From 8a8192749b66021f29b45567220198c674585e68 Mon Sep 17 00:00:00 2001
From: nd
Date: Fri, 7 Aug 2020 23:10:46 +0200
Subject: [PATCH] add support to enable routing
---
defaults/main.yml | 1 +
handlers/main.yml | 7 +++++++
tasks/main.yml | 15 +++++++++++++++
templates/netforwarding.j2 | 14 ++++++++++++++
templates/netforwarding.service.j2 | 14 ++++++++++++++
5 files changed, 51 insertions(+)
create mode 100755 templates/netforwarding.j2
create mode 100644 templates/netforwarding.service.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index bdb0d74..336c124 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -19,4 +19,5 @@ firewall:
 input: drop
 output: accept
 forward: drop
+ routing: False
 vars: {}
diff --git a/handlers/main.yml b/handlers/main.yml
index b0e498a..13194b9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,3 +3,10 @@
 name: nftables
 enabled: True
 state: reloaded
+
+- name: restart netforwarding
+ service:
+ name: netforwarding
+ enabled: True
+ state: restarted
+ daemon_reload: True
diff --git a/tasks/main.yml b/tasks/main.yml
index 7be2b79..4b1e262 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -30,3 +30,18 @@
 mode: "0755"
 notify:
 - reload nftables
+
+- name: copy netforwarding script
+ when: firewall.routing
+ template:
+ src: netforwarding.j2
+ dest: /usr/local/bin/netforwarding
+ mode: 0755
+
+- name: setup netforwarding service
+ when: firewall.routing
+ notify: restart netforwarding
+ template:
+ src: netforwarding.service.j2
+ dest: /etc/systemd/system/netforwarding.service
+ mode: 0644
diff --git a/templates/netforwarding.j2 b/templates/netforwarding.j2
new file mode 100755
index 0000000..091280e
--- /dev/null
+++ b/templates/netforwarding.j2
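Review bot: In the tasks/main.yml hunk there is no path that turns forwarding back off: both new tasks are gated on `when: firewall.routing`, so once a host has been converged with `routing: True` and the variable is later set back to `False`, the tasks are merely skipped and the already enabled `netforwarding` unit keeps IPv4/IPv6 forwarding on. A companion task with `when: not firewall.routing` that stops and disables the unit closes that gap; it will fail on hosts where the unit file was never installed, so gate it on a stat of /etc/systemd/system/netforwarding.service or tolerate that specific error. Two smaller points: the "copy netforwarding script" task does not notify the handler, so an edited script is not re-executed until something else restarts the unit, and the new `mode: 0755` / `mode: 0644` are unquoted while the existing task at the top of the hunk uses `mode: "0755"`; keeping the quoted form is safer against YAML octal parsing and consistent with the file. The task whose `mode: "0755"` line opens this hunk begins outside the hunk.
```yaml
# … unchanged: existing tasks and the two new routing tasks …

- name: stop netforwarding service when routing is disabled
  when: not firewall.routing
  service:
    name: netforwarding
    enabled: False
    state: stopped
  # NOTE(review): fails where the unit was never installed; guard with a stat of
  # /etc/systemd/system/netforwarding.service or a narrow failed_when.
```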
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case ${1} in
+ start)
+ echo -n '1' > /proc/sys/net/ipv6/conf/all/forwarding
+ echo -n '1' > /proc/sys/net/ipv4/ip_forward
+ ;;
+
+ stop)
+ echo -n '0' > /proc/sys/net/ipv4/ip_forward
+ echo -n '0' > /proc/sys/net/ipv6/conf/all/forwarding
+ ;;
+
+esac
diff --git a/templates/netforwarding.service.j2 b/templates/netforwarding.service.j2
new file mode 100644
index 0000000..33c3bc6
--- /dev/null
+++ b/templates/netforwarding.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables forwarding in the linux kernel after the firewall is fully loaded
+After=nftables.service
+Requires=nftables.service
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+
+ExecStart=/usr/local/bin/netforwarding start
+ExecStop=/usr/local/bin/netforwarding stop
+
+[Install]
+WantedBy=multi-user.target
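Review bot: The netforwarding.j2 script reports success regardless of whether the sysctl writes worked: there is no `set -e`, so a failed redirect (for example /proc/sys/net/ipv6/conf/all/forwarding absent because IPv6 is disabled, or a read-only /proc in a container) only affects the exit status if it happens to be the last command, and the oneshot unit then shows as active with forwarding not actually in the expected state. The `case ${1} in` also has no default branch, so `netforwarding` invoked with a typo or no argument silently does nothing and exits 0, and `echo -n` is not portable under /bin/sh on every distribution — `printf '1'` is the reliable form. Suggested rewrite below: `set -eu`, quoted argument with a default, `printf`, and a `*)` branch that exits non-zero; if IPv6-disabled hosts are in scope, write the ipv4 entry first or test for the ipv6 path before writing so `set -e` does not abort before ipv4 forwarding is enabled.
```shell
#!/bin/sh
set -eu

case "${1:-}" in
    start)
        printf '1' > /proc/sys/net/ipv6/conf/all/forwarding
        printf '1' > /proc/sys/net/ipv4/ip_forward
        ;;
    stop)
        printf '0' > /proc/sys/net/ipv4/ip_forward
        printf '0' > /proc/sys/net/ipv6/conf/all/forwarding
        ;;
    *)
        echo "usage: $0 start|stop" >&2
        exit 2
        ;;
esac
```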
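Review bot: The netforwarding.service.j2 unit relies on the combination of `Requires=nftables.service` and `After=nftables.service` to make forwarding fail closed (systemd propagates an explicit stop or restart of nftables to this unit, so `ExecStop` turns forwarding back off whenever the ruleset goes away), but nothing in the file says so, and a later edit that relaxes `Requires=` to `Wants=` would silently remove that property. A short comment above the two lines would preserve the intent, for example `# Requires= (not Wants=) is deliberate: stopping or restarting nftables also stops this unit, so forwarding is never left on without the ruleset.` Note that a `reload` of nftables whose new ruleset is rejected does not propagate, so forwarding then stays on with the previous rules; that is probably acceptable but worth stating in the same comment.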