From 7641a5d5d152db349082b1d0ec93a40888b2ef8e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 23 Jan 2020 04:29:12 +0100
Subject: Convert firewall to nftables.

Debian Buster uses the nftables framework by default.
---
 roles/common/tasks/firewall.yml | 48 +++++++++++++++--------------------------
 1 file changed, 17 insertions(+), 31 deletions(-)

(limited to 'roles/common/tasks/firewall.yml')

diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 133b631..fd1ad92 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,41 +1,27 @@
-- name: Install some packages required for the firewall
-  apt: pkg={{ packages }}
-  vars:
-    packages:
-    - iptables
-    - netmask
-    - bsdutils
+- name: Install nftables
+  apt: pkg=nftables
 
-- name: Create directory /etc/iptables
-  file: path=/etc/iptables
-        state=directory
-        owner=root group=root
-        mode=0755
-
-- name: Generate /etc/iptables/services
-  template: src=etc/iptables/services.j2
-            dest=/etc/iptables/services
-            owner=root group=root
-            mode=0600
-
-- name: Copy /usr/local/sbin/update-firewall.sh
-  copy: src=usr/local/sbin/update-firewall.sh
-        dest=/usr/local/sbin/update-firewall.sh
+- name: Copy /usr/local/sbin/update-firewall
+  copy: src=usr/local/sbin/update-firewall
+        dest=/usr/local/sbin/update-firewall
         owner=root group=staff
         mode=0755
 
-- name: Make the rulesets persistent
-  copy: src=etc/network/{{ item }}
-        dest=/etc/network/{{ item }}
-        owner=root group=root
-        mode=0755
-  with_items:
-    - if-pre-up.d/iptables
-    - if-post-down.d/iptables
+- name: Copy /etc/nftables.conf
+  template: src=etc/nftables.conf.j2
+            dest=/etc/nftables.conf
+            owner=root group=root
+            mode=0644
 
 - name: Ensure the firewall is up to date
-  command: /usr/local/sbin/update-firewall.sh -c
+  command: /usr/local/sbin/update-firewall -c
   register: rv
   # A non-zero return value will make ansible stop and show stderr. This
   # is what we want.
   changed_when: rv.rc
+
+- name: Enable nftables.service
+  service: name=nftables enabled=yes
+
+- name: Start nftables.service
+  service: name=nftables state=started
-- 
cgit v1.2.3