Commit

added 'ip6 saddr' and 'ip6 daddr' support
ansibleguy committed Jul 22, 2023
1 parent d427b11 commit 37893a7
Showing 9 changed files with 39 additions and 33 deletions.
42 changes: 21 additions & 21 deletions README.md
@@ -101,27 +101,27 @@ ansible-galaxy install ansibleguy.infra_nftables --roles-path ./roles

These are the available fields and aliases:

| Function | Keys | Note |
|----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| Rule sequence | s, id, seq, sequence | The sequence-id (_integer_) to sort the rules inside a chain. If none is provided one will be auto-generated beginning at 1000. If a duplicate sequence id is provided the role will fail its config-check! |
| Input interface | if, iif, iifname | - |
| Output interface | of, oif, oifname | - |
| Protocol | proto, pr, protocol | - |
| Protocol sub-type | t, type | - |
| Protocol sub-code | co, code | - |
| Destination Address/Network | d, dest, target, destination, 'ip daddr' | - |
| Destination Port | dp, port, dport, dest_port | - |
| Source Address/Network | s, src, source, 'ip saddr' | - |
| Source Port | sp, sport, sport, src_port | - |
| Logging / Log message | l, log, 'log prefix' | If set to 'True' and a 'comment' is provided, it will be used as message. Else no message will be used |
| Traffic counter | count, counter | If set to 'True' a rule-specific counter will be used. Else it will use the provided pre-defined counter |
| Traffic Limit | lim, limit | A limit to set for the rule, see: [Anonymous Limits](https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings) and [Pre-defined Limits](https://wiki.nftables.org/wiki-nftables/index.php/Limits) |
| Rule action | a, action | If no action is provided, it will default to 'accept' |
| Source NAT masquerading | m, masque, masquerade | If NAT masquerading should be used |
| Source NAT | snat, src_nat, source_nat, outbound_nat, 'snat to' | - |
| Destination NAT | dnat, dest_nat, destination_nat, 'dnat to' | - |
| Redirect | redir, redirect, 'redirect to' | By using redirect, packets will be forwarded to local machine | |
| Rule comment | c, cmt, comment | - |
| Function | Keys | Note |
|----------------------------------------------------|--------------------------------------------------------------------------|------|
| Rule sequence | s, id, seq, sequence | The sequence-id (_integer_) to sort the rules inside a chain. If none is provided one will be auto-generated beginning at 1000. If a duplicate sequence id is provided the role will fail its config-check! |
| Input interface | if, iif, iifname | - |
| Output interface | of, oif, oifname | - |
| Protocol | proto, pr, protocol | - |
| Protocol sub-type | t, type | - |
| Protocol sub-code | co, code | - |
| Destination Address/Network | d, dest, target, destination, 'ip daddr', d6, dest6, target6, 'ip6 daddr' | - |
| Destination Port | dp, port, dport, dest_port | - |
| Source Address/Network | s, src, source, 'ip saddr', s6, src6, source6, 'ip6 saddr' | - |
| Source Port | sp, sport, sport, src_port | - |
| Logging / Log message | l, log, 'log prefix' | If set to 'True' and a 'comment' is provided, it will be used as message. Else no message will be used |
| Traffic counter | count, counter | If set to 'True' a rule-specific counter will be used. Else it will use the provided pre-defined counter |
| Traffic Limit | lim, limit | A limit to set for the rule, see: [Anonymous Limits](https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings) and [Pre-defined Limits](https://wiki.nftables.org/wiki-nftables/index.php/Limits) |
| Rule action | a, action | If no action is provided, it will default to 'accept' |
| Source NAT masquerading | m, masque, masquerade | If NAT masquerading should be used |
| Source NAT | snat, src_nat, source_nat, outbound_nat, 'snat to' | - |
| Destination NAT | dnat, dest_nat, destination_nat, 'dnat to' | - |
| Redirect | redir, redirect, 'redirect to' | By using redirect, packets will be forwarded to local machine | |
| Rule comment | c, cmt, comment | - |

Only one of Action, Source-NAT, Masquerading or Destination-NAT can be set for one rule!

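Review bot: the documented IPv6 aliases disagree with defaults/main/0_hardcoded.yml in this same commit: the Destination Address/Network row lists 'target6' for 'ip6 daddr', while the alias map adds plain 'target' (which is already the alias for 'ip daddr'). One of the two has to change, and 'target6' is the consistent choice. While these rows are being touched, two older problems in the same table are worth fixing: the Source Port row lists 'sport' twice, and 's' is documented as an alias for both Rule sequence and Source Address/Network, although in the alias map shown in this commit 's' maps to 'ip saddr'.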
9 changes: 4 additions & 5 deletions defaults/main/0_hardcoded.yml
@@ -38,9 +38,6 @@ NFT_HC:
nat: []
route: []

# todo: unclear to me if those are the only valid priorities or one can use any (?)
priorities: ['-400', '-300', '-225', '-200', '-150', '-100', '0', '50', '100', '225', '300']

set:
types: [
'ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service',
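Review bot: dropping the hardcoded whitelist answers the TODO correctly: nftables chain priorities are arbitrary signed integers, and the values listed here were only the conventional ones (e.g. raw -300, mangle -150, dstnat -100, filter 0, security 50, srcnat 100, with different numbers for the bridge family); recent nft releases also accept those names instead of numbers. Be aware that the corresponding assert in tasks/chain.yml is removed in the same commit, so after this change the role performs no validation of the priority value at all.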
@@ -57,8 +54,8 @@ NFT_HC:
translate:
# sequence of fields needed in nft config
sequence: [
'iifname', 'oifname', 'proto', 'type', 'code', 'dport', 'ip daddr', 'sport',
'ip saddr', 'log prefix', 'counter', 'limit',
'iifname', 'oifname', 'proto', 'type', 'code', 'dport', 'ip daddr', 'ip6 daddr', 'sport',
'ip saddr', 'ip6 saddr', 'log prefix', 'counter', 'limit',
'action', 'masquerade', 'snat to', 'dnat to', 'comment',
]

@@ -68,7 +65,9 @@ NFT_HC:
dport: ['port', 'dest_port', 'dp']
sport: ['sport', 'src_port', 'sp']
'ip daddr': ['dest', 'destination', 'target', 'd']
'ip6 daddr': ['dest6', 'destination6', 'target', 'd6']
'ip saddr': ['src', 'source', 's']
'ip6 saddr': ['src6', 'source6', 's6']
'log prefix': ['log', 'l']
comment: ['cmt', 'c']
type: ['t']
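Review bot: the 'ip6 daddr' alias list contains 'target' instead of 'target6', so 'target' is now mapped to both 'ip daddr' and 'ip6 daddr' and a rule using it is ambiguous (which family wins depends on the iteration order inside the translate filter). The README rows added in this commit document 'target6'; the line should read 'ip6 daddr': ['dest6', 'destination6', 'target6', 'd6'].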
3 changes: 3 additions & 0 deletions molecule/default/converge.yml
@@ -84,6 +84,9 @@
- {proto: 'icmp', if: '$int_public', limit: 'icmp_limit', comment: 'limit icmp traffic from public int with pre-defined limit'}
- {proto: 'udp', port: 51820, counter: true, comment: 'Count wireguard packets', action: none}
- {proto: 'udp', port: 51821, counter: 'invalid_packages', comment: 'Count wrong wireguard packets with pre-defined counter', action: none}
- {proto: 'tcp', port: [80, 443], comment: 'v6 test1', dest6: '2001:db8::1'}
- {proto: 'udp', port: 1339, comment: 'v6 test2', src6: '2001:db8::1'}
- {proto: 'udp', port: 1339, comment: 'v6 test3', src6: '2001:db8::1', dest6: '2001:db8:1:1'}

outgoing:
hook: 'output'
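Review bot: the dest6 value in 'v6 test3', '2001:db8:1:1', is not a valid IPv6 address (four groups and no '::'), so nft will refuse to load the generated rule; molecule/default/verify.yml in this commit expects 'ip6 daddr 2001:db8::1:1', which is what was evidently intended, so the converge value should be '2001:db8::1:1'. A test case that passes an address in the wrong family (e.g. 'dest6' with an IPv4 address) would also be useful here, since the role currently has no check that catches that before nft does.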
4 changes: 4 additions & 0 deletions molecule/default/verify.yml
@@ -60,6 +60,10 @@
- 'iifname "$int_private" tcp dport 8888 dnat ip to 192.168.10.1:8888'
- 'oifname \"$int_private\" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } masquerade'
- 'oifname \"$int_private2\" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } snat ip to 192.168.0.1'
# ipv6
- 'tcp dport { 80, 443 } ip6 daddr 2001:db8::1 accept comment \"v6 test1\"'
- 'udp dport 1339 ip6 saddr 2001:db8::1 accept comment \"v6 test2\"'
- 'udp dport 1339 ip6 daddr 2001:db8::1:1 ip6 saddr 2001:db8::1 accept comment \"v6 test3\"'

ignore_errors: true
register: rule_check
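Review bot: the new expectations only cover single host addresses, whereas the IPv4 expectations directly above also check sets and prefixes ('ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }') and the README documents the new keys as Address/Network; a case with a prefix such as 'ip6 saddr 2001:db8::/32' and one with a list of addresses would cover the same ground for IPv6. Note also that the 'ip6 daddr ... ip6 saddr' order asserted for 'v6 test3' is dictated by NFT_HC.translate.sequence in 0_hardcoded.yml, so any reordering there will break this string match rather than the role.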
4 changes: 1 addition & 3 deletions tasks/chain.yml
@@ -5,7 +5,6 @@
that: >
nft_chain.type in NFT_HC.choices.chain.types and
nft_chain.hook in NFT_HC.choices.hook[nft_table.type][nft_chain.type] and
nft_chain.priority | string in NFT_HC.choices.priorities and
nft_chain.rules |
nftables_merge_rules(NFT_CONFIG, nft_table, nft_chain_name) |
nftables_unique_sequence(NFT_HC.rules.sort)
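Review bot: with the priorities line removed, nothing validates the chain priority any more, so a typo only surfaces when nft loads the rendered ruleset on the target. A cheap replacement that keeps the flexibility this commit wants is an integer check, e.g. (nft_chain.priority | string) is match('^-?[0-9]+$') and (or an integer-or-name check if named priorities are meant to be supported), together with a matching item in the failure message below.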
@@ -19,8 +18,7 @@
Make sure these rules are followed:
1. Chain type is defined and valid ({{ NFT_HC.choices.chain.types | join(', ') }}),
2. Chain hook is valid for the current table type ({{ NFT_HC.choices.hook[nft_table.type][nft_chain.type] | default([]) | join(', ') }}),
3. Chain priority is valid ({{ NFT_HC.choices.priorities | join(', ') }}),
4. Rules have no duplicate sequence configured"
3. Rules have no duplicate sequence configured"
when:
- nft_config_check_chain.failed is defined
- nft_config_check_chain.failed
3 changes: 2 additions & 1 deletion tasks/check_debian.yml
@@ -18,4 +18,5 @@
when: >
ansible_virtualization_role is undefined or
ansible_virtualization_role != 'guest' or
'docker' not in ansible_virtualization_tech_guest
('docker' not in ansible_virtualization_tech_guest and
'lxc' not in ansible_virtualization_tech_guest)
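Review bot: the condition still errors on hosts whose facts lack ansible_virtualization_tech_guest (the fact was added in ansible-core 2.13; older versions only provide ansible_virtualization_type), because the 'not in' tests are evaluated on an undefined variable as soon as ansible_virtualization_role equals 'guest'. Appending '| default([])' to both references keeps the check from failing the play on such controllers. The denylist is also incomplete: the facts report other container techs (e.g. 'podman'), so it is worth deciding whether the check should skip every container type or only those two.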
3 changes: 2 additions & 1 deletion tasks/check_debian_kernel_config.yml
@@ -11,7 +11,8 @@
when: >
ansible_virtualization_role is undefined or
ansible_virtualization_role != 'guest' or
'docker' not in ansible_virtualization_tech_guest
('docker' not in ansible_virtualization_tech_guest and
'lxc' not in ansible_virtualization_tech_guest)
- name: NFTables | Check | Checking kernel config
ansible.builtin.assert:
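Review bot: this is the same four-line condition as in tasks/check_debian.yml, now copied in two places; computing it once (for example with set_fact into a role-internal variable such as a hypothetical nft_in_container, evaluated before both checks) would keep the two from drifting apart the next time a container type is added, and the '| default([])' guard for ansible_virtualization_tech_guest would then only need to be applied once.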
2 changes: 1 addition & 1 deletion tasks/debian10.yml
@@ -8,7 +8,7 @@
filename: 'buster-backports'

- name: NFTables | Debian 10 | Installing
ansible.builtin.apt:
ansible.builtin.package:
name: ['nftables']
state: present
default_release: 'buster-backports'
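Review bot: default_release is an apt-specific parameter, so switching this task to ansible.builtin.package only works because the package action plugin forwards unrecognised arguments to the backend it selects (apt on Debian). Since the task is Debian 10 specific anyway and depends on the buster-backports release, keeping ansible.builtin.apt here states the requirement honestly; the generic module buys nothing and hides the fact that apt is required.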
2 changes: 1 addition & 1 deletion tasks/main.yml
@@ -117,7 +117,7 @@
tags: config

- name: NFTables | Installing bash-completion
ansible.builtin.apt:
ansible.builtin.package:
name: 'bash-completion'
state: present
when: NFT_CONFIG.enable.bash_completion

0 comments on commit 37893a7