Remove nftables config from wireguard_endpoint
This commit is contained in:
parent
bdcd5095ed
commit
1d4e03d521
2 changed files with 0 additions and 104 deletions
@ -4,7 +4,6 @@
pkg:
- ifupdown2
- wireguard
- nftables
state: latest
update_cache: yes
@ -42,21 +41,4 @@
diff: no
notify:
- Reload network interfaces
- name: Enable nftables
systemd:
name: nftables.service
state: started
enabled: yes
#- name: Configure nftables
# template:
# src: nftables.conf.j2
# dest: /etc/nftables.conf
# validate: /sbin/nft -c -f %s
# owner: root
# group: root
# mode: u=rw,g=r,o=
# notify:
# - Reload nftables
...
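Review bot: With `nftables` dropped from the package list and the `Enable nftables` task removed, the new side of this file installs no packet filter at all, so a freshly provisioned WireGuard endpoint runs with whatever input/forward policy the distribution ships, whereas the template deleted in the same commit enforced `policy drop` on both hooks. Nothing here stops or disables `nftables.service` on hosts that earlier runs of this role already enabled, so old and new hosts will silently diverge: the former keep the last rendered `/etc/nftables.conf`, the latter have nothing. If firewalling has moved to another role, say so next to the apt task, e.g. `# Packet filtering is deliberately not managed here; see the firewall role`; otherwise add an explicit teardown task after the interface-reload notify so the transition is reproducible. The apt task that owns this `pkg:` list starts above the hunk, and the `Reload nftables` handler the removed comment block referenced is not touched by this commit (the diffstat accounts for only these two files), so it may now be an orphan in the role's handlers. While here, the context line `update_cache: yes` is a YAML 1.1 truthy; `update_cache: true` is the portable spelling.

```yaml
# … unchanged: apt task (starts above the hunk) and ifupdown2 tasks …

- name: Stop nftables left enabled by earlier runs of this role
  systemd:
    name: nftables.service
    state: stopped
    enabled: false
  ignore_errors: true  # unit is absent on hosts that never had the package
```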
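--- a/nftables.conf.j2
+++ /dev/null
@@ -1,86 +0,0 @@
-#!/usr/sbin/nft -f
-# {{ ansible_managed }}
-
-flush ruleset
-
-#table ip nat {
-#
-# chain prerouting {
-# type nat hook prerouting priority -100
-# policy accept
-# }
-#
-# chain postrouting {
-# type nat hook prerouting priority 100
-# policy accept
-#
-# #{% for endpoint in wireguard_endpoints %}
-# #oifname "{{ endpoint.name }}" masquerade
-# #{% endfor %}
-# }
-#
-#}
-
-table inet filter {
-
-set blacklist_v4 {
-type ipv4_addr
-}
-
-set blacklist_v6 {
-type ipv6_addr
-}
-
-chain blacklist {
-ip saddr @blacklist_v4 drop
-ip6 saddr @blacklist_v6 drop
-}
-
-chain conntrack {
-ct state invalid drop
-ct state related, established accept
-}
-
-chain input {
-type filter hook input priority 0
-policy drop
-
-iif lo accept
-
-jump blacklist
-jump conntrack
-
-# TODO: ansible + separate nftables module
-ip protocol icmp accept
-
-{% for rule in nftables_basic_input_rules %}
-{{ rule.proto }} \
-{% if "saddr" in rule %} saddr {{ rule.saddr }} \ {% endif %}
-{% if "sport" in rule %} sport {{ rule.sport }} \ {% endif %}
-{% if "daddr" in rule %} daddr {{ rule.daddr }} \ {% endif %}
-{% if "dport" in rule %} dport {{ rule.dport }} \ {% endif %}
-{{ rule.verdict }}
-{% endfor %}
-}
-
-chain forward {
-type filter hook forward priority 0
-policy drop
-
-iif lo accept
-
-jump blacklist
-jump conntrack
-
-{% for endpoint in wireguard_endpoints %}
-iifname "{{ endpoint.name }}" accept
-{% endfor %}
-}
-
-chain output {
-type filter hook output priority 0
-policy accept
-}
-
-}
-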