add support to enable routing

defaults/main.yml

@@ -19,4 +19,5 @@ firewall:
     input: drop
     output: accept
     forward: drop
+  routing: False
   vars: {}

handlers/main.yml

@@ -3,3 +3,10 @@
     name: nftables
     enabled: True
     state: reloaded
+
+- name: restart netforwarding
+  service:
+    name: netforwarding
+    enabled: True
+    state: restarted
+    daemon_reload: True

tasks/main.yml

@@ -30,3 +30,18 @@
     mode: "0755"
   notify:
   - reload nftables
+
+- name: copy netforwarding script
+  when: firewall.routing
+  template:
+    src: netforwarding.j2
+    dest: /usr/local/bin/netforwarding
+    mode: 0755
+
+- name: setup netforwarding service
+  when: firewall.routing
+  notify: restart netforwarding
+  template:
+    src: netforwarding.service.j2
+    dest: /etc/systemd/system/netforwarding.service
+    mode: 0644

templates/netforwarding.j2

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+case ${1} in
+	start)
+		echo -n '1' > /proc/sys/net/ipv6/conf/all/forwarding
+		echo -n '1' > /proc/sys/net/ipv4/ip_forward
+	;;
+
+	stop)
+		echo -n '0' > /proc/sys/net/ipv4/ip_forward
+		echo -n '0' > /proc/sys/net/ipv6/conf/all/forwarding
+	;;
+
+esac

templates/netforwarding.service.j2

@@ -0,0 +1,14 @@
+[Unit]
+Description=Enables forwarding in the linux kernel after the firewall is fully loaded
+After=nftables.service
+Requires=nftables.service
+
+[Service]
+RemainAfterExit=yes
+Type=oneshot
+
+ExecStart=/usr/local/bin/netforwarding start
+ExecStop=/usr/local/bin/netforwarding stop
+
+[Install]
+WantedBy=multi-user.target