add support to enable routing

2020-08-07 23:10:46 +02:00 · 2020-08-07 23:10:46 +02:00 · 8a8192749b
commit 8a8192749b
parent a3f13ff8da
5 changed files with 51 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -19,4 +19,5 @@ firewall:
    input: drop
    output: accept
    forward: drop
+  routing: False
  vars: {}
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -3,3 +3,10 @@
    name: nftables
    enabled: True
    state: reloaded
+
+- name: restart netforwarding
+  service:
+    name: netforwarding
+    enabled: True
+    state: restarted
+    daemon_reload: True
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -30,3 +30,18 @@
    mode: "0755"
  notify:
  - reload nftables
+
+- name: copy netforwarding script
+  when: firewall.routing
+  template:
+    src: netforwarding.j2
+    dest: /usr/local/bin/netforwarding
+    mode: 0755
+
+- name: setup netforwarding service
+  when: firewall.routing
+  notify: restart netforwarding
+  template:
+    src: netforwarding.service.j2
+    dest: /etc/systemd/system/netforwarding.service
+    mode: 0644
--- a/templates/netforwarding.j2
+++ b/templates/netforwarding.j2
@ -0,0 +1,14 @@
+#!/bin/sh
+
+case ${1} in
+	start)
+		echo -n '1' > /proc/sys/net/ipv6/conf/all/forwarding
+		echo -n '1' > /proc/sys/net/ipv4/ip_forward
+	;;
+
+	stop)
+		echo -n '0' > /proc/sys/net/ipv4/ip_forward
+		echo -n '0' > /proc/sys/net/ipv6/conf/all/forwarding
+	;;
+
+esac
--- a/templates/netforwarding.service.j2
+++ b/templates/netforwarding.service.j2
@ -0,0 +1,14 @@
+[Unit]
+Description=Enables forwarding in the linux kernel after the firewall is fully loaded
+After=nftables.service
+Requires=nftables.service
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+
+ExecStart=/usr/local/bin/netforwarding start
+ExecStop=/usr/local/bin/netforwarding stop
+
+[Install]
+WantedBy=multi-user.target