init

.pylintrc

@@ -327,7 +327,7 @@ indent-after-paren=4
 indent-string='    '
 
 # Maximum number of characters on a single line.
-max-line-length=100
+max-line-length=120
 
 # Maximum number of lines in a module.
 max-module-lines=1000
@@ -415,7 +415,10 @@ disable=raw-checker-failed,
         suppressed-message,
         useless-suppression,
         deprecated-pragma,
-        use-symbolic-message-instead
+        use-symbolic-message-instead,
+        C0114, C0115, C0116,  # docstrings
+        C0103,  # var naming
+        R0801,  # similar code
 
 # Enable the message, report, category or checker with the given id(s). You can
 # either give multiple identifier separated by comma (,) or put this option

README.md

@@ -10,6 +10,7 @@ Role to deploy Addons for NFTables on Linux servers.
 
 [![Molecule Test Status](https://badges.ansibleguy.net/addons_nftables.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2)
 [![YamlLint Test Status](https://badges.ansibleguy.net/addons_nftables.yamllint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/yamllint.sh.j2)
+[![PyLint Test Status](https://badges.ansibleguy.net/addons_nftables.pylint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/pylint.sh.j2)
 [![Ansible-Lint Test Status](https://badges.ansibleguy.net/addons_nftables.ansiblelint.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/ansiblelint.sh.j2)
 [![Ansible Galaxy](https://img.shields.io/ansible/role/GALAXY_ID)](https://galaxy.ansible.com/ansibleguy/ROLE)
 [![Ansible Galaxy Downloads](https://img.shields.io/badge/dynamic/json?color=blueviolet&label=Galaxy%20Downloads&query=%24.download_count&url=https%3A%2F%2Fgalaxy.ansible.com%2Fapi%2Fv1%2Froles%2FGALAXY_ID%2F%3Fformat%3Djson)](https://galaxy.ansible.com/ansibleguy/addons_nftables)
@@ -77,22 +78,42 @@ ansible-galaxy install ansibleguy.addons_nftables --roles-path ./roles
 
 ## Usage
 
-You can 
+You can manage the NFTables base-config using the [ansibleguy.infra_nftables](https://github.com/ansibleguy/infra_nftables) role!
 
 ### Config
 
 Define the config as needed:
 
 ```yaml
-app:
+nftables_addons:
+  enable:
+    dns: true  # enable DNS-addon
+    dns_v6: true  # enable IPv6-processing of DNS-addon
+    iplist: true  # enable IPList-addon
+    iplist_v6: true  # enable IPv6-processing of IPList-addon
+    # timer: true  # you could disable the timer-management if you want to do it yourself
+    # systemd: true  # update addons using a systemd-timer
+    # cron: false  # update addons using a cron-job
+
+  path:
+    base_config: '/etc/nftables.conf'
+    addon:
+      dir: '/etc/nftables.d/addons'
+
+  timer:
+    systemd:
+      dns: '*:0/15'  # update every 15min
+      iplist: '*-*-* 00,12:00:00'  # update twice a day
+
+    # cron:
+    #   dns:  # every 15min
+    #     minute: '*/15'
+    #   iplist:  # twice a day
+    #     minute: '0'
+    #     hour: '0,12'
 
 ```
 
-You might want to use 'ansible-vault' to encrypt your passwords:
-```bash
-ansible-vault encrypt_string
-```
-
 ### Execution
 
 Run the playbook:
@@ -101,8 +122,8 @@ ansible-playbook -K -D -i inventory/hosts.yml playbook.yml
 ```
 
 There are also some useful **tags** available:
-* 
-*
+* dns
+* iplist
 
 To debug errors - you can set the 'debug' variable at runtime:
 ```bash

defaults/main/0_hardcoded.yml

@@ -1,3 +1,8 @@
 ---
 
-
+NFT_ADD_HC:
+  min_py3_version: '3.3'  # 'ipaddress' builtin
+  dump_keys:
+    dns: 'dns'
+    iplist: 'iplist'
+  cron_prefix: 'nftables_addon'

defaults/main/1_main.yml

@@ -4,8 +4,62 @@ no_prompts: false
 debug: false
 
 # default config => is overwritten by provided config
-defaults_app: {}
+defaults_nftables_addons:
+  enable:
+    dns: false
+    dns_v6: false
+    iplist: false
+    iplist_v6: false
+    timer: true
+    systemd: true
+    cron: false
 
