Ansible Role that installs and manages nftables.
Ruleset is written in single file, directory /etc/nftables is created for manual include-files. On Debian systemd unit-file is patched to allow normal ruleset reload.
Python, Ansible >= 2.9
| Variable | Deafule value | Description |
|---|---|---|
nftables_validate_ruleset |
True |
Wether to run nft -c -f {{ nftables_ruleset_path }} |
nftables_ruleset.include_files |
[] |
List of include files path for generic level include statements |
nftables_ruleset.tables |
[] |
List of tables |
nftables_ruleset.tables[*].name |
- | Table name, mandatory |
nftables_ruleset.tables[*].family |
'ip' |
Table family: ip, arp, ip6, bridge, inet, netdev |
nftables_ruleset.tables[*].include |
[] |
List of inlude file paths |
nftables_ruleset.tables[*].chains |
[] |
List of chains in table |
nftables_ruleset.tables[*].chains[*].name |
- | Chain name, mandatory |
nftables_ruleset.tables[*].chains[*].type |
'filter' |
Chain type: 'filter', 'route', 'nat' |
nftables_ruleset.tables[*].chains[*].hook |
'input' |
Chain hook |
nftables_ruleset.tables[*].chains[*].device |
- | Device associated with chain |
nftables_ruleset.tables[*].chains[*].policy |
'accept' |
Chain policy action |
nftables_ruleset.tables[*].chains[*].priority |
0 |
Chain priority |
nftables_ruleset.tables[*].chains[*].rules |
[] |
List of rule expressions |
None.
- Debian
- Buster (10)
- Bullseye (11)
- RHEL
- 7
- 8
---
- hosts: all
become: yes
vars:
nftables_ruleset:
tables:
- name: filter
family: "ip"
chains:
- name: input
type: "filter"
hook: "input"
policy: "drop"
priority: 0
rules:
- "ct state established,related accept"
- "iifname lo accept"
- "icmp type echo-request accept"
- "tcp dport {ssh} accept"
- name: forward
type: "filter"
hook: "forward"
policy: "drop"
priority: 0
- name: output
type: "filter"
hook: "output"
policy: "accept"
priority: 0
roles:
nftablesThis role uses Molecule for testing. Molecule is run against Vagrant-managed VMs (see default scenario). By default, provider libvirt is used unless overriden by MOLECULE_VAGRANT_PROVIDER env variable.
Use MOLECULE_VAGRANT_VM_CPUS and MOLECULE_VAGRANT_VM_MEM env variables to set VM vCPUs and RAM count.
Additional dependencies for controller host:
- Vagrant preferred provider
- Python:
python-vagrantlibrary - Python:
molecule-vagrantMolecule driver
Preferred way to test role for compatibility with different versions of Ansible is to use Tox. See tox.ini for the full list of supported Ansible versions.
Run tests for all environments:
tox
List available environments:
tox -l
Run tests only for specific environment (e.g. Ansible 2.9):
tox -e py3-ansible29
Run only specific Molecule subcommand (e.g. molecule verify):
# All test environments
tox -- molecule verify
# Specific test environments
tox -e py3-ansible29 -- molecule verify
SPDX:MIT
See full text in LICENSE file.
This role was created in 2021 by Dmitry Danilov.