commit 88b851cfff64d9b014f7c791562ba3ce41337d7a Author: nd Date: Thu Apr 30 13:51:19 2020 +0200 initial commit
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..6fe4b5d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,17 @@
+firewall:
+ defaults:
+ all:
+ statement: accept
+ matches: ~
+ input: {}
+ forward: {}
+ output: {}
+ chains:
+ input:
+ allow_ssh: tcp dport ssh
+ output: {}
+ forward: {}
+ policies:
+ input: drop
+ output: accept
+ forward: drop
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..b0e498a
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: reload nftables
+ service:
+ name: nftables
+ enabled: True
+ state: reloaded
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..f0b6ff9
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,31 @@
+- name: remove legacy firewalls
+ apt:
+ pkg:
+ - ferm
+ - iptables
+ purge: True
+ state: absent
+
+- name: ensure nft is installed
+ package:
+ name: nftables
+ notify:
+ - reload nftables
+
+- name: setup firewall directories
+ file:
+ path: /etc/nftables.d
+ owner: root
+ group: root
+ mode: "0755"
+ state: directory
+
+- name: update firewall rules
+ template:
+ src: nftables.conf.j2
+ dest: /etc/nftables.conf
+ owner: root
+ group: root
+ mode: "0755"
+ notify:
+ - reload nftables
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
new file mode 100644
index 0000000..c72bdb7
--- /dev/null
+++ b/templates/nftables.conf.j2
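Review bot: The default `matches: ~` under `firewall.defaults.all` is YAML null, and a chain entry written in mapping form without its own `matches` key inherits it; the template added in this same commit prints `rule.matches` verbatim, so such an entry appears to render as `None accept comment "..."`, which nft rejects and the reload then fails for the whole ruleset. Changing the default to `matches: ""` renders a match-less entry as a bare `accept`/`drop` statement instead. Separately, `statement: accept` as the global default means every bare-string chain entry (like `allow_ssh: tcp dport ssh`) is an allow rule; that is a reasonable design but worth stating, e.g. a comment above `chains:` reading `# bare-string entries are match expressions that ACCEPT; use a mapping with statement: drop to deny`.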
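Review bot: `enabled: True` is the only place the nftables unit gets enabled, and it lives in a handler, so on a host that is already converged (package present, template unchanged) nothing notifies it and a unit someone disabled stays disabled across the next boot. Enabling belongs in tasks/main.yml as its own `service:` task with `enabled: true`, leaving this handler to `state: reloaded` alone, so the boot-time firewall is asserted on every run. As a point of style, write the boolean as lowercase `true` rather than `True` (yamllint `truthy`).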
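Review bot: The directory created by `setup firewall directories` is `/etc/nftables.d`, but the template added in this commit ends with `include "/etc/nftables/*.nft"`, so drop-in rule files placed in the managed directory are never loaded; one of the two paths has to change (e.g. `include "/etc/nftables.d/*.nft"` in the template). `update firewall rules` also overwrites /etc/nftables.conf without checking it, so a templating error is only discovered when the handler reloads; adding `validate: /usr/sbin/nft -c -f %s` to the template task rejects a broken ruleset before it replaces the working file. Note that `remove legacy firewalls` with `state: absent` and `purge: True` will also remove packages that depend on `iptables` (container runtimes on Debian commonly do), so this step deserves a comment warning about that, and the role is implicitly Debian-only because of the `apt` module while the install step uses the generic `package` module.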
@@ -0,0 +1,56 @@
+#jinja2:lstrip_blocks: True
+#!/usr/sbin/nft -f
+
+{%- macro nftrule(name, rule) -%}
+ {{rule.matches }} {{ rule.statement }} comment "{{ name }}"
+{% endmacro %}
+
+{%- macro nftchain(name) -%}
+ {% for i in firewall.chains[name] %}
+ {% if not firewall.chains[name][i] is mapping %}
+ {% set tmprule = { 'matches': firewall.chains[name][i] }%}
+ {% else %}
+ {% set tmprule = firewall.chains[name][i] %}
+ {% endif%}
+ {% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], tmprule, recursive=True) %}
+{{ nftrule(i, rule) }}
+ {% endfor %}
+{% endmacro%}
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ policy {{ firewall.policies.input }};
+
+ iif lo accept comment "Accept any localhost traffic"
+ ct state invalid drop comment "Drop invalid connections"
+ ct state established,related accept comment "Accept traffic originated from us"
+
+ ip6 nexthdr icmpv6 accept comment "Accept ICMPv6"
+ ip protocol icmp accept comment "Accept ICMP"
+ ip protocol igmp accept comment "Accept IGMP"
+
+ {{ nftchain('input') }}
+
+ counter comment "Count dropped"
+
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ policy {{ firewall.policies.forward }};
+
+ {{ nftchain('forward') }}
+
+ counter comment "Count dropped"
+ }
+ chain output {
+ type filter hook output priority 0;
+ policy {{ firewall.policies.output }};
+
+ {{ nftchain('output') }}
+ }
+}
+
+include "/etc/nftables/*.nft"
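Review bot: `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the header directly after the fixed IPv6 header, so ICMPv6 carried behind an extension header (MLD reports, which sit behind a Hop-by-Hop header, are the usual case) falls through to the `drop` policy; `meta l4proto ipv6-icmp accept comment "Accept ICMPv6"` matches on the transport protocol regardless of extension headers. Both ICMP rules also accept every message type unconditionally; if hardening is the goal, the usual form is to list the types the host needs (`icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, ... } accept`), though that is a policy choice rather than a defect in what is written. The rule comment is emitted as `comment "{{ name }}"` straight from the chain-entry key with no escaping, so a key containing a double quote breaks the ruleset parse; these keys come from role variables, so this is a robustness concern rather than an injection one, but a short note in the `nftrule` macro saying keys must not contain `"` would help.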