Commit 746b3ce6 authored by Pietsch, Martin's avatar Pietsch, Martin

move commit

Description
===========
This role provides manages the packet filter pf.
Requirement
===========
User defined variables
----------------------
- network
Process
=======
main
----
1. enable pf
2. start pf
configure
---------
1. generate pf.conf
2. reload pf
---
# defaults file for package.pf
\ No newline at end of file
---
# handlers file for package.pf
\ No newline at end of file
galaxy_info:
author: your name
description: your description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 1.2
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# platforms is a list of platforms, and each platform has a name and a list of versions.
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
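Review bot: `min_ansible_version: 1.2` is the unedited scaffold value and is parsed as a float; the role uses `include_tasks` in tasks/main.yml, which needs Ansible 2.4 or later, so it should read `min_ansible_version: '2.4'` (quoted so the version is kept as a string). The `author`, `description`, `company` and `license` entries are still the galaxy-init placeholders and `platforms` is commented out, so Galaxy would publish the role with no usable metadata. Filling in at least `license` and a `platforms` entry for the system the role targets (`group: wheel` and the `pf` service in the task files point at a BSD, but that should be confirmed) is needed before the role is shared.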
- name: configure pf
template:
src: pf.conf.j2
dest: /etc/pf.conf
owner: root
group: wheel
mode: 0444
- name: reload pf
service:
name: pf
state: reloaded
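Review bot: The template task at `- name: configure pf` writes /etc/pf.conf without a `validate:` step, so a syntax error in the rendered ruleset is only discovered when the following `reload pf` task fails, leaving the host on whatever ruleset was loaded before. Adding `validate: 'pfctl -nf %s'` to the template task makes Ansible reject a broken render before it replaces the file. The reload is an unconditional task rather than a handler, so pf is reloaded on every run even when the template did not change; a `notify: reload pf` on the template task with the service task moved to handlers/main.yml (currently empty) would limit reloads to real changes. `mode: 0444` is read as an octal integer by the YAML parser and Ansible accepts that form, but quoting it as `mode: '0444'` avoids depending on it.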
---
- include_tasks: configure.yml
- name: enable pf
service:
name: pf
enabled: yes
- name: enable pf
service:
name: pf
state: started
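Review bot: Both service tasks are named `- name: enable pf`, so the second one, which sets `state: started`, is misreported in play output and does not match the README's `start pf` step; rename it to `- name: start pf` or merge both into one task with `enabled: true` and `state: started`. `enabled: yes` is a YAML 1.1 boolean spelling; write `enabled: true` to match what yamllint and current Ansible expect. `include_tasks: configure.yml` runs the configure and reload steps before pf has been enabled or started, so on a host where pf is not yet running the reload presumably fails on the first run — confirm and, if so, move the include after the service tasks.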
{% if network.nat is defined %}
{% set natifs = [] %}
{% for nif in network.nat if not nif.intdevice in natifs %}
{% if loop.index == 1 %}
scrub in all
{% endif %}
{% do natifs.append(nif.intdevice) %}
{% if nif.ipv4 is defined %}
{{ 'nat on %s inet from %s:network to any -> (%s)' | format(nif.extdevice, nif.intdevice, nif.extdevice) }}
{% endif %}
{% if nif.ipv6 is defined %}
{{ 'nat on %s inet6 from %s:network to any -> (%s)' | format(nif.extdevice, nif.intdevice, nif.extdevice) }}
{% endif %}
{% endfor %}
{% for nif in network.nat %}
{% for fwd in (nif.forwards | default({})) %}
{% if fwd.to is defined and nif.ipv4 is defined %}
{% set proto = ('proto %s' | format(fwd.protocol | default('tcp'))) %}
{% set srcaddr = 'any' %}
{% set srcport = '' %}
{% if fwd.from is defined %}
{% set srcaddr = ('%s' | format(fwd.from.ipv4 | default('any') )) %}
{% set srcport = ('port %s' | format(fwd.from.port)) if fwd.from.port is defined else '' %}
{% endif %}
{% set destaddr = ('%s' | format(network.devices[nif.extdevice].ipv4)) if network.devices[nif.extdevice].ipv4 is defined else '' %}
{% set destport = ('port %s' | format(fwd.to.port)) if fwd.to.port is defined else '' %}
{% set natport = ('port %s' | format(fwd.to.natport)) if fwd.to.natport is defined else '' %}
{% set rule = 'rdr on %s inet %s from %s %s to %s %s -> %s %s' | format(nif.extdevice, proto, srcaddr, srcport, destaddr, destport, nif.ipv4 | regex_replace("/[0-9]*", ""), natport) %}
{{ rule | regex_replace('\\s+', ' ') | trim() }}
{% endif %}
{% if fwd.to is defined and nif.ipv6 is defined %}
{% set proto = ('proto %s' | format(fwd.protocol | default('tcp'))) %}
{% set srcaddr = 'any' %}
{% set srcport = '' %}
{% if fwd.from is defined %}
{% set srcaddr = ('%s' | format(fwd.from.ipv6 | default('any') )) %}
{% set srcport = ('port %s' | format(fwd.from.port)) if fwd.from.port is defined else '' %}
{% endif %}
{% set destaddr = ('%s' | format(network.devices[nif.extdevice].ipv6)) if network.devices[nif.extdevice].ipv6 is defined else '' %}
{% set destport = ('port %s' | format(fwd.to.port)) if fwd.to.port is defined else '' %}
{% set natport = ('port %s' | format(fwd.to.natport)) if fwd.to.natport is defined else '' %}
{% set rule = 'rdr on %s inet6 %s from %s %s to %s %s -> %s %s' | format(nif.extdevice, proto, srcaddr, srcport, destaddr, destport, nif.ipv6 | regex_replace("/[0-9]*", ""), natport) %}
{{ rule | regex_replace('\\s+', ' ') | trim() }}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% if network.firewall is defined %}
{% for rl in (firewall.rules | default({})) %}
{% set dir = ('%s' | format(rl.direction)) if rl.direction is defined else '' %}
{% set if = ('on %s' | format(rl.interface)) if rl.interface is defined else '' %}
{% set af = ('%s' | format(rl.af)) if rl.af is defined else '' %}
{% set proto = ('proto %s' | format(rl.protocol)) if rl.protocol is defined else '' %}
{% set srcaddr = ('from %s' | format(rl.src_address)) if rl.src_address is defined else '' %}
{% set srcport = ('port %s' | format(rl.src_port)) if rl.src_port is defined else '' %}
{% set dstaddr = ('to %s' | format(rl.dst_address)) if rl.dst_address is defined else '' %}
{% set dstport = ('port %s' | format(rl.dst_port)) if rl.dst_port is defined else '' %}
{% set rule = '%s %s %s %s %s %s %s %s %s' | format(rl.action, dir, if, af, proto, srcaddr, srcport, dstaddr, dstport) %}
{{ rule | regex_replace('\\s+', ' ') | trim() }}
{% endfor %}
{% endif %}
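Review bot: The filter-rule loop at `{% for rl in (firewall.rules | default({})) %}` reads a top-level `firewall` variable while the guard on the line above checks `network.firewall`, so unless a separate `firewall` variable exists the `default({})` silently yields no rules and the rendered pf.conf contains only the NAT/rdr rules with no filtering; it should read `{% for rl in (network.firewall.rules | default([])) %}` (the README lists only `network` as a user variable, and a list default fits a rule sequence better than `{}`). Because the missing rules are swallowed rather than raised, a `pfctl -nf` syntax check would not catch this — the result is a valid but empty ruleset — so a rendered-output check in the test play is the place to see it. `{% do natifs.append(nif.intdevice) %}` needs the `jinja2.ext.do` extension enabled in ansible.cfg, which the role does not document. The local named `if` at `{% set if = ... %}` reads as a Jinja keyword and is passed into `format(...)` further down; renaming it to `iface` avoids confusing readers and any parser ambiguity.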
---
- hosts: localhost
remote_user: root
roles:
- package.pf
\ No newline at end of file
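Review bot: The test play at `- hosts: localhost` sets no `network` variable, so every branch of the pf.conf template is skipped and the play only verifies that an empty ruleset can be written and reloaded. A `vars:` block with a minimal fixture (one `network.nat` entry with `forwards` and one `network.firewall.rules` entry) would exercise the rdr and filter-rule generation. `remote_user: root` suggests the play is meant to connect over SSH; if the intent is to run on the control node, `connection: local` makes that explicit rather than relying on implicit-localhost behaviour.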
---
# vars file for package.pf
\ No newline at end of file