diff --git a/README.md b/README.md index 032f0da..e3d4425 100644 --- a/README.md +++ b/README.md @@ -101,27 +101,27 @@ ansible-galaxy install ansibleguy.infra_nftables --roles-path ./roles These are the available fields and aliases: - | Function | Keys | Note | - |----------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------| - | Rule sequence | s, id, seq, sequence | The sequence-id (_integer_) to sort the rules inside a chain. If none is provided one will be auto-generated beginning at 1000. If a duplicate sequence id is provided the role will fail its config-check! | - | Input interface | if, iif, iifname | - | - | Output interface | of, oif, oifname | - | - | Protocol | proto, pr, protocol | - | - | Protocol sub-type | t, type | - | - | Protocol sub-code | co, code | - | - | Destination Address/Network | d, dest, target, destination, 'ip daddr' | - | - | Destination Port | dp, port, dport, dest_port | - | - | Source Address/Network | s, src, source, 'ip saddr' | - | - | Source Port | sp, sport, sport, src_port | - | - | Logging / Log message | l, log, 'log prefix' | If set to 'True' and a 'comment' is provided, it will be used as message. Else no message will be used | - | Traffic counter | count, counter | If set to 'True' a rule-specific counter will be used. Else it will use the provided pre-defined counter | - | Traffic Limit | lim, limit | A limit to set for the rule, see: [Anonymous Limits](https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings) and [Pre-defined Limits](https://wiki.nftables.org/wiki-nftables/index.php/Limits) | - | Rule action | a, action | If no action is provided, it will default to 'accept' | - | Source NAT masquerading | m, masque, masquerade | If NAT masquerading should be used | - | Source NAT | snat, src_nat, source_nat, outbound_nat, 'snat to' | - | - | Destination NAT | dnat, dest_nat, destination_nat, 'dnat to' | - | - | Redirect | redir, redirect, 'redirect to' | By using redirect, packets will be forwarded to local machine | | - | Rule comment | c, cmt, comment | - | + | Function | Keys | Note | + |----------------------------------------------------|--------------------------------------------------------------------------|------| + | Rule sequence | s, id, seq, sequence | The sequence-id (_integer_) to sort the rules inside a chain. If none is provided one will be auto-generated beginning at 1000. If a duplicate sequence id is provided the role will fail its config-check! | + | Input interface | if, iif, iifname | - | + | Output interface | of, oif, oifname | - | + | Protocol | proto, pr, protocol | - | + | Protocol sub-type | t, type | - | + | Protocol sub-code | co, code | - | + | Destination Address/Network | d, dest, target, destination, 'ip daddr', d6, dest6, target6, 'ip6 daddr' | - | + | Destination Port | dp, port, dport, dest_port | - | + | Source Address/Network | s, src, source, 'ip saddr', s6, src6, source6, 'ip6 saddr' | - | + | Source Port | sp, sport, sport, src_port | - | + | Logging / Log message | l, log, 'log prefix' | If set to 'True' and a 'comment' is provided, it will be used as message. Else no message will be used | + | Traffic counter | count, counter | If set to 'True' a rule-specific counter will be used. Else it will use the provided pre-defined counter | + | Traffic Limit | lim, limit | A limit to set for the rule, see: [Anonymous Limits](https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings) and [Pre-defined Limits](https://wiki.nftables.org/wiki-nftables/index.php/Limits) | + | Rule action | a, action | If no action is provided, it will default to 'accept' | + | Source NAT masquerading | m, masque, masquerade | If NAT masquerading should be used | + | Source NAT | snat, src_nat, source_nat, outbound_nat, 'snat to' | - | + | Destination NAT | dnat, dest_nat, destination_nat, 'dnat to' | - | + | Redirect | redir, redirect, 'redirect to' | By using redirect, packets will be forwarded to local machine | | + | Rule comment | c, cmt, comment | - | Only one of Action, Source-NAT, Masquerading or Destination-NAT can be set for one rule! diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml index f9c1891..0c5133b 100644 --- a/defaults/main/0_hardcoded.yml +++ b/defaults/main/0_hardcoded.yml @@ -38,9 +38,6 @@ NFT_HC: nat: [] route: [] - # todo: unclear to me if those are the only valid priorities or one can use any (?) - priorities: ['-400', '-300', '-225', '-200', '-150', '-100', '0', '50', '100', '225', '300'] - set: types: [ 'ipv4_addr', 'ipv6_addr', 'ether_addr', 'inet_proto', 'inet_service', @@ -57,8 +54,8 @@ NFT_HC: translate: # sequence of fields needed in nft config sequence: [ - 'iifname', 'oifname', 'proto', 'type', 'code', 'dport', 'ip