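#!/usr/bin/env ansible-playbook
---
# nftables rulesets for the routers, applied through the `nftables` role.
# Each play provides `nftables__vars` (exposed to the rules as `$name`
# references) and `nftables__tables` (tables, sets and chains to render).

# ISP routers: carry the clients ranges declared below.
- hosts:
    - isp-1.rtr.infra.auro.re
    - isp-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      clients_ipv6: 2a09:6841::/48
      clients_ipv4: 100.64.0.0/10
    nftables__tables:
      # Drops every packet whose source is in one of the blacklist sets.
      # Priority "raw - 10" runs this chain ahead of reverse_path_filter (at
      # "raw"), so blacklisted sources are counted and dropped first.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Strict reverse-path check: drop unicast packets whose source address
      # has no route back through the ingress interface.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      # Stateful filtering. input/forward default to drop; only the
      # accept rules below (and conntrack) let traffic through.
      filter:
        type: inet
        sets:
          # Clients allowed to forward traffic through the router.
          allowed_clients_ipv6:
            type: ipv6_addr
            flags:
              - interval
          allowed_clients_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          # Shared by input/forward/output: accept replies to known
          # connections, drop packets conntrack cannot classify.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Backbone peers: routing protocols, ICMP and BGP (tcp/179).
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # Management and admin ranges: ICMP and SSH only.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Everything else: ICMP only; the rest hits the input policy (drop).
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # Link-local sources on ens19 are treated as backbone so the
              # OSPF/VRRP rules in input_backbone apply to them.
              # FIXME: don't use ifaces
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              # Dispatch on source range; sources matching no map entry fall
              # through to the "goto input_other" rule below.
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - "goto input_other"
          # Traffic sourced from the clients ranges: client-to-client
          # forwarding is dropped, then only registered clients (the
          # allowed_clients sets) are accepted; anything else falls back
          # to the forward policy (drop).
          forward_clients:
            rules:
              - "ip6 daddr $clients_ipv6 drop"
              - "ip daddr $clients_ipv4 drop"
              - "ip6 saddr @allowed_clients_ipv6 accept"
              - "ip saddr @allowed_clients_ipv4 accept"
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "ip6 saddr $clients_ipv6 goto forward_clients"
              - "ip saddr $clients_ipv4 goto forward_clients"
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
  roles:
    - nftables

# Infra routers: same blacklist / RPF / input layout as the ISP routers,
# plus an internal range and IPv4 source NAT.
- hosts:
    - infra-1.rtr.infra.auro.re
    - infra-2.rtr.infra.auro.re
  vars:
    nftables__vars:
      adm_ipv6: 2a09:6840:128::/56
      adm_ipv4: 10.128.0.0/16
      backbone_ipv6: 2a09:6840:203::/56
      backbone_ipv4: 10.203.0.0/16
      mgmt_ipv6: 2a09:6840:211::/56
      mgmt_ipv4: 10.211.0.0/16
      int_ipv6: 2a09:6840:206::/56
      int_ipv4: 10.206.0.0/16
      # Destinations that must not be source-NATed (see the nat table).
      # NOTE(review): a list value — presumably rendered as an nft set by
      # the role; confirm against the role's template.
      local_ipv4:
        - 100.64.0.0/10
        - 10.0.0.0/8
        - 45.66.108.0/22
    nftables__tables:
      # Drops every packet whose source is in one of the blacklist sets.
      # Priority "raw - 10" runs this chain ahead of reverse_path_filter (at
      # "raw"), so blacklisted sources are counted and dropped first.
      blacklist:
        type: inet
        sets:
          blacklist_ipv6:
            type: ipv6_addr
            flags:
              - interval
          blacklist_ipv4:
            type: ipv4_addr
            flags:
              - interval
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: "raw - 10"
            policy: accept
            rules:
              - "ip6 saddr @blacklist_ipv6 counter drop"
              - "ip saddr @blacklist_ipv4 counter drop"
      # Strict reverse-path check: drop unicast packets whose source address
      # has no route back through the ingress interface.
      reverse_path_filter:
        type: inet
        chains:
          filter:
            type: filter
            hook: prerouting
            priority: raw
            policy: accept
            rules:
              - "fib saddr . iif oif missing pkttype unicast drop"
      filter:
        type: inet
        chains:
          # Shared by input/forward/output: accept replies to known
          # connections, drop packets conntrack cannot classify.
          conntrack:
            rules:
              - "ct state { established, related } accept"
              - "ct state invalid counter drop"
          # Backbone peers: routing protocols, ICMP and BGP (tcp/179).
          input_backbone:
            rules:
              - "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
              - "ip protocol { ospf, vrrp, icmp } accept"
              - "tcp dport 179 accept"
          # Management and admin ranges: ICMP and SSH only.
          input_mgmt:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
              - "tcp dport 22 accept"
          # Everything else: ICMP only; the rest hits the input policy (drop).
          input_other:
            rules:
              - "ip6 nexthdr icmpv6 accept"
              - "ip protocol icmp accept"
          input:
            type: filter
            hook: input
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              - "iif lo accept"
              # Link-local sources on ens19 are treated as backbone so the
              # OSPF/VRRP rules in input_backbone apply to them.
              # FIXME: don't use ifaces
              - "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
              # Dispatch on source range; sources matching no map entry fall
              # through to the "goto input_other" rule below.
              - >-
                ip6 saddr vmap {
                $backbone_ipv6: goto input_backbone,
                $mgmt_ipv6: goto input_mgmt,
                $adm_ipv6: goto input_mgmt
                }
              - >-
                ip saddr vmap {
                $backbone_ipv4: goto input_backbone,
                $mgmt_ipv4: goto input_mgmt,
                $adm_ipv4: goto input_mgmt
                }
              - "goto input_other"
          forward:
            type: filter
            hook: forward
            priority: filter
            policy: drop
            rules:
              - "jump conntrack"
              # Forwarding from the internal ranges is accepted without any
              # destination or port restriction; everything else is dropped
              # by the chain policy.
              - "ip6 saddr $int_ipv6 accept"  # FIXME
              - "ip saddr $int_ipv4 accept"  # FIXME
          output:
            type: filter
            hook: output
            priority: filter
            policy: accept
            rules:
              - "jump conntrack"
      # IPv4 source NAT: rewrite the source of everything not destined to
      # the local_ipv4 ranges to 10.128.10.4.
      nat:
        type: ip
        chains:
          postrouting:
            type: nat
            hook: postrouting
            priority: srcnat
            policy: accept
            rules:
              - "ip daddr != $local_ipv4 snat to 10.128.10.4"
  roles:
    - nftables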