frzk / ansible-role-nftables


Ansible role to manage nftables.

License: Apache License 2.0

Jinja 100.00%
ansible ansible-role nftables security networking

ansible-role-nftables's Introduction

Ansible Role: nftables

This Ansible role allows you to install nftables and manage its configuration.

For more information about nftables, please check the official project page.

Role variables

Variables and properties in bold are mandatory. Others are optional.

Variable name          | Description                                           | Default value
nftables_flush_ruleset | Whether the current ruleset should be flushed or not. | yes
nftables_config_file   | Path to the configuration file.                       | /etc/nftables.conf
nftables_tables        | A list of table.                                      | []

table properties

Property name | Description                                                                                     | Default value
name          | Name of the table.                                                                              |
family        | Address family of the table. If specified, must be either ip, ip6, inet, arp, bridge or netdev. | ip
sets          | A list of set.                                                                                  |
maps          | A list of map.                                                                                  |
verdict_maps  | A list of verdict_map.                                                                          |
chains        | A list of chain.                                                                                |

Documentation

set properties

Property name | Description
name          | Name of the set.
type          | Type of the elements contained in the set. Must be either ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
size          | Number of elements the set can contain.
policy        | The set selection policy. If specified, must be either performance or memory.
timeout       | How long the elements stay in the set.
flags         | A list of flags. If specified, must contain at least one of the following: constant, interval, timeout.
gc_interval   | Garbage collection interval.
elements      | A list of elements contained in the set. Elements must conform to the set type.

Documentation

map properties

Property name | Description
name          | Name of the map.
keys_type     | Type of the keys. Must be either ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
values_type   | Type of the values. Must be either ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, mark, counter or quota.
elements      | A list of elements contained in the map. Elements must conform to the map keys_type and values_type.

Documentation

map element properties

Property name | Description
key           | Key value.
value         | Value associated with the key.

verdict_map properties

A verdict_map is just a special case of map where the values_type is always verdict. As such, there is no values_type property. Also, elements contained in a verdict_map have a verdict property instead of the value property.

Property name | Description
name          | Name of the map.
keys_type     | Type of the keys. Must be either ipv4_addr, ipv6_addr, ether_addr, inet_service, inet_proto, icmp_type, icmpv6_type or mark.
elements      | A list of elements contained in the verdict map.

verdict_map element properties

Property name | Description
key           | Key value.
verdict       | Verdict associated with the key.

chain properties

Property name | Description
name          | Name of the chain.
base          | Base rule for the chain.
rules         | List of rules contained in the chain.

Documentation

base properties

Property name | Description
type          | The type of the chain. Must be either filter, nat or route.
hook          | Hook where the chain is attached. Available values depend on type.
priority      | Integer determining the order of the chains attached to the same hook.
policy        | Default policy for the chain. If specified, must be either accept or drop.

Documentation

rule properties

Documentation

Property name | Description
position      | Integer determining the order of the rules in the chain.
statement     | Rule statement.
comment       | A comment describing the rule.

Example

Here is a small example of what your variables file should look like.

IMPORTANT: DO NOT use this as your firewall!

---
nftables_flush_ruleset: yes
# The role variable is nftables_config_file (see "Role variables" above).
nftables_config_file: /etc/nftables.rules
nftables_tables:
  - name: firewall
    family: inet

    sets:
      - name: "set1"
        # Elements must conform to the set type; these are IPv4 addresses.
        type: "ipv4_addr"
        size: 10
        policy: "performance"
        timeout: "1d"
        flags:
          - "timeout"
          - "interval"
        gc_interval: "12h"
        elements:
          - 192.0.2.1
          - 192.0.2.2

    maps:
      - name: "map1"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ssh
            value: "192.0.2.10"
      - name: "map2"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ftp
            value: "192.0.2.25"

    verdict_maps:
      - name: "vmap1"
        # Keys must conform to keys_type, and verdict_map elements carry a
        # verdict property instead of value.
        keys_type: "ipv4_addr"
        elements:
          - key: "192.0.2.10"
            verdict: "accept"

    chains:
      - name: "My input filter"
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"
        rules:
          # Rules are ordered by position, not by the order they are listed in.
          - position: 2
            statement: "ct state invalid log prefix 'Invalid_IN: ' drop"
            comment: "Log and drop invalid packets."
          - position: 1
            statement: "iif lo accept"
          - position: 3
            statement: "ct state {established,related} accept"

      - name: "My output filter"
        base:
          type: "filter"
          hook: "output"
          priority: -10
          policy: "accept"
        rules:
          - position: 1
            statement: "ip daddr 192.0.2.100 counter"
...
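As an added example (not part of the role itself), a small Python pre-flight linter that checks a nftables_tables structure against the constraints documented in the property tables above, so a typo is caught before the role applies it to a live firewall. The sample input is constructed and reproduces three mistakes a hand-written vars file can contain: a set without a type, a verdict_map element using value instead of verdict, and two rules at the same position; lint_tables, element_ok and SAMPLE are names chosen here.

```python
import ipaddress

# Element types the set/map property tables above allow for keys and set members.
KEY_TYPES = {"ipv4_addr", "ipv6_addr", "ether_addr", "inet_service",
             "inet_proto", "icmp_type", "icmpv6_type", "mark"}

def element_ok(value, elem_type):
    """Plausibility check that one element conforms to its declared type."""
    value = str(value)
    if elem_type in ("ipv4_addr", "ipv6_addr"):
        try:  # single addresses and CIDR prefixes (the latter for 'interval' sets)
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
        return net.version == (4 if elem_type == "ipv4_addr" else 6)
    if elem_type == "inet_service":  # a port number or a service name such as ssh
        return (value.isdigit() and int(value) <= 65535) or value.isalpha()
    return bool(value)  # remaining types: only require a non-empty value

def lint_tables(tables):
    """Return human-readable problems found in nftables_tables; [] means clean."""
    errors = []
    for t in tables:
        tn = t.get("name", "<unnamed>")
        for s in t.get("sets", []):
            if s.get("type") not in KEY_TYPES:
                errors.append(f"{tn}/set {s.get('name')}: missing or unknown type")
            elif not all(element_ok(e, s["type"]) for e in s.get("elements", [])):
                errors.append(f"{tn}/set {s.get('name')}: element does not match {s['type']}")
        for v in t.get("verdict_maps", []):
            for e in v.get("elements", []):
                if "verdict" not in e:  # verdict_map elements carry 'verdict', not 'value'
                    errors.append(f"{tn}/verdict_map {v.get('name')}: element lacks 'verdict'")
                elif not element_ok(e.get("key"), v.get("keys_type")):
                    errors.append(f"{tn}/verdict_map {v.get('name')}: key {e['key']!r} is not a {v['keys_type']}")
        for c in t.get("chains", []):  # rules are ordered by position, so positions must be unique
            positions = [r.get("position") for r in c.get("rules", [])]
            if len(set(positions)) != len(positions):
                errors.append(f"{tn}/chain {c.get('name')}: duplicate rule positions")
    return errors

# Constructed sample carrying three mistakes a hand-written vars file can contain.
SAMPLE = [{"name": "firewall", "family": "inet",
           "sets": [{"name": "set1", "type": None, "elements": ["192.0.2.1"]}],
           "verdict_maps": [{"name": "vmap1", "keys_type": "inet_service",
                             "elements": [{"key": "192.0.2.10", "value": "accept"}]}],
           "chains": [{"name": "input", "rules": [{"position": 1, "statement": "iif lo accept"},
                                                   {"position": 1, "statement": "ct state invalid drop"}]}]}]
print(*lint_tables(SAMPLE), sep="\n")
```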

Testing

Testing involves the following steps:

  1. Check the role syntax
  2. Do a first run
  3. Do a second run and check for idempotence.

The tests run on the following operating systems:

  • Debian 9
  • CentOS 7
  • Ubuntu 18.04

Contributing

Code reviews, patches, comments, bug reports and feature requests are welcome. Please read the Contributing Guide for further details.

ansible-role-nftables's People

Contributors

blead, frzk, trygvis, wornet-mwo

ansible-role-nftables's Issues

Flush ruleset

I am using Debian GNU/Linux 9 (stretch) image on GCP and restarting the service does not automatically flush the ruleset.

Would it be possible to revert f2047a3?
