infra/ansible-role-firewall
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add support for ipv6 nat

Browse source
This commit is contained in:
nd 2020-11-01 02:17:54 +01:00
parent 8a8192749b
commit 063d097404
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
2 changed files with 19 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
defaults/main.yml
View file

@ -8,6 +8,8 @@ firewall:
output: {} output: {}
nat_prerouting: {} nat_prerouting: {}
nat_postrouting: {} nat_postrouting: {}
nat6_prerouting: {}
nat6_postrouting: {}
chains: chains:
input: input:
allow_ssh: tcp dport ssh allow_ssh: tcp dport ssh
@ -15,6 +17,8 @@ firewall:
forward: {} forward: {}
nat_prerouting: {} nat_prerouting: {}
nat_postrouting: {} nat_postrouting: {}
nat6_prerouting: {}
nat6_postrouting: {}
policies: policies:
input: drop input: drop
output: accept output: accept

16
templates/nftables.conf.j2
View file

@ -60,7 +60,7 @@ table inet filter {
} }
} }
table nat { table ip nat {
# NAT # NAT
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; type nat hook prerouting priority -100;
@ -74,4 +74,18 @@ table nat {
} }
} }
table ip6 nat {
# NAT
chain prerouting {
type nat hook prerouting priority -100;
{{ nftchain('nat6_prerouting') }}
}
chain postrouting {
type nat hook postrouting priority 100;
{{ nftchain('nat6_postrouting') }}
}
}
include "/etc/nftables.d/*.nft" include "/etc/nftables.d/*.nft"