diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index f326f56827..65f5ad9ba0 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -218,10 +218,10 @@
     - config
     - base
 
-- name: Nftables
+- name: Nftables ipv4
   ansible.builtin.template:
     src: "{{ item }}"
-    dest: /etc/sysconfig/nftables.conf
+    dest: /etc/nftables/fedora-infra-ipv4.nft
     mode: '0600'
     validate: "/sbin/nft --check --file %s"
   with_first_found:
@@ -290,6 +290,48 @@
     - config
     - base
 
+- name: Nftables ipv6
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/nftables/fedora-infra-ipv6.nft
+    mode: '0600'
+    validate: "/sbin/nft --check --file %s"
+  with_first_found:
+    - nftables/nftables-ipv6.{{ datacenter }}
+    - nftables/nftables-ipv6.{{ inventory_hostname }}
+    - nftables/nftables-ipv6.{{ host_group }}
+    - nftables/nftables-ipv6.{{ env }}
+    - nftables/nftables-ipv6
+  when:
+    - baseiptables|bool
+    - nftables
+  notify:
+    - Restart nftables
+    - Reload libvirtd
+  tags:
+    - ip6tables
+    - config
+    - base
+
+- name: Nftables sysconfig
+  ansible.builtin.template:
+    src: "{{ item }}"
+    dest: /etc/sysconfig/nftables.conf
+    mode: '0600'
+    validate: "/sbin/nft --check --file %s"
+  with_first_found:
+    - nftables/sysconfig.conf
+  when:
+    - baseiptables|bool
+    - nftables
+  notify:
+    - Restart nftables
+    - Reload libvirtd
+  tags:
+    - iptables
+    - config
+    - base
+
 - name: Ip6tables service enabled
   service: name=ip6tables state=started enabled=true
   tags:
diff --git a/roles/base/templates/nftables/nf6tables b/roles/base/templates/nftables/nftables-ipv6
similarity index 100%
rename from roles/base/templates/nftables/nf6tables
rename to roles/base/templates/nftables/nftables-ipv6
diff --git a/roles/base/templates/nftables/sysconfig.conf b/roles/base/templates/nftables/sysconfig.conf
new file mode 100644
index 0000000000..6b106887a5
--- /dev/null
+++ b/roles/base/templates/nftables/sysconfig.conf
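Review bot: The new `dest: /etc/nftables/fedora-infra-ipv4.nft` depends on `/etc/nftables/` existing, which the old destination under `/etc/sysconfig/` did not; nothing in this hunk ensures the directory (normally created by the nftables package) is present before the template runs, so on a fresh host where the package is installed later in the role the task would fail and leave the host without its managed ruleset. If the role does not already install nftables or create the directory before this task, add a preceding `ansible.builtin.file:` task with `path: /etc/nftables`, `state: directory` and a root-only mode such as `'0755'`. The `with_first_found` entries, `when`, `notify` and `tags` of this task continue outside the hunk, so I could not confirm whether the `nftables/nftables.*` template names were renamed to match the new `ipv4` naming of the ipv6 fragment.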
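Review bot: The `Nftables sysconfig` task is tagged `iptables` only, while the `Nftables ipv6` task above it is tagged `ip6tables`, so a run limited with `--tags iptables` rewrites `/etc/sysconfig/nftables.conf` (whose rendered content includes `/etc/nftables/fedora-infra-ipv6.nft`) without ensuring that fragment has been deployed; on a host that has not yet received the ipv6 file, `nft --check` in `validate` should reject the missing include and fail the task, and the same holds for `--tags ip6tables` and the ipv4 fragment. Give the sysconfig task both `- iptables` and `- ip6tables` under `tags:` so any tag selection that rewrites a fragment also rewrites and validates the file that loads it. The `with_first_found:` with the single fixed entry `nftables/sysconfig.conf` adds nothing over `src: nftables/sysconfig.conf`, and dropping the loop also removes the `{{ item }}` indirection.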
@@ -0,0 +1,12 @@
+# Uncomment the include statement here to load the default config sample
+# in /etc/nftables for nftables service.
+
+#include "/etc/nftables/main.nft"
+
+include "/etc/nftables/fedora-infra-ipv4.nft"
+
+include "/etc/nftables/fedora-infra-ipv6.nft"
+
+# To customize, either edit the samples in /etc/nftables, append further
+# commands to the end of this file or overwrite it after first service
+# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
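Review bot: The two `include` lines load `fedora-infra-ipv4.nft` before `fedora-infra-ipv6.nft`, so a `flush ruleset` at the top of the ipv6 fragment (common in files that used to be loaded standalone) would discard the IPv4 rules loaded a moment earlier and leave the host filtering IPv6 only; the fragments are not in this diff, so confirm that neither of them flushes, and do the flush exactly once, either as a single `flush ruleset` line here before the first `include` or by relying on the service unit, whichever the nftables.service on these hosts actually does. The trailing comment is the Fedora stock text inviting operators to overwrite this file with `nft list ruleset >/etc/sysconfig/nftables.conf`, but the file is now templated by Ansible, so such an edit would be reverted on the next run and, until then, would silently drop both includes; replace it with a managed-file header such as `# {{ ansible_managed }} -- edit roles/base/templates/nftables/sysconfig.conf instead`. If the sample `main.nft` is never meant to be loaded, drop the commented `#include "/etc/nftables/main.nft"` rather than carry it as an invitation to uncomment it by hand.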