This Ansible role installs nftables and manages its configuration. For more information about nftables, please check the official project page.
Variables and properties in **bold** are mandatory. Others are optional.

| Variable name | Description | Default value |
|---|---|---|
| `nftables_flush_ruleset` | Whether the current ruleset should be flushed or not. | `yes` |
| `nftables_config_file` | Path to the configuration file. | `/etc/nftables.conf` |
| `nftables_tables` | A list of table definitions (see *table properties* below). | `[]` |
### table properties

| Property name | Description | Default value |
|---|---|---|
| **`name`** | Name of the table. | |
| `family` | Address family of the table. If specified, must be one of `ip`, `ip6`, `inet`, `arp`, `bridge` or `netdev`. | `ip` |
| `sets` | A list of set definitions (see *set properties*). | |
| `maps` | A list of map definitions (see *map properties*). | |
| `verdict_maps` | A list of verdict map definitions (see *verdict_map properties*). | |
| `chains` | A list of chain definitions (see *chain properties*). | |
### set properties

| Property name | Description |
|---|---|
| **`name`** | Name of the set. |
| **`type`** | Type of the elements contained in the set. Must be one of `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
| `size` | Number of elements the set can contain. |
| `policy` | The set selection policy. If specified, must be either `performance` or `memory`. |
| `timeout` | How long the elements stay in the set. |
| `flags` | A list of flags. If specified, must contain at least one of `constant`, `interval`, `timeout`. |
| `gc_interval` | Garbage collection interval. |
| `elements` | A list of elements contained in the set. Elements must conform to the set `type`. |
### map properties

| Property name | Description |
|---|---|
| **`name`** | Name of the map. |
| **`keys_type`** | Type of the keys. Must be one of `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
| **`values_type`** | Type of the values. Must be one of `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `mark`, `counter` or `quota`. |
| `elements` | A list of elements contained in the map (see *map element properties*). Elements must conform to the map `keys_type` and `values_type`. |
### map element properties

| Property name | Description |
|---|---|
| **`key`** | Key value. |
| **`value`** | Value associated with the key. |
### verdict_map properties

A `verdict_map` is just a special case of `map` where the `values_type` is always `verdict`. As such, there is no `values_type` property. Also, elements contained in a `verdict_map` have a `verdict` property instead of the `value` property.

| Property name | Description |
|---|---|
| **`name`** | Name of the map. |
| **`keys_type`** | Type of the keys. Must be one of `ipv4_addr`, `ipv6_addr`, `ether_addr`, `inet_service`, `inet_proto`, `icmp_type`, `icmpv6_type` or `mark`. |
| `elements` | A list of elements contained in the verdict map (see *verdict_map element properties*). |
### verdict_map element properties

| Property name | Description |
|---|---|
| **`key`** | Key value. |
| **`verdict`** | Verdict associated with the key. |
### chain properties

| Property name | Description |
|---|---|
| **`name`** | Name of the chain. |
| `base` | Base chain definition for the chain (see *base properties*). |
| `rules` | List of rules contained in the chain (see *rule properties*). |
### base properties

| Property name | Description |
|---|---|
| **`type`** | The type of the chain. Must be one of `filter`, `nat` or `route`. |
| `hook` | Hook where the chain is attached. Available values depend on `type`. |
| `priority` | Integer determining the order of the chains attached to the same `hook`. |
| `policy` | Default policy for the chain. If specified, must be either `accept` or `drop`. |
### rule properties

| Property name | Description |
|---|---|
| `position` | Integer determining the order of the rules in the chain. |
| `statement` | Rule statement. |
| `comment` | A comment describing the rule. |
Here is a small example of what your file should look like.

IMPORTANT: DO NOT use this as your firewall!

```yaml
---
nftables_flush_ruleset: yes
nftables_config_file: /etc/nftables.rules
nftables_tables:
  - name: firewall
    family: inet
    sets:
      - name: "set1"
        # elements below are IPv4 addresses, so the set type must match
        type: "ipv4_addr"
        size: 10
        policy: "performance"
        timeout: "1d"
        flags:
          - "timeout"
          - "interval"
        gc_interval: "12h"
        elements:
          - 192.0.2.1
          - 192.0.2.2
    maps:
      - name: "map1"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: "ssh"
            value: "192.0.2.10"
      - name: "map2"
        keys_type: "inet_service"
        values_type: "ipv4_addr"
        elements:
          - key: "ftp"
            value: "192.0.2.25"
    verdict_maps:
      - name: "vmap1"
        # keys are IPv4 addresses; a verdict_map has no values_type and its
        # elements use `verdict` instead of `value`
        keys_type: "ipv4_addr"
        elements:
          - key: "192.0.2.10"
            verdict: "accept"
    chains:
      - name: "My input filter"
        base:
          type: "filter"
          hook: "input"
          priority: 0
          policy: "drop"
        # rules are ordered by `position`, not by their order in this list
        rules:
          - position: 2
            statement: "ct state invalid log prefix 'Invalid_IN: ' drop"
            comment: "Log and drop invalid packets."
          - position: 1
            statement: "iif lo accept"
          - position: 3
            statement: "ct state {established,related} accept"
      - name: "My output filter"
        base:
          type: "filter"
          hook: "output"
          priority: -10
          policy: "accept"
        rules:
          - position: 1
            statement: "ip daddr 192.0.2.100 counter"
...
```
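As an added example (not the role's own code; the role's real template is not shown on this page), the following Python script checks a `nftables_tables` structure against the property tables above and renders it as nft configuration text, applying the rule `position` ordering the example relies on. The `gc-interval` keyword spelling, the quoting of chain names that contain spaces and the set/map block layout are assumptions about nft syntax, not something this README specifies; the sample data is constructed to mirror the example above.

```python
"""Added example (not the role's own code): check a nftables_tables structure
against the properties documented above and render it as nft text."""

SET_TYPES = {"ipv4_addr", "ipv6_addr", "ether_addr", "inet_service",
             "inet_proto", "icmp_type", "icmpv6_type", "mark"}
MAP_VALUE_TYPES = (SET_TYPES - {"icmp_type", "icmpv6_type"}) | {"counter", "quota"}
FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}
SET_FLAGS, SET_POLICIES = {"constant", "interval", "timeout"}, {"performance", "memory"}
CHAIN_TYPES, CHAIN_POLICIES = {"filter", "nat", "route"}, {"accept", "drop"}


def validate_tables(tables):
    """Return a list of problems; an empty list means the structure is valid."""
    problems = []

    def check(ok, msg):
        if not ok:
            problems.append(msg)

    for t in tables:
        name = t.get("name", "<unnamed>")
        check(t.get("family", "ip") in FAMILIES, f"{name}: bad family {t.get('family')!r}")
        for s in t.get("sets", []):
            where = f"{name}/set {s.get('name')}"
            check(s.get("type") in SET_TYPES, f"{where}: bad type {s.get('type')!r}")
            check(s.get("policy", "performance") in SET_POLICIES, f"{where}: bad policy")
            check(set(s.get("flags", [])) <= SET_FLAGS, f"{where}: unknown flags")
        for m in t.get("maps", []):
            where = f"{name}/map {m.get('name')}"
            check(m.get("keys_type") in SET_TYPES, f"{where}: bad keys_type")
            check(m.get("values_type") in MAP_VALUE_TYPES, f"{where}: bad values_type")
            check(all({"key", "value"} <= set(e) for e in m.get("elements", [])),
                  f"{where}: elements need 'key' and 'value'")
        for vm in t.get("verdict_maps", []):
            where = f"{name}/verdict_map {vm.get('name')}"
            check(vm.get("keys_type") in SET_TYPES, f"{where}: bad keys_type")
            check("values_type" not in vm, f"{where}: values_type is implicitly verdict")
            check(all({"key", "verdict"} <= set(e) for e in vm.get("elements", [])),
                  f"{where}: elements need 'key' and 'verdict' (not 'value')")
        for c in t.get("chains", []):
            where, base = f"{name}/chain {c.get('name')}", c.get("base")
            if base is not None:
                check(base.get("type") in CHAIN_TYPES, f"{where}: bad base type")
                check(base.get("policy", "accept") in CHAIN_POLICIES, f"{where}: bad policy")
            positions = [r.get("position") for r in c.get("rules", [])]
            check(len(positions) == len(set(positions)), f"{where}: duplicate rule positions")
    return problems


def _name(n):  # quote names that are not plain identifiers (assumed nft quoting rule)
    return n if n.replace("_", "").isalnum() else f'"{n}"'


def render_ruleset(tables, flush=True):
    """Render the structure as nft configuration text, one statement per line."""
    out = ["flush ruleset"] if flush else []
    for t in tables:
        out.append(f"table {t.get('family', 'ip')} {_name(t['name'])} {{")
        for s in t.get("sets", []):
            out += [f"    set {_name(s['name'])} {{", f"        type {s['type']}"]
            if s.get("flags"):
                out.append(f"        flags {', '.join(s['flags'])}")
            for key, kw in (("size", "size"), ("policy", "policy"),
                            ("timeout", "timeout"), ("gc_interval", "gc-interval")):
                if key in s:
                    out.append(f"        {kw} {s[key]}")
            if s.get("elements"):
                out.append(f"        elements = {{ {', '.join(map(str, s['elements']))} }}")
            out.append("    }")
        # a verdict_map renders like a map whose values_type is verdict
        vmaps = [dict(vm, values_type="verdict") for vm in t.get("verdict_maps", [])]
        for m in t.get("maps", []) + vmaps:
            out += [f"    map {_name(m['name'])} {{",
                    f"        type {m['keys_type']} : {m['values_type']}"]
            pairs = [f"{e['key']} : {e.get('value', e.get('verdict'))}" for e in m.get("elements", [])]
            if pairs:
                out.append(f"        elements = {{ {', '.join(pairs)} }}")
            out.append("    }")
        for c in t.get("chains", []):
            out.append(f"    chain {_name(c['name'])} {{")
            base = c.get("base")
            if base:
                out.append(f"        type {base['type']} hook {base['hook']} priority {base['priority']};")
                if "policy" in base:
                    out.append(f"        policy {base['policy']};")
            # rules come out in `position` order, whatever order the list gives them in
            for r in sorted(c.get("rules", []), key=lambda r: r["position"]):
                comment = f' comment "{r["comment"]}"' if r.get("comment") else ""
                out.append(f"        {r['statement']}{comment}")
            out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n"


# Constructed sample mirroring the README example (types chosen so that elements
# match them, and verdict_map elements carry `verdict` rather than `value`).
EXAMPLE_TABLES = [{"name": "firewall", "family": "inet",
    "sets": [{"name": "set1", "type": "ipv4_addr", "timeout": "1d", "gc_interval": "12h",
              "flags": ["timeout", "interval"], "elements": ["192.0.2.1", "192.0.2.2"]}],
    "maps": [{"name": "map1", "keys_type": "inet_service", "values_type": "ipv4_addr",
              "elements": [{"key": "ssh", "value": "192.0.2.10"}]}],
    "verdict_maps": [{"name": "vmap1", "keys_type": "ipv4_addr",
                      "elements": [{"key": "192.0.2.10", "verdict": "accept"}]}],
    "chains": [{"name": "My input filter",
                "base": {"type": "filter", "hook": "input", "priority": 0, "policy": "drop"},
                "rules": [{"position": 2, "statement": "ct state invalid drop", "comment": "Drop invalid packets."},
                          {"position": 1, "statement": "iif lo accept"}]}]}]
```

Run `validate_tables(EXAMPLE_TABLES)` before rendering: it returns an empty list for the sample, and a list of messages such as `firewall/verdict_map vmap1: elements need 'key' and 'verdict' (not 'value')` when an element uses the map-style `value` key, which is the mistake the verdict_map section warns about. `render_ruleset` emits the rules of each chain sorted by `position`, so the list order in the YAML does not matter, exactly as the example above relies on.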
Testing involves the following steps:

1. Check the role syntax.
2. Do a first run.
3. Do a second run and check for idempotence.

on the following OS:

- Debian 9
- CentOS 7
- Ubuntu 18.04
Code reviews, patches, comments, bug reports and feature requests are welcome. Please read the Contributing Guide for further details.