Role - tripleo_nftables

Role Documentation

Welcome to the “tripleo_nftables” role documentation.

Role Defaults

This section highlights all of the defaults and variables set within the “tripleo_nftables” role.

# All variables intended for modification should be placed in this file.

# All variables within this role should have a prefix of "tripleo_nftables_"
tripleo_nftables_src: /var/lib/tripleo-config/firewall

Molecule Scenarios

Molecule is being used to test the “tripleo_nftables” role. The following section highlights the drivers in service and provides an example playbook showing how the role is leveraged.

Scenario: source

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example source playbook

- name: Converge
  hosts: all
  vars:
    tripleo_nftables_src: /opt/tripleo-firewall
  roles:
  - role: tripleo_nftables
  tasks:
  - name: Cleanup nftables
    import_role:
      name: tripleo_nftables
      tasks_from: cleanup.yml

Scenario: update_rules

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example update_rules playbook

- name: Converge
  hosts: all
  vars:
    tripleo_nftables_src: /opt/tripleo-firewall
  roles:
  - role: tripleo_nftables
  tasks:
  - name: Update snippet
    become: true
    tripleo_nftables_snippet:
      dest: /opt/tripleo-firewall/ruleset.yml
      content: |
        - rule_name: '00 related established'
          rule:
            proto: all
            state:
              - related
              - established
        - rule_name: '01 local link'
          rule:
            proto: all
            interface: lo
            state: []
        - rule_name: '02 ssh from all'
          rule:
            proto: tcp
            dport: 22
  - name: Cleanup nftables
    ansible.builtin.import_role:
      name: tripleo_nftables
      tasks_from: cleanup.yml

Scenario: action

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example action playbook

- name: Converge
  hosts: all
  become: true
  vars:
    tripleo_nftables_src: /opt/tripleo-firewall
  tasks:
  - name: Run role
    ansible.builtin.import_role:
      name: tripleo_nftables
  - name: Ensure we drop connections on TCP/1211
    lineinfile:
      path: /etc/nftables/tripleo-rules.nft
      line: add rule inet filter TRIPLEO_INPUT tcp dport { 1211 } ct state new counter
        drop comment "010 testing action"
    register: line_in_file

  - name: Clean everything nftables related
    import_role:
      name: tripleo_nftables
      tasks_from: cleanup.yml

  - name: Fail if file was changed
    when: line_in_file is changed
    fail:
      msg: tripleo-rules.nft has been changed, meaning rule generation is wrong.
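The update_rules scenario shows the snippet format the role consumes (rule_name plus a rule with proto, dport, interface and state), and the action scenario shows the shape of the nft statements that end up in /etc/nftables/tripleo-rules.nft. The following translator is an added illustration written for this page, not the role's own generator: it assumes the table "inet filter", the chain "TRIPLEO_INPUT", a default action of accept and a default conntrack state of new, and treats an empty state list as "no ct state match"; the ruleset below is a constructed copy of the one in the update_rules playbook.

```python
"""Render tripleo-style firewall snippet entries into nft statements.

Hypothetical translator (assumption: not the role's own code) modelled on the
statement visible in the action scenario:
  add rule inet filter TRIPLEO_INPUT tcp dport { 1211 } ct state new counter drop comment "010 testing action"
"""

# Constructed copy of the ruleset.yml snippet from the update_rules scenario
# (in practice this would come from yaml.safe_load on the snippet file).
RULESET = [
    {"rule_name": "00 related established",
     "rule": {"proto": "all", "state": ["related", "established"]}},
    {"rule_name": "01 local link",
     "rule": {"proto": "all", "interface": "lo", "state": []}},
    {"rule_name": "02 ssh from all",
     "rule": {"proto": "tcp", "dport": 22}},
]


def render_rule(entry, table="inet filter", chain="TRIPLEO_INPUT"):
    """Return one 'add rule ...' statement for a single snippet entry."""
    name, rule = entry["rule_name"], entry["rule"]
    parts = [f"add rule {table} {chain}"]
    if rule.get("interface"):
        parts.append(f"iifname {rule['interface']}")  # match ingress interface by name
    proto = rule.get("proto", "all")
    ports = rule.get("dport")
    if proto == "all" and ports is not None:
        raise ValueError(f"{name}: dport requires a concrete proto (tcp/udp)")
    if proto != "all":
        parts.append(proto)
        if ports is not None:
            ports = ports if isinstance(ports, list) else [ports]
            parts.append("dport { " + ", ".join(str(p) for p in ports) + " }")
    state = rule.get("state", ["new"])  # [] disables the conntrack match entirely
    if state:
        parts.append("ct state " + ",".join(state))
    parts.append("counter")
    parts.append(rule.get("action", "accept"))  # assumption: accept unless told otherwise
    parts.append(f'comment "{name}"')
    return " ".join(parts)


def render_ruleset(ruleset):
    """Render all entries sorted by rule_name; the numeric prefix fixes evaluation order."""
    return [render_rule(e) for e in sorted(ruleset, key=lambda e: e["rule_name"])]


if __name__ == "__main__":
    for line in render_ruleset(RULESET):
        print(line)
```

Feeding the rendered lines to `nft -c -f` before installing them is a cheap syntax check that catches a malformed snippet without touching the live ruleset.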

Scenario: destination

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example destination playbook

- name: Converge
  hosts: all
  vars:
    tripleo_nftables_src: /opt/tripleo-firewall
  roles:
  - role: tripleo_nftables
  tasks:
  - name: Cleanup nftables
    import_role:
      name: tripleo_nftables
      tasks_from: cleanup.yml

Scenario: default

Molecule Inventory

hosts:
  all:
    hosts:
      instance:
        ansible_host: localhost

Example default playbook

- name: Converge
  hosts: all
  roles:
  - role: tripleo_nftables
  tasks:
  - name: Cleanup nftables
    import_role:
      name: tripleo_nftables
      tasks_from: cleanup.yml