infra/ansible-role-firewall
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move rule merging to python plugin

Browse source
This commit is contained in:
nd 2021-09-25 15:58:57 +02:00
parent fb6e4ad1df
commit d83605dca8
No known key found for this signature in database
GPG key ID: 21B5CD4DEE3670E9
2 changed files with 26 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

24
filter_plugins/filters.py Executable file
View file

@ -0,0 +1,24 @@
#!/usr/bin/env python3
import collections
class FilterModule(object):
def filters(self):
return {
'expand_nft_rules': self.expand_nft_rules
}
def expand_nft_rules(self, input_rules, rule_defaults):
rules = []
for rule_name in input_rules:
rule = {
'name': rule_name,
'comment': rule_name,
}
for override in rule_defaults:
rule.update(override)
if not isinstance(input_rules[rule_name], collections.Mapping):
rule['matches'] = input_rules[rule_name]
else:
rule.update(input_rules[rule_name])
rules.append(rule)
return rules

13
templates/nftables.conf.j2
View file

@ -6,17 +6,8 @@
{% endmacro %} {% endmacro %}
{%- macro nftchain(name) -%} {%- macro nftchain(name) -%}
{% set chain_rules = [] %} {% for rule in firewall.chains[name]|expand_nft_rules([firewall.defaults.all, firewall.defaults[name]])|sort(attribute='priority') %}
{% for i in firewall.chains[name] %} {{ nftrule(rule) }}
{% if not firewall.chains[name][i] is mapping %}
{% set tmprule = { 'matches': firewall.chains[name][i] }%}
{% else %}
{% set tmprule = firewall.chains[name][i] %}
{% endif%}
{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }}
{% endfor %}
{% for rule in chain_rules|sort(attribute='priority') %}
{{ nftrule(rule) }}
{% endfor %} {% endfor %}
{% endmacro%} {% endmacro%}