From 60d991ff487ca3e5035ab58dda5677e74f930cf4 Mon Sep 17 00:00:00 2001
From: Michael Wilson
Date: Fri, 25 Nov 2022 11:14:47 +0100
Subject: [PATCH] only block traffic on external interfaces

---
 linux/nftables/defaults/main.yml | 4 ++--
 linux/nftables/templates/nftables.conf | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/linux/nftables/defaults/main.yml b/linux/nftables/defaults/main.yml
index edf69a0..3b22c59 100644
--- a/linux/nftables/defaults/main.yml
+++ b/linux/nftables/defaults/main.yml
@@ -1,5 +1,5 @@
-nftables_whitelisted_interfaces:
- - lo
+nftables_external_interfaces:
+ - ens3
 nftables_tcp_in:
 - 22
 - 80
diff --git a/linux/nftables/templates/nftables.conf b/linux/nftables/templates/nftables.conf
index 2c3068f..57b01c9 100644
--- a/linux/nftables/templates/nftables.conf
+++ b/linux/nftables/templates/nftables.conf
@@ -31,9 +31,13 @@ table inet firewall {
 # Allow traffic from established and related packets, drop invalid
 ct state vmap { established : accept, related : accept, invalid : drop }
 
-{% for interface in nftables_whitelisted_interfaces %}
+{% if nftables_external_interfaces is defined %}
+{% for interface in ansible_interfaces %}
+{% if interface not in nftables_blacklisted_interfaces %}
 iifname {{ interface }} accept
+{% endif %}
 {% endfor %}
+{% endif %}
 
 # Jump to chain according to layer 3 protocol using a verdict map
 meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
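Review bot: Defaulting `nftables_external_interfaces` to `ens3` turns a host-specific fact into a role-wide assumption, and because it now always has a value the template's `is defined` guard on it can never be false. On a host whose uplink is not named ens3, the loop in nftables.conf (same patch) would treat that uplink as internal and accept all traffic on it, so a naming mismatch fails open rather than closed. Prefer an empty default, `nftables_external_interfaces: []`, with a comment that it must be set per host, or keep the old explicit allow-list default of `lo` so the safe behaviour is the one that needs no configuration.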
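Review bot: The inner guard tests `nftables_blacklisted_interfaces`, a variable nothing in this commit defines; the defaults hunk defines `nftables_external_interfaces`, which is also the name the outer `is defined` check uses. With strict undefined-variable handling the template will fail to render, and if someone later supplies an empty blacklist the loop accepts every interface in `ansible_interfaces`, including the external one. The intended line is presumably `{% if interface not in nftables_external_interfaces %}`; a short comment above the loop stating "accept everything on interfaces that are not in the external list" would also make the inverted allow/deny model visible to the next reader. The enclosing chain definition starts and ends outside the hunk.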