daddr', 'sport', - 'ip saddr', 'log prefix', 'counter', 'limit', + 'iifname', 'oifname', 'proto', 'type', 'code', 'dport', 'ip daddr', 'ip6 daddr', 'sport', + 'ip saddr', 'ip6 saddr', 'log prefix', 'counter', 'limit', 'action', 'masquerade', 'snat to', 'dnat to', 'comment', ] @@ -68,7 +65,9 @@ NFT_HC: dport: ['port', 'dest_port', 'dp'] sport: ['sport', 'src_port', 'sp'] 'ip daddr': ['dest', 'destination', 'target', 'd'] + 'ip6 daddr': ['dest6', 'destination6', 'target', 'd6'] 'ip saddr': ['src', 'source', 's'] + 'ip6 saddr': ['src6', 'source6', 's6'] 'log prefix': ['log', 'l'] comment: ['cmt', 'c'] type: ['t'] diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 9b52ea9..6e411ba 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -84,6 +84,9 @@ - {proto: 'icmp', if: '$int_public', limit: 'icmp_limit', comment: 'limit icmp traffic from public int with pre-defined limit'} - {proto: 'udp', port: 51820, counter: true, comment: 'Count wireguard packets', action: none} - {proto: 'udp', port: 51821, counter: 'invalid_packages', comment: 'Count wrong wireguard packets with pre-defined counter', action: none} + - {proto: 'tcp', port: [80, 443], comment: 'v6 test1', dest6: '2001:db8::1'} + - {proto: 'udp', port: 1339, comment: 'v6 test2', src6: '2001:db8::1'} + - {proto: 'udp', port: 1339, comment: 'v6 test3', src6: '2001:db8::1', dest6: '2001:db8:1:1'} outgoing: hook: 'output' diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 7bb5389..1f6eb66 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -60,6 +60,10 @@ - 'iifname "$int_private" tcp dport 8888 dnat ip to 192.168.10.1:8888' - 'oifname \"$int_private\" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } masquerade' - 'oifname \"$int_private2\" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } snat ip to 192.168.0.1' + # ipv6 + - 'tcp dport { 80, 443 } ip6 daddr 2001:db8::1 accept comment \"v6 test1\"' + - 'udp dport 1339 ip6 saddr 2001:db8::1 accept comment \"v6 test2\"' + - 'udp dport 1339 ip6 daddr 2001:db8::1:1 ip6 saddr 2001:db8::1 accept comment \"v6 test3\"' ignore_errors: true register: rule_check diff --git a/tasks/chain.yml b/tasks/chain.yml index c554650..dab37db 100644 --- a/tasks/chain.yml +++ b/tasks/chain.yml @@ -5,7 +5,6 @@ that: > nft_chain.type in NFT_HC.choices.chain.types and nft_chain.hook in NFT_HC.choices.hook[nft_table.type][nft_chain.type] and - nft_chain.priority | string in NFT_HC.choices.priorities and nft_chain.rules | nftables_merge_rules(NFT_CONFIG, nft_table, nft_chain_name) | nftables_unique_sequence(NFT_HC.rules.sort) @@ -19,8 +18,7 @@ Make sure these rules are followed: 1. Chain type is defined and valid ({{ NFT_HC.choices.chain.types | join(', ') }}), 2. Chain hook is valid for the current table type ({{ NFT_HC.choices.hook[nft_table.type][nft_chain.type] | default([]) | join(', ') }}), - 3. Chain priority is valid ({{ NFT_HC.choices.priorities | join(', ') }}), - 4. Rules have no duplicate sequence configured" + 3. Rules have no duplicate sequence configured" when: - nft_config_check_chain.failed is defined - nft_config_check_chain.failed diff --git a/tasks/check_debian.yml b/tasks/check_debian.yml index be361d4..b9186c2 100644 --- a/tasks/check_debian.yml +++ b/tasks/check_debian.yml @@ -18,4 +18,5 @@ when: > ansible_virtualization_role is undefined or ansible_virtualization_role != 'guest' or - 'docker' not in ansible_virtualization_tech_guest + ('docker' not in ansible_virtualization_tech_guest and + 'lxc' not in ansible_virtualization_tech_guest) diff --git a/tasks/check_debian_kernel_config.yml b/tasks/check_debian_kernel_config.yml index 6c3c479..61c36de 100644 --- a/tasks/check_debian_kernel_config.yml +++ b/tasks/check_debian_kernel_config.yml @@ -11,7 +11,8 @@ when: > ansible_virtualization_role is undefined or ansible_virtualization_role != 'guest' or - 'docker' not in ansible_virtualization_tech_guest + ('docker' not in ansible_virtualization_tech_guest and + 'lxc' not in ansible_virtualization_tech_guest) - name: NFTables | Check | Checking kernel config ansible.builtin.assert: diff --git a/tasks/debian10.yml b/tasks/debian10.yml index d6b603a..5dd6391 100644 --- a/tasks/debian10.yml +++ b/tasks/debian10.yml @@ -8,7 +8,7 @@ filename: 'buster-backports' - name: NFTables | Debian 10 | Installing - ansible.builtin.apt: + ansible.builtin.package: name: ['nftables'] state: present default_release: 'buster-backports' diff --git a/tasks/main.yml b/tasks/main.yml index d86b0c7..7cfb336 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -117,7 +117,7 @@ tags: config - name: NFTables | Installing bash-completion - ansible.builtin.apt: + ansible.builtin.package: name: 'bash-completion' state: present when: NFT_CONFIG.enable.bash_completion