From 2e3f4fa81c45da54712ece3461ef2f6d91428b5c Mon Sep 17 00:00:00 2001
From: James Antill
Date: Tue, 29 Apr 2025 15:05:29 -0400
Subject: [PATCH] Add the main nft_block_rules addition to bastion template.
Signed-off-by: James Antill
---
 roles/base/templates/nftables/nftables.bastion | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roles/base/templates/nftables/nftables.bastion b/roles/base/templates/nftables/nftables.bastion
index 9f18d10e9b..bbdc4878df 100644
--- a/roles/base/templates/nftables/nftables.bastion
+++ b/roles/base/templates/nftables/nftables.bastion
@@ -94,6 +94,13 @@
 add rule ip filter INPUT ip saddr 216.205.24.0/24 tcp dport 25 counter accept
 add rule ip filter INPUT ip saddr 63.128.21.0/24 tcp dport 25 counter accept
 add rule ip filter INPUT ip saddr 207.211.30.40/26 tcp dport 25 counter accept
+{% if nft_block_rules is defined %}
+# if there are block rules - put them in as-is
+{% for rule in nft_block_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}
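Review bot: The block rules are emitted after the three `ip saddr ... tcp dport 25 counter accept` context lines, so an entry in `nft_block_rules` cannot override those SMTP accepts — `accept` is a terminating verdict, and any block rule for one of those source ranges on port 25 is dead once it lands below them; if the intent is that block rules win unconditionally, the `{% if nft_block_rules is defined %}` section belongs above the first accept in the chain (the start of that accept run is outside this hunk). Separately, `{{ rule }}` is rendered verbatim with no escaping or shape check, and since `nft -f` applies the file as one transaction, a single malformed entry aborts the whole bastion ruleset rather than just that rule, so the comment should state the contract, e.g. `# if there are block rules - put them in as-is; each entry must be a complete nft statement (e.g. "add rule ip filter INPUT ... drop"), a bad entry fails the whole ruleset load`. Whether an equivalent hook exists for the ip6 chain cannot be seen from this hunk; if not, IPv6 sources listed in the same variable silently go unblocked.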