This Ansible role allows you to install nftables and manage its configuration. For more information about nftables, please check the official project page.
Variables and properties in bold are mandatory. Others are optional.
Variable name | Description | Default value |
---|---|---|
`nftables_flush_ruleset` | Whether the current ruleset should be flushed before the new configuration is loaded. | `yes` |
`nftables_config_file` | Path to the configuration file. | `/etc/nftables.conf` |
`nftables_tables` | A list of tables (see the table properties below). | `[]` |
Properties of a table:

Property name | Description | Default value |
---|---|---|
`name` | Name of the table. | |
`family` | Address family of the table. If specified, must be either `ip`, `ip6`, `inet`, `arp`, `bridge` or `netdev`. | `ip` |
`sets` | A list of sets (see the set properties below). | |
`maps` | A list of maps (see the map properties below). | |
`verdict_maps` | A list of verdict maps (see the verdict map properties below). | |
`chains` | A list of chains (see the chain properties below). | |
Properties of a set:

Property name | Description |
---|---|
`name` | Name of the set. |
`type` | Type of the elements contained in the set. Must be either `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
`size` | Number of elements the set can contain. |
`policy` | The set selection policy. If specified, must be either `performance` or `memory`. |
`timeout` | How long the elements stay in the set. |
`flags` | A list of flags. If specified, must contain at least one of the following: `constant`, `interval`, `timeout`. |
`gc_interval` | Garbage collection interval. |
`elements` | A list of elements contained in the set. Elements must conform to the set `type`. |
Properties of a map:

Property name | Description |
---|---|
`name` | Name of the map. |
`keys_type` | Type of the keys. Must be either `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
`values_type` | Type of the values. Must be either `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `mark`, `counter` or `quota`. |
`elements` | A list of elements contained in the map. Elements must conform to the map `keys_type` and `values_type`. |
Properties of a map element:

Property name | Description |
---|---|
`key` | Key value. |
`value` | Value associated with the key. |
A `verdict_map` is just a special case of `map` where the `values_type` is always `verdict`. As such, there is no `values_type` property. Also, elements contained in a `verdict_map` have a `verdict` property instead of the `value` property.
Properties of a verdict map:

Property name | Description |
---|---|
`name` | Name of the verdict map. |
`keys_type` | Type of the keys. Must be either `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
`elements` | A list of elements contained in the verdict map. |
Properties of a verdict map element:

Property name | Description |
---|---|
`key` | Key value. |
`verdict` | Verdict associated with the key. |
Properties of a chain:

Property name | Description |
---|---|
`name` | Name of the chain. |
`base` | Base definition of the chain (see the base properties below). A chain without a `base` is a regular chain, not attached to any hook. |
`rules` | List of rules contained in the chain. |
Properties of a chain base:

Property name | Description |
---|---|
`type` | The type of the chain. Must be either `filter`, `nat` or `route`. |
`hook` | Hook where the chain is attached. Available values depend on `type`. |
`priority` | Integer determining the order of the chains attached to the same `hook`. |
`policy` | Default policy for the chain. If specified, must be either `accept` or `drop`. |
Properties of a rule:

Property name | Description |
---|---|
`position` | Integer determining the order of the rules in the chain. |
`statement` | Rule statement. |
`comment` | A comment describing the rule. |
Here is a small example of what your file should look like.

IMPORTANT: DO NOT use this as your firewall!

```yaml
---
nftables_flush_ruleset: yes
nftables_config_file: /etc/nftables.rules
nftables_tables:
  - name: firewall
    family: inet
    sets:
      - name: "set1"
        type: "ipv4_addr"
        size: 10
        policy: "performance"
        timeout: "1d"
        flags:
          - "timeout"
          - "interval"
        gc_interval: "12h"
        elements:
          - 192.0.2.1
          - 192.0.2.2
    maps:
      - name: "map1"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ssh
            value: "192.0.2.10"
      - name: "map2"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: ftp
            value: "192.0.2.25"
    verdict_maps:
      - name: "vmap1"
        keys_type: "ipv4_addr"
        elements:
          - key: "192.0.2.10"
            verdict: "accept"
    chains:
      - name: "My input filter"
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"
        rules:
          - position: 2
            statement: "ct state invalid log prefix 'Invalid_IN: ' drop"
            comment: "Log and drop invalid packets."
          - position: 1
            statement: "iif lo accept"
          - position: 3
            statement: "ct state {established,related} accept"
      - name: "My output filter"
        base:
          type: "filter"
          hook: "output"
          priority: -10
          policy: "accept"
        rules:
          - position: 1
            statement: "ip daddr 192.0.2.100 counter"
...
```
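As an added example, not the role's own template or code, here is a small Python renderer that turns the data model documented above into nftables configuration text. It checks every value against the lists given in the tables (set types, flags, families, chain types, policies), emits `verdict` for verdict maps, and orders rules by `position` rather than by the order they appear in the vars file. The function names, error messages and `SAMPLE_VARS` are this example's own constructions; the syntax it emits is standard nftables configuration syntax.

```python
# Added example, not the role's own template. It renders the README's data
# model into nft configuration text; the allowed values are the ones the
# README lists, everything else (names, messages, SAMPLE_VARS) is constructed.
SET_TYPES = {"ipv4_addr", "ipv6_addr", "ether_addr", "inet_service",
             "inet_proto", "icmp_type", "icmpv6_type", "mark"}
MAP_VALUE_TYPES = (SET_TYPES - {"icmp_type", "icmpv6_type"}) | {"counter", "quota"}
SET_FLAGS = {"constant", "interval", "timeout"}
FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}
CHAIN_TYPES = {"filter", "nat", "route"}


def _check(value, allowed, what):
    # Reject values the README does not list before nft ever sees the file.
    if value not in allowed:
        raise ValueError(f"{what} {value!r} not in {sorted(allowed)}")


def render_set(s):
    _check(s["type"], SET_TYPES, "set type")
    for flag in s.get("flags", []):
        _check(flag, SET_FLAGS, "set flag")
    if "policy" in s:
        _check(s["policy"], {"performance", "memory"}, "set policy")
    lines = [f"set {s['name']} {{", f"    type {s['type']}"]
    if s.get("flags"):
        lines.append("    flags " + ", ".join(s["flags"]))
    for key in ("size", "policy", "timeout", "gc_interval"):  # nft spells it gc-interval
        if key in s:
            lines.append(f"    {key.replace('_', '-')} {s[key]}")
    if s.get("elements"):
        lines.append("    elements = { " + ", ".join(map(str, s["elements"])) + " }")
    return lines + ["}"]


def render_map(m, verdict=False):
    # A verdict map is a map whose values_type is fixed to 'verdict' and whose
    # elements carry a 'verdict' property instead of 'value'.
    _check(m["keys_type"], SET_TYPES, "map keys_type")
    values_type, value_key = ("verdict", "verdict") if verdict else (m["values_type"], "value")
    if not verdict:
        _check(values_type, MAP_VALUE_TYPES, "map values_type")
    lines = [f"map {m['name']} {{", f"    type {m['keys_type']} : {values_type}"]
    if m.get("elements"):
        pairs = ", ".join(f"{e['key']} : {e[value_key]}" for e in m["elements"])
        lines.append("    elements = { " + pairs + " }")
    return lines + ["}"]


def render_chain(c):
    lines = [f"chain {c['name']} {{"]
    base = c.get("base")  # only a base chain is attached to a hook
    if base:
        _check(base["type"], CHAIN_TYPES, "chain type")
        head = f"    type {base['type']} hook {base['hook']} priority {base['priority']};"
        if "policy" in base:
            _check(base["policy"], {"accept", "drop"}, "chain policy")
            head += f" policy {base['policy']};"
        lines.append(head)
    # 'position' decides rule order, not the order in the vars file
    for rule in sorted(c.get("rules", []), key=lambda r: r["position"]):
        if rule.get("comment"):
            lines.append(f"    # {rule['comment']}")
        lines.append("    " + rule["statement"])
    return lines + ["}"]


def render_ruleset(role_vars):
    out = ["flush ruleset"] if role_vars.get("nftables_flush_ruleset", True) else []
    for table in role_vars["nftables_tables"]:
        family = table.get("family", "ip")
        _check(family, FAMILIES, "table family")
        body = []
        for s in table.get("sets", []):
            body += render_set(s)
        for m in table.get("maps", []):
            body += render_map(m)
        for vm in table.get("verdict_maps", []):
            body += render_map(vm, verdict=True)
        for c in table.get("chains", []):
            body += render_chain(c)
        out.append(f"table {family} {table['name']} {{")
        out += ["    " + line for line in body] + ["}"]
    return "\n".join(out) + "\n"


# Constructed sample in the README's data model (not a usable policy).
SAMPLE_VARS = {"nftables_flush_ruleset": True, "nftables_tables": [{
    "name": "firewall", "family": "inet",
    "sets": [{"name": "blocklist", "type": "ipv4_addr", "flags": ["interval", "timeout"],
              "timeout": "1d", "gc_interval": "12h", "elements": ["192.0.2.0/24"]}],
    "maps": [{"name": "map1", "keys_type": "inet_service", "values_type": "ipv4_addr",
              "elements": [{"key": "ssh", "value": "192.0.2.10"}]}],
    "verdict_maps": [{"name": "vmap1", "keys_type": "ipv4_addr",
                      "elements": [{"key": "192.0.2.10", "verdict": "accept"}]}],
    "chains": [{"name": "input", "base": {"type": "filter", "hook": "input", "priority": 0, "policy": "drop"},
                "rules": [{"position": 2, "statement": "ct state invalid drop", "comment": "Drop invalid."},
                          {"position": 1, "statement": "iif lo accept"},
                          {"position": 3, "statement": "ct state {established,related} accept"}]}]}]}
```

`print(render_ruleset(SAMPLE_VARS))` produces a file you can hand to `nft -c -f` for a syntax check before anything is loaded. Because the renderer rejects any value outside the documented lists, a typo in a vars file (a misspelled set type, an unknown chain policy) fails at render time rather than while the live ruleset is being replaced.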
Testing involves the following steps:

- Check the role syntax
- Do a first run
- Do a second run and check for idempotence

on the following operating systems:

- Debian 9
- CentOS 7
- Ubuntu 18.04
Code reviews, patches, comments, bug reports and feature requests are welcome. Please read the Contributing Guide for further details.