Commit 3575ca66 authored by Wágner Ferenc

Activate nftables in two stages to avoid self lockout

parent f4cb71c4
......@@ -17,6 +17,29 @@
group: root
mode: 0644
- name: Check for connection tracking entries
become: yes
cmd: head -c1 /proc/net/nf_conntrack
ignore_errors: yes
check_mode: no
changed_when: False
register: nf_conntrack_head
- name: Start up connection tracking to avoid locking ourselves out
become: yes
cmd: nft -f -
stdin: |
table inet ansible_temporary {
chain ansible_temporary {
type filter hook input priority 0; policy accept;
ct state new log prefix "New connection: " level info
when: nf_conntrack_head.stdout == ''
notify: Reload nftables ruleset
- name: Load candidate ruleset into a temporary network namespace, then dump it
become: yes
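Review bot: nothing in the visible tasks removes the `ansible_temporary` table loaded by "Start up connection tracking to avoid locking ourselves out", so cleanup depends on the notified "Reload nftables ruleset" handler running and on the final rule set flushing it. Until then, the `ct state new log prefix "New connection: " level info` rule writes a log line for every new connection, and it stays in place if the play stops before the handler runs. Consider deleting the table explicitly once the final rule set is loaded, or dropping the `log` statement if matching on `ct state` alone serves the purpose. Separately, `ignore_errors: yes` on the `head -c1 /proc/net/nf_conntrack` check treats every failure as "no entries"; a comment stating that a missing or empty file is the expected case would make the intent of the `when: nf_conntrack_head.stdout == ''` condition clear.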
#!/usr/sbin/nft -f
# Optionally blacklist ip_tables in modprobe.d (
# On pristine setup through SSH bring up connection tracking: $ sudo ./ct.nft
# Install the final rule set: $ sudo ./firewall.nft
# Save the resolved rule set: $ sudo nft --stateless -nnn list ruleset | sudo tee /etc/nftables.conf; sudo chmod -x /etc/nftables.conf
# Load it on boot: $ sudo systemctl enable nftables.service
# Ansible idea: create the resolved rule set by templating and load it under
# unshare with a local-only nsswitch.conf to exclude network-reliance (DNS,
# LDAP, etc.) Even better: patch nft to provide this function. Or resolution
# instead of loading.
flush ruleset
table inet filter {
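Review bot: the usage comments at the top of this script give the two-stage order (`sudo ./ct.nft`, then `sudo ./firewall.nft`) but not the reason for it, and `flush ruleset` follows directly, so someone who skips the first step on a pristine setup over SSH gets no hint of the lockout risk the commit message refers to. A one-line comment saying why connection tracking has to be up before the final rule set is installed would help. The "Ansible idea" paragraph reads as a design note rather than usage documentation and may fit better in the role's documentation or an issue than in the deployed file.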