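---
# Tasks for an nftables-only host firewall.  Order matters: the package is
# installed first, conntrack is bootstrapped before any ruleset that relies
# on `ct state` can lock out the control connection, and the rendered
# ruleset is validated before it is written to disk.

- name: Install nftables
  become: true
  apt:
    name: nftables
    state: present

# Keep the legacy iptables kernel module from being auto-loaded so that only
# nftables manages the packet filter.  The file content is written verbatim
# to modprobe.d, so its comments end up on the target host.
# NOTE(review): modprobe `blacklist` only suppresses alias-driven autoloading;
# an explicit `modprobe ip_tables` still succeeds.  If a hard block is wanted,
# an `install ip_tables /bin/false` line would be needed as well.
- name: Blacklist ip_tables
  become: true
  copy:
    content: |
      # Emphasize that we use nftables exclusively.  No networkd or nspawn.
      # (https://bugs.freedesktop.org/show_bug.cgi?id=89269)
      # https://cgit.freedesktop.org/systemd/systemd/tree/src/core/kmod-setup.c be damned.
      blacklist ip_tables
    dest: /etc/modprobe.d/no-iptables.conf
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the leading-zero octal literal.
    mode: "0644"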

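# Probe whether connection tracking is already active.  When the module is
# not loaded, /proc/net/nf_conntrack does not exist and `head` exits
# non-zero; that case and an empty table both leave stdout empty, which is
# exactly the condition the next task keys on.
- name: Check for connection tracking entries
  become: true
  command:
    cmd: head -c1 /proc/net/nf_conntrack
  # A non-zero exit is an expected outcome of the probe, not a failure, so
  # do not report it as one (ignore_errors would still flag the task red).
  failed_when: false
  # Must run in check mode too, otherwise nf_conntrack_head is undefined.
  check_mode: false
  changed_when: false
  register: nf_conntrack_head

# Loading a rule that references `ct state` pulls in conntrack and makes the
# kernel start tracking flows, so the session running this play is already
# known as established when the real ruleset takes over.  The temporary
# table has `policy accept` and only logs, so it restricts nothing.
# NOTE(review): this table persists until the handler reloads the ruleset;
# confirm that the reload flushes it (e.g. via `flush ruleset`), otherwise
# every new inbound connection keeps being logged — handler is outside this file.
- name: Start up connection tracking to avoid locking ourselves out
  become: true
  command:
    cmd: nft -f -
    stdin: |
      table inet ansible_temporary {
        chain ansible_temporary {
          type filter hook input priority 0; policy accept;
          ct state new log prefix "New connection: " level info
        }
      }
  when: nf_conntrack_head.stdout == ''
  notify: Reload nftables ruleset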

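# Dry-run the rendered firewall.nft in a throwaway network namespace: a
# syntax or semantic error fails the play here, before anything touches the
# live ruleset.  The stateless, fully numeric dump is a canonical form of the
# ruleset; it is registered but not referenced by the tasks in this file
# (presumably consumed by the nftables.conf template — verify).
- name: Load candidate ruleset into a temporary network namespace, then dump it
  become: true
  command:
    cmd: unshare --net sh -c 'nft --file - && nft --stateless -nnn list ruleset'
    stdin: "{{ lookup('template', 'firewall.nft') }}"
  register: nftables_ruleset_candidate
  # Validation must also happen in check mode so later tasks can use the result.
  check_mode: false
  changed_when: false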

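# Write the ruleset as the boot-time configuration and let the handler apply
# it to the running kernel.
- name: Install new nftables ruleset
  become: true
  template:
    src: nftables.conf
    dest: /etc/nftables.conf
    owner: root
    group: root
    # Quoted so YAML does not reinterpret the leading-zero octal literal.
    mode: "0644"
    # Fail closed: parse-check the file that will actually be installed
    # before it replaces the current one (the earlier task validated
    # firewall.nft, not this rendered file).
    validate: 'nft -c -f %s'
  notify: Reload nftables ruleset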

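# Make the ruleset come back at boot.  The handler notified above applies it
# to the running system; this task only enables the unit.
- name: Enable nftables service
  become: true
  systemd:
    name: nftables
    enabled: true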