
ab3f309c5095c9e985270ce0dbabf19ecd4e0b9e — BhEaN 2 years ago fedcad3 + 701e75c
Merge branch 'update-ansible-version' into 'master'

Update ansible version

See merge request ansible-roles/nftables!19
M .ansible-lint => .ansible-lint +2 -0
@@ 1,5 1,7 @@
---
# https://ansible-lint.readthedocs.io/en/latest/configuring.html

verbosity: 0
parseable: false
quiet: false
loop_var_prefix: "nftables_"

M .editorconfig => .editorconfig +5 -5
@@ 11,7 11,7 @@ insert_final_newline = true
trim_trailing_whitespace = true
indent_style = space
indent_size = 4
max_line_length = 120
max_line_length = 160

[*.{yml,yaml,yml.j2,yaml.j2}]
indent_size = 2


@@ 22,14 22,14 @@ indent_size = 2
[*.{tf,tfvars}]
indent_size = 2

[*.{md,md.j2}]
max_line_length = 140
[*.{md,markdown}]
max_line_length = 180
trim_trailing_whitespace = false

[*.go]
[Makefile]
indent_style = tab

[Makefile]
[*.go]
indent_style = tab

[COMMIT_EDITMSG]

M .yamllint => .yamllint +1 -1
@@ 18,7 18,7 @@ rules:
    level: error

  line-length:
    max: 130
    max: 160

  document-start:
    present: true

M Makefile => Makefile +1 -2
@@ 83,5 83,4 @@ ansible/tests: check-virtualenv

help: ## Prints this help.
	@$(call print_title, "Useful targets:")
	@awk 'BEGIN {FS = ":.*?## "} /^[/a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2); \
		printf  "%-15s  %s\n", $$1, $$2}' $(MAKEFILE_LIST)
	@awk 'BEGIN {FS = ":.*?##"} /^[a-zA-Z_-]+:.*?##/ { printf "  %-10s %s\n", $$1, $$2 } /^##@/ { printf "%-15s  %s\n", $$1, $$2}' $(MAKEFILE_LIST)
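Review bot: The new help awk on L69 drops `/` from the target character class, `/^[a-zA-Z_-]+:.*?##/`, which the removed version on L67 matched as `[/a-zA-Z_-]+`, so a slash-named target — the hunk header shows `ansible/tests:` exists — disappears from `make help` if it carries a `##` description. The `/^##@/` branch also prints `$$1` and `$$2`, but with `FS = ":.*?##"` a `##@ Section` header that has no colon is a single field, so the marker is echoed verbatim with padding and `$$2` is empty; the usual form is `/^##@/ { printf "\n%s\n", substr($$0, 5) }`. Restoring the class as `/^[/a-zA-Z_-]+:.*?##/` keeps slash-named targets listed. Whether `ansible/tests` has a `##` comment and whether any `##@` lines exist is not visible in the hunk, so both are hedged.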

M README.md => README.md +9 -18
@@ 2,14 2,12 @@
[![Semantic Versioning](https://img.shields.io/badge/Semantic%20Versioning-2.0.0-green)](https://semver.org/spec/v2.0.0.html)
[![Pipelines](https://code.vandalsweb.com/ansible-roles/prometheus/badges/master/pipeline.svg)](https://code.vandalsweb.com/ansible-roles/prometheus/pipelines)

Ansible role - Nftables
===
# Ansible role - Nftables
This [Ansible](https://www.ansible.com/) role install and configure a
[Linux Netfilter Nftables](https://netfilter.org/projects/nftables/index.html) server and its rules.


Project management
---
## Project management
To provide an easy way to manage the project, there are some _make targets_ to run the most common tasks:

- To download dependencies, requirements, etc: `make deps`.


@@ 18,8 16,7 @@ To provide an easy way to manage the project, there are some _make targets_ to r
- To clean the temporary files, built artifacts and _clean_ the project directory: `make clean`.


Requirements
---
## Requirements
You only need [Python](https://www.python.org/) (v3, of course!). The rest of the packages or dependencies required to run the project
are downloaded with the `make deps` command, but as in the resto of projects based on Python, it's a good recommendation to use a
[Virtualenv](https://virtualenv.pypa.io/en/latest/) before download dependencies, just like this:


@@ 31,8 28,7 @@ $ source .venv/bin/activate
``` 


Role Variables
---
## Role Variables
Almost every options have a _default_ value (you can check these values in `defaults/main.yml` file), but you can override as much as
you want (from _command-line_ param, in your own `vars.yml` file, etc).



@@ 45,8 41,7 @@ you want (from _command-line_ param, in your own `vars.yml` file, etc).
    - `nftables_ruleset`: Definition of the firewall ruleset (see below).


Ruleset definition
---
## Ruleset definition
To define the firewall rules you have to use the `nftables_ruleset` parameter. This parameter could contain a list of tables. Each of these
tables could contain a list of chains. Each of these chains could contain a list of rules.



@@ 105,8 100,7 @@ The parameters of a list of rules are:
      the goto statement


Example Playbook
---
## Example Playbook
A basic _playbook_ example to allow established connections from everywhere, ping requests from everywhere, _http_ and _https_ connections
from everywhere, _SSH_ connections from everywhere except `172.26.0.2` and enabling the NAT in `eth1` interface could be:



@@ 162,8 156,7 @@ from everywhere, _SSH_ connections from everywhere except `172.26.0.2` and enabl
```


References
---
## References
Tools, external libraries, useful references and other third-part software used in the project:

- [Semantic Versioning (semver)](https://semver.org): A simple set of rules and requirements that dictate how version numbers are assigned


@@ 180,11 173,9 @@ Tools, external libraries, useful references and other third-part software used 
  classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool.


License
---
## License
This project is licensed under MIT License. See [LICENSE](LICENSE) for more details.


Author
---
## Author
This project is just another amazing idea of _BhEaN_, created on 2020.

M defaults/main.yml => defaults/main.yml +1 -1
@@ 18,4 18,4 @@ nftables_config_path: /etc/nftables.conf
nftables_ruleset: []

# Misc
TEST_ENV: "{{ 'molecule-' in ansible_hostname }}"
test_env: "{{ 'molecule-' in ansible_hostname }}"

M meta/main.yml => meta/main.yml +3 -1
@@ 1,5 1,7 @@
---
galaxy_info:
  role_name: nftables
  namespace: "bhean"
  author: "BhEaN"
  description: "Install and configure a Netfilter Nftables server and its rules"
  company: "vandalsWeb.com"


@@ 15,7 17,7 @@ galaxy_info:
  # - CC-BY
  license: "MIT"

  min_ansible_version: 2.9
  min_ansible_version: 4.1

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:
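Review bot: `min_ansible_version: 4.1` on L190 appears to track the community `ansible` package version pinned in requirements.txt, whereas this Galaxy field has conventionally carried the engine (ansible-core) version, which for the 4.x package is 2.11; tooling that compares it against `ansible --version` output may therefore misread the requirement. If ansible-core is the intended reference, `min_ansible_version: "2.11"` would match `ansible~=4.1`, quoted so YAML does not parse it as a float. This is inferred from the two version strings visible in the commit, not from any consumer of the field shown here.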

M requirements-tests.txt => requirements-tests.txt +5 -5
@@ 1,5 1,5 @@
molecule~=3.2
molecule-docker~=0.3
docker~=4.4
yamllint~=1.25
ansible-lint~=4.3
molecule~=3.3
molecule-docker~=0.2
docker~=5.0
yamllint~=1.26
ansible-lint~=5.0

M requirements.txt => requirements.txt +1 -1
@@ 1,1 1,1 @@
ansible~=2.10
ansible~=4.1

M tasks/01-validate.yml => tasks/01-validate.yml +9 -9
@@ 19,18 19,18 @@
  delegate_to: localhost
  assert:
    that:
      - "table.family == 'ip' or
        table.family == 'arp' or
        table.family == 'ip6' or
        table.family == 'bridge' or
        table.family == 'inet' or
        table.family == 'netdev'"
    msg: "The table family must be 'ip', 'ip6', 'inet', 'arp', 'bridge' or 'netdev' (not '{{ table.family }}')"
      - "nftables_ruleset.family == 'ip' or
        nftables_ruleset.family == 'arp' or
        nftables_ruleset.family == 'ip6' or
        nftables_ruleset.family == 'bridge' or
        nftables_ruleset.family == 'inet' or
        nftables_ruleset.family == 'netdev'"
    msg: "The table family must be 'ip', 'ip6', 'inet', 'arp', 'bridge' or 'netdev' (not '{{ nftables_ruleset.family }}')"
    quiet: yes
  loop: "{{ nftables_ruleset }}"
  loop_control:
    label: "{{ table.family }}"
    loop_var: table
    label: "{{ nftables_ruleset.family }}"
    loop_var: nftables_ruleset
  when:
    - nftables_ruleset is defined
    - nftables_ruleset | length > 0
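Review bot: `loop_var: nftables_ruleset` on L238 gives the loop variable the same name as the list being iterated in `loop: "{{ nftables_ruleset }}"` on L233, assuming the `nftables_ruleset.family` lines are the new side (consistent with the `loop_var_prefix: "nftables_"` added in .ansible-lint). Ansible reports such a collision with its "loop variable is already in use" warning, and because `when:` is evaluated per item, `nftables_ruleset | length > 0` on L241 now counts keys of the current table dict rather than entries of the ruleset, so the guard no longer expresses what it did with `table`. A prefixed but distinct name satisfies the lint rule without shadowing: `loop_var: nftables_table`, `label: "{{ nftables_table.family }}"`, and the assertions and message rewritten against `nftables_table.family`. The enclosing task's `name:` line lies above the hunk.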