ansible-role-firewall/templates/nftables.conf.j2

#jinja2:lstrip_blocks: True
#!/usr/sbin/nft -f

{%- macro nftrule(rule) -%}
	{{rule.matches }} {% if not rule.statement == "counter" %}counter {% endif %}{{ rule.statement }} comment "{{ rule.comment }}"
{% endmacro %}

{%- macro nftchain(name) -%}
	{% set chain_rules = [] %}
	{% for i in firewall.chains[name] %}
		{% if not firewall.chains[name][i] is mapping %}
			{% set tmprule = { 'matches': firewall.chains[name][i] }%}
		{% else %}
			{% set tmprule = firewall.chains[name][i] %}
		{% endif%}
		{% set rule = {}|combine(firewall.defaults.all, firewall.defaults[name], {'comment': i}, tmprule, recursive=True) %}{{ chain_rules.append(rule) }}
	{% endfor %}
	{% for rule in chain_rules|sort(attribute='priority') %}
	{{ nftrule(rule) }}
	{% endfor %}
{% endmacro%}

flush ruleset

{% for i in firewall.vars %}
define {{ i }} = { {{ firewall.vars[i]|join(', ') }} }
{% endfor %}

table inet filter {
	chain input {
		type filter hook input priority 0;
		policy {{ firewall.policies.input }};

{{ nftchain('input') }}

		counter comment "Count dropped"

	}
	chain forward {
		type filter hook forward priority 0;
		policy {{ firewall.policies.forward }};

{{ nftchain('forward') }}

		counter comment "Count dropped"
	}
	chain output {
		type filter hook output priority 0;
		policy {{ firewall.policies.output }};

{{ nftchain('output') }}
	}
}

table ip nat {
# NAT
	chain prerouting {
		type nat hook prerouting priority -100;

{{ nftchain('nat_prerouting') }}
	}
	chain postrouting {
		type nat hook postrouting priority 100;

{{ nftchain('nat_postrouting') }}
	}
}

table ip6 nat {
# NAT
	chain prerouting {
		type nat hook prerouting priority -100;

{{ nftchain('nat6_prerouting') }}
	}
	chain postrouting {
		type nat hook postrouting priority 100;

{{ nftchain('nat6_postrouting') }}
	}
}

include "/etc/nftables.d/*.nft"