnal table for Network Address Translation (NAT)
+table ip nat {
+ include "{{ nft_conntrack_conf_path }}"
+ include "{{ nft_set_conf_path }}"
+ include "{{ nft__nat_prerouting_conf_path }}"
+ include "{{ nft__nat_postrouting_conf_path }}"
+}
+{% endif %}
+
+{% if nft__custom_content|d() %}
+# Custom content from ipr-cnrs.nftables
+{{ nft__custom_content }}
+{% endif %}