Role - tripleo_nftables
Role Documentation
Welcome to the “tripleo_nftables” role documentation.
Role Defaults
This section highlights all of the defaults and variables set within the “tripleo_nftables” role.
# All variables intended for modification should be placed in this file.
# All variables within this role should have a prefix of "tripleo_nftables_"

# Example rule definition
tripleo_nftables_rules:
  - rule:
      proto: all
      state:
        - RELATED
        - ESTABLISHED
    rule_name: 000 accept related established rules
  - rule:
      ipversion: ipv4
      proto: icmp
    rule_name: 001 accept all icmp
  - rule:
      ipversion: ipv6
      proto: ipv6-icmp
      state: []
    rule_name: 001 accept all ipv6-icmp
  - rule:
      interface: lo
      proto: all
      state: []
    rule_name: 002 accept all to lo interface
  - rule:
      destination: fe80::/64
      dport: 546
      ipversion: ipv6
      proto: udp
      state:
        - NEW
    rule_name: 004 accept ipv6 dhcpv6
  - rule:
      jump: LOG
      limit: 20/min
      limit_burst: 15
      proto: all
      level: warn
      flags: all
      prefix: 'DROPPING: '
      state: []
    rule_name: 999 log all
Molecule Scenarios
Molecule is being used to test the “tripleo_nftables” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.
Scenario: action
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example action playbook
- name: Converge
  hosts: all
  vars:
    tripleo_nftables_rules:
      - rule_name: 000 related established
        rule:
          proto: all
          state:
            - established
            - related
      - rule_name: 001 local
        rule:
          proto: all
          interface: lo
          state: []
      - rule_name: 010 testing action
        rule:
          proto: tcp
          dport: 1211
          action: drop
  roles:
    - role: tripleo_nftables
  tasks:
    # lineinfile only reports "changed" if the expected rendered rule was
    # absent from the generated file, so a change here means the role
    # rendered the drop rule differently than documented.
    - name: Ensure we drop connections on TCP/1211
      become: true
      lineinfile:
        path: /etc/nftables/tripleo-rules.nft
        line: add rule inet filter TRIPLEO_INPUT tcp dport { 1211 } ct state new counter drop comment "010 testing action"
      register: line_in_file
    - name: Clean everything nftables related
      import_role:
        name: tripleo_nftables
        tasks_from: cleanup.yml
    - name: Fail if file was changed
      when: line_in_file is changed
      fail:
        msg: tripleo-rules.nft has been changed, meaning rule generation is wrong.
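The role defaults above describe the rule schema (proto, state, interface, source/destination, dport, action, and the LOG/limit keys), and the lineinfile check in the action scenario pins down the one rendered form the page shows: `add rule inet filter TRIPLEO_INPUT tcp dport { 1211 } ct state new counter drop comment "010 testing action"`. The following Python renderer is an added example, not the role's own Jinja template or task code. The table and chain names, the `{ port }` set syntax, `counter`, the trailing `comment`, and the fact that a rule without `state` renders `ct state new` are taken from that line; everything else (the `ip`/`ip6` family prefix, `iifname` for `interface`, `meta l4proto` for icmp, the `20/min` to `limit rate 20/minute burst 15 packets` mapping, lowercasing of states, accept as the default action, and ordering by `rule_name`) is an assumption about the role's behaviour and is labelled as such in the code.

```python
"""Render tripleo_nftables_rules entries into nftables 'add rule' statements.

Added example, not the tripleo_nftables role's own template. Only the shape
of the '010 testing action' line is confirmed by the documentation; the
other mappings are assumptions and are commented as such.
"""
import re

TABLE = "inet filter"        # from the rendered line on the page
CHAIN = "TRIPLEO_INPUT"      # from the rendered line on the page

FAMILY = {"ipv4": "ip", "ipv6": "ip6"}                          # assumption
RATE_UNIT = {"sec": "second", "min": "minute", "hour": "hour", "day": "day"}


def _family(rule):
    """Address-family keyword for saddr/daddr matches (assumption)."""
    if rule.get("ipversion") in FAMILY:
        return FAMILY[rule["ipversion"]]
    addr = rule.get("source") or rule.get("destination") or ""
    return "ip6" if ":" in addr else "ip"


def _limit(rule):
    """iptables-style '20/min' plus limit_burst -> nft limit statement (assumption)."""
    m = re.fullmatch(r"(\d+)/(sec|min|hour|day)", str(rule["limit"]))
    if not m:
        raise ValueError(f"unsupported limit {rule['limit']!r}")
    stmt = f"limit rate {m.group(1)}/{RATE_UNIT[m.group(2)]}"
    if "limit_burst" in rule:
        stmt += f" burst {rule['limit_burst']} packets"
    return stmt


def render_rule(entry):
    """Return one 'add rule' statement for a tripleo_nftables_rules entry."""
    rule = entry["rule"]
    parts = [f"add rule {TABLE} {CHAIN}"]

    if "interface" in rule:                       # assumption: iifname match
        iface = rule["interface"]
        parts.append(f'iifname "{iface}"')

    fam = _family(rule)
    if "source" in rule:
        parts.append(f"{fam} saddr {rule['source']}")
    if "destination" in rule:
        parts.append(f"{fam} daddr {rule['destination']}")

    proto = rule.get("proto", "all")
    if proto in ("tcp", "udp"):
        if "dport" in rule:                       # set syntax, as on the page
            parts.append(f"{proto} dport {{ {rule['dport']} }}")
        else:
            parts.append(f"meta l4proto {proto}")
    elif proto in ("icmp", "ipv6-icmp"):          # assumption
        parts.append(f"meta l4proto {proto}")
    elif proto != "all":
        raise ValueError(f"unsupported proto {proto!r}")

    # No 'state' key renders 'ct state new' (page); an explicit empty list
    # means no conntrack match. Lowercasing the states is an assumption.
    states = rule.get("state", ["NEW"])
    if states:
        parts.append("ct state " + ",".join(s.lower() for s in states))

    if "limit" in rule:
        parts.append(_limit(rule))
    parts.append("counter")

    if rule.get("jump") == "LOG":                 # assumption: LOG -> log stmt
        log = "log"
        if "prefix" in rule:
            prefix = rule["prefix"]
            log += f' prefix "{prefix}"'
        if "level" in rule:
            log += f" level {rule['level']}"
        if rule.get("flags"):
            log += f" flags {rule['flags']}"
        parts.append(log)
    else:                                         # assumption: default accept
        parts.append(rule.get("action", "accept"))

    name = entry["rule_name"]
    parts.append(f'comment "{name}"')
    return " ".join(parts)


def render_ruleset(rules):
    """Render all entries ordered by rule_name (the numeric prefixes suggest this; assumption)."""
    return [render_rule(e) for e in sorted(rules, key=lambda e: e["rule_name"])]


# Constructed input: the rules from the 'action' Molecule scenario above.
ACTION_SCENARIO_RULES = [
    {"rule_name": "000 related established",
     "rule": {"proto": "all", "state": ["established", "related"]}},
    {"rule_name": "001 local",
     "rule": {"proto": "all", "interface": "lo", "state": []}},
    {"rule_name": "010 testing action",
     "rule": {"proto": "tcp", "dport": 1211, "action": "drop"}},
]

if __name__ == "__main__":
    for line in render_ruleset(ACTION_SCENARIO_RULES):
        print(line)
```

Running the module prints the three statements for the action scenario; the third is byte-for-byte the line the Molecule test greps for, which is the property the scenario's `Fail if file was changed` task enforces. Feeding the rendered lines to `nft -c -f` is the natural syntax check before trusting any of the assumed mappings on a real host.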
Scenario: destination
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example destination playbook
- name: Converge
  hosts: all
  vars:
    tripleo_nftables_rules:
      - rule_name: 000 related established
        rule:
          proto: all
          state:
            - established
            - related
      - rule_name: 001 local
        rule:
          proto: all
          interface: lo
          state: []
      - rule_name: 010 testing destination
        rule:
          proto: tcp
          destination: fd00:fd00:fd00:2000::/64
          dport: 1211
  roles:
    - role: tripleo_nftables
  tasks:
    - name: Cleanup nftables
      import_role:
        name: tripleo_nftables
        tasks_from: cleanup.yml
Scenario: source
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example source playbook
- name: Converge
  hosts: all
  vars:
    tripleo_nftables_rules:
      - rule_name: 000 related established
        rule:
          proto: all
          state:
            - established
            - related
      - rule_name: 001 local
        rule:
          proto: all
          interface: lo
          state: []
      - rule_name: 010 testing source
        rule:
          proto: tcp
          source: fd00:fd00:fd00:2000::/64
          dport: 1211
  roles:
    - role: tripleo_nftables
  tasks:
    - name: Cleanup nftables
      import_role:
        name: tripleo_nftables
        tasks_from: cleanup.yml
Scenario: default
Molecule Inventory
hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost
Example default playbook
- name: Converge
  hosts: all
  roles:
    - role: tripleo_nftables
  tasks:
    - name: Cleanup nftables
      import_role:
        name: tripleo_nftables
        tasks_from: cleanup.yml