From ac1ae26d7e32aff4603e9cef0a7b3a56f2bca374 Mon Sep 17 00:00:00 2001 From: Michael Wilson Date: Fri, 25 Nov 2022 00:40:21 +0100 Subject: [PATCH] add nftables role --- linux/nftables/defaults/main.yml | 8 ++++ linux/nftables/handlers/main.yml | 3 ++ linux/nftables/tasks/main.yml | 22 ++++++++++ linux/nftables/templates/nftables.conf | 59 ++++++++++++++++++++++++++ linux/nftables/vars/main.yml | 1 + 5 files changed, 93 insertions(+) create mode 100644 linux/nftables/defaults/main.yml create mode 100644 linux/nftables/handlers/main.yml create mode 100644 linux/nftables/tasks/main.yml create mode 100644 linux/nftables/templates/nftables.conf create mode 100644 linux/nftables/vars/main.yml
diff --git a/linux/nftables/defaults/main.yml b/linux/nftables/defaults/main.yml
new file mode 100644
index 0000000..edf69a0
--- /dev/null
+++ b/linux/nftables/defaults/main.yml
@@ -0,0 +1,8 @@
+nftables_whitelisted_interfaces:
+ - lo
+nftables_tcp_in:
+ - 22
+ - 80
+ - 443
+#nftables_udp_in:
+# - 53
diff --git a/linux/nftables/handlers/main.yml b/linux/nftables/handlers/main.yml
new file mode 100644
index 0000000..9c70000
--- /dev/null
+++ b/linux/nftables/handlers/main.yml
@@ -0,0 +1,3 @@
+- name: reload_nftables
+ shell: "nft -f {{ nftables_ruleset_path }}"
+ become: yes
diff --git a/linux/nftables/tasks/main.yml b/linux/nftables/tasks/main.yml
new file mode 100644
index 0000000..0ec1a4b
--- /dev/null
+++ b/linux/nftables/tasks/main.yml
@@ -0,0 +1,22 @@
+- name: ensure nftables is installed
+ package:
+ name: nftables
+ state: installed
+ become: yes
+
+- name: deploy nftables ruleset
+ template:
+ src: nftables.conf
+ dest: "{{ nftables_ruleset_path }}"
+ owner: root
+ group: root
+ mode: "0600"
+ notify: reload_nftables
+ become: yes
+
+- name: ensure nftables is enabled and started
+ service:
+ name: nftables
+ enabled: true
+ state: started
+ become: yes
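Review bot: The `reload_nftables` handler in handlers/main.yml runs `nft -f` through `shell` although nothing in the command needs shell features, so the templated `nftables_ruleset_path` is subjected to shell word-splitting and expansion before nft sees it. `command: "nft -f {{ nftables_ruleset_path }}"` runs the same program with a plain argument vector and removes that interpretation step. A one-line `# applies the whole file as a single nft transaction; a parse error leaves the running ruleset untouched` comment on the handler would also document why a failed reload is not a half-applied firewall.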
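Review bot: The deploy task in tasks/main.yml writes the rendered ruleset to `nftables_ruleset_path` without checking that nft can parse it, so a template error is installed anyway, surfaces only when the handler's `nft -f` fails at the end of the play, and then also stops the nftables service from loading the file at the next boot. The template module can reject the new file before it replaces the old one with `validate: "nft -c -f %s"`, where `-c` makes nft check the file without committing it. On the install task, `state: installed` is a backend-specific alias; `state: present` is the value the package module documents and is portable across package managers.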
diff --git a/linux/nftables/templates/nftables.conf b/linux/nftables/templates/nftables.conf
new file mode 100644
index 0000000..2c3068f
--- /dev/null
+++ b/linux/nftables/templates/nftables.conf
@@ -0,0 +1,59 @@
+flush ruleset
+
+table inet firewall {
+
+ chain inbound_ipv4 {
+ # accepting ping (icmp-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ #
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain inbound_ipv6 {
+ # accept neighbour discovery otherwise connectivity breaks
+ #
+ icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # accepting ping (icmpv6-echo-request) for diagnostic purposes.
+ # However, it also lets probes discover this host is alive.
+ # This sample accepts them within a certain rate limit:
+ #
+ icmpv6 type echo-request limit rate 5/second accept
+ }
+
+ chain inbound {
+
+ # By default, drop all traffic unless it meets a filter
+ # criteria specified by the rules that follow below.
+ type filter hook input priority 0; policy drop;
+
+ # Allow traffic from established and related packets, drop invalid
+ ct state vmap { established : accept, related : accept, invalid : drop }
+
+ {% for interface in nftables_whitelisted_interfaces %}
+ iifname {{ interface }} accept
+ {% endfor %}
+
+ # Jump to chain according to layer 3 protocol using a verdict map
+ meta protocol vmap { ip : jump inbound_ipv4, ip6 : jump inbound_ipv6 }
+
+ {% if nftables_tcp_in is defined %}
+ tcp dport { {{ nftables_tcp_in |join(",") }} } accept
+ {% endif %}
+
+ {% if nftables_udp_in is defined %}
+ udp dport { {{ nftables_udp_in |join(",") }} } accept
+ {% endif %}
+
+ # Uncomment to enable logging of denied inbound traffic
+ # log prefix "[nftables] Inbound Denied: " counter drop
+ }
+
+ chain forward {
+ # Drop everything (assumes this device is not a router)
+ type filter hook forward priority 0; policy drop;
+ }
+
+ # no need to define output chain, default policy is accept if undefined.
+}
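Review bot: The `tcp dport { ... }` and `udp dport { ... }` rules in the inbound chain guard only on `is defined`, so overriding either list with `[]` (the natural way to close all TCP or UDP ports) renders an empty set `{  }`, which nft rejects, and the whole ruleset then fails to load. Guard on contents as well: `{% if nftables_tcp_in is defined and nftables_tcp_in | length > 0 %}`, and the same for `nftables_udp_in`. The interface match `iifname {{ interface }} accept` is unquoted; `iifname "{{ interface }}" accept` keeps the rule parsing if an interface name happens to coincide with an nft keyword, which I have not verified against the nft version in use. The commented-out `log prefix "[nftables] Inbound Denied: " counter drop` line is the only place denied traffic would be recorded, so exposing it through a role variable rather than a comment would let hosts turn detection on without editing the template.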
diff --git a/linux/nftables/vars/main.yml b/linux/nftables/vars/main.yml
new file mode 100644
index 0000000..c36be1d
--- /dev/null
+++ b/linux/nftables/vars/main.yml
@@ -0,0 +1 @@
+nftables_ruleset_path: /etc/nftables.conf