-APP_CONFIG: "{{ defaults_app | combine(app, recursive=true) }}"
+  appendix:  # will be appended to the var-names
+    ipv4: ''
+    ipv6: 'v6'
 
-defaults_instance: {}
+  config:
+    iplists: {}
+    #  variable:
+    #    urls: ['https://check.torproject.org/torbulkexitlist']
+    #    separator: "\n"
+    dns_records: {}
+    #  variable: ['dns1', 'dns2']
+
+  path:
+    lib: '/usr/lib/nftables'
+    base_config: '/etc/nftables.conf'
+    addon:
+      dir: '/etc/nftables.d/addons'
+      dns: 'dns.nft'
+      dns_dump: 'dns.json'
+      iplist: 'iplist.nft'
+      iplist_dump: 'iplist.json'
+
+  cmd_reload: 'sudo systemctl restart nftables.service'  # if no systemd is available: use 'sudo nft -f { base_config }'
+
+  timer:
+    systemd:
+      # for date-time format see:
+      #   https://wiki.archlinux.org/title/Systemd/Timers
+      #   https://silentlad.com/systemd-timers-oncalendar-(cron)-format-explained
+      dns: '*:0/15'  # every 15min
+      iplist: '*-*-* 00,12:00:00'  # twice a day
+      user: 'root'
+      group: 'root'
+      syslog_id_prefix: 'nftables_addon'
+      service_prefix: 'ansibleguy.addons_nftables-'
+
+    cron:  # see module: ansible.builtin.cron and https://crontab.guru/
+      dns:  # every 15min
+        minute: '*/15'
+        hour:
+        day:
+        weekday:
+      iplist:  # twice a day
+        minute: '0'
+        hour: '0,12'
+        day:
+        weekday:
+
+NTF_ADD_CONFIG: "{{ defaults_nftables_addons | combine(nftables_addons, recursive=true) }}"

files/usr/lib/nftables/dns_resolver.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+
+# Source: https://github.com/superstes/python3-resolver
+# Copyright (C) 2023  René Pascal Rath
+# License: GNU General Public License v3.0
+
+from socket import getaddrinfo, gaierror
+from ipaddress import IPv4Address, AddressValueError
+
+DUMMY_PORT = 80
+
+
+def _is_ipv4_address(i: str) -> bool:
+    try:
+        IPv4Address(i)
+        return True
+
+    except AddressValueError:
+        return False
+
+
+def _sorted(data: list) -> list:
+    data.sort()
+    return data
+
+
+def resolve(name: str) -> list:
+    try:
+        raw = getaddrinfo(name, DUMMY_PORT)
+        # pylint: disable=R1718
+        return _sorted(list(set([r[4][0] for r in raw])))
+
+    except (gaierror, UnicodeError):
+        return []
+
+
+def resolve_ipv4(name: str) -> list:
+    return _sorted([i for i in resolve(name) if _is_ipv4_address(i)])
+
+
+def resolve_ipv6(name: str) -> list:
+    return _sorted([i for i in resolve(name) if not _is_ipv4_address(i)])

molecule/default/molecule.yml

@@ -16,6 +16,8 @@ _references:
 
 dependency:
   name: galaxy
+  options:
+    role-file: 'requirements_roles.yml'
 driver:
   name: docker
 platforms:

molecule/default/prepare.yml

@@ -2,13 +2,30 @@
 
 - name: Prepare
   hosts: all
-  tasks:
-    - name: Installing troubleshooting utils
-      apt:
-        name: ['less', 'nano', 'net-tools', 'dnsutils', 'iproute2']
-        state: present
-
-    - name: Installing Role dependencies
-      apt:
-        name: ['kmod']
-        state: present
+  vars:
+    nftables:
+      enable:
+        sets: false  # debian (11) kernel 5.x does not support it
+
+      tables:
+        example:
+          chains:
+            incoming:
+              vars:
+                chain_var: '1.1.1.1'
+
+              hook: 'input'
+              rules:
+                - sequence: 1
+                  raw: 'ct state invalid counter log prefix "DROP invalid sates" drop'
+                - seq: 2
+                  raw: 'ct state {established, related} counter accept comment "Allow open sessions"'
+                - s: 3
+                  raw: 'iifname "lo" accept comment "Allow loopback traffic"'
+
+            outgoing:
+              hook: 'output'
+              policy: 'accept'
+
+  roles:
+    - ansibleguy.infra_nftables

molecule/default/requirements_roles.yml

@@ -0,0 +1,4 @@
+---
+
+roles:
+  - src: 'ansibleguy.infra_nftables'

molecule/default/verify.yml

@@ -1,13 +1,18 @@
 ---
 
 - name: Verify
-  hosts: grp_tester
+  hosts: all
   gather_facts: false
-  tasks: []
-  #  - name: Checking if zoneminder web-service is reachable
-  #    ansible.builtin.uri:
-  #      url: 'https://192.168.0.2'
-  #      return_content: yes
-  #      validate_certs: false
-  #    register: page
-  #    failed_when: "'Zoneminder' not in page.content"
+  tasks:
+    - name: Checking that config is valid
+      ansible.builtin.command: "nft -cf {{ item }}"
+      changed_when: false
+      loop:
+        - '/etc/nftables.d/addons/dns.nft'
+        - '/etc/nftables.d/addons/iplist.nft'
+        - '/etc/nftables.conf'
+
+    - name: Checking that service survives restart
+      ansible.builtin.systemd:
+        name: 'nftables.service'
+        state: restarted

playbook.yml

@@ -6,4 +6,4 @@
   become: true
   gather_facts: yes
   roles:
-  - ansibleguy.ROLE
+  - ansibleguy.addons_nftables

tasks/dns.yml

@@ -0,0 +1,25 @@
+---
+
+- name: NFTables-Addons | DNS | Copying helper-script
+  ansible.builtin.copy:
+    src: 'files/usr/lib/nftables/dns_resolver.py'
+    dest: "{{ NTF_ADD_CONFIG.path.lib }}/dns_resolver.py"
+    owner: 'root'
+    group: 'root'
+    mode: 0750
+
+- name: NFTables-Addons | DNS | Copying script
+  ansible.builtin.template:
+    src: 'templates/usr/lib/nftables/dns.py'
+    dest: "{{ NTF_ADD_CONFIG.path.lib }}/dns.py"
+    owner: 'root'
+    group: 'root'
+    mode: 0750
+
+- name: NFTables-Addons | DNS | Timer
+  ansible.builtin.include_tasks: timer/main.yml
+  vars:
+    addon_key: 'dns'
+  args:
+    apply:
+      tags: dns

tasks/iplist.yml

@@ -0,0 +1,17 @@
+---
+
+- name: NFTables-Addons | IP-List | Copying script
+  ansible.builtin.template:
+    src: 'templates/usr/lib/nftables/iplist.py'
+    dest: "{{ NTF_ADD_CONFIG.path.lib }}/iplist.py"
+    owner: 'root'
+    group: 'root'
+    mode: 0750
+
+- name: NFTables-Addons | IP-List | Timer
+  ansible.builtin.include_tasks: timer/main.yml
+  vars:
+    addon_key: 'iplist'
+  args:
+    apply:
+      tags: iplist