Initial version of iptables to nftables conversion.

2024-10-04 16:46:26 -04:00 · 2024-10-04 16:46:26 -04:00 · 80aa4bbbc2
commit 80aa4bbbc2
parent f6b0cd0d48
49 changed files with 1040 additions and 0 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -97,6 +97,8 @@ csi_relationship: |
 csi_security_category: Unspecified
 custom6_rules: []
 custom_rules: []
+nft_custom6_rules: []
+nft_custom_rules: []
 # most of our systems are in IAD2
 datacenter: iad2
 # These are used to:
--- a/inventory/group_vars/autosign
+++ b/inventory/group_vars/autosign
@ -18,6 +18,7 @@ csi_security_category: High
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 fedmsg_error_recipients: []
 host_group: autosign
 ipa_client_shell_groups:
--- a/inventory/group_vars/autosign_hardware
+++ b/inventory/group_vars/autosign_hardware
@ -2,4 +2,5 @@
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 host_group: autosign
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -17,6 +17,9 @@ csi_security_category: High
 # allow ntp from internal RH 10 nets
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited'
+  - 'add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 123 counter accept'
 #
 # This host is externally reachable
 #
--- a/inventory/group_vars/bastion_stg
+++ b/inventory/group_vars/bastion_stg
@ -28,6 +28,9 @@ csi_security_category: High
 # allow ntp from internal RH 10 nets
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited'
+ - 'add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 123 counter accept'
 #
 # Set this to get fasjson-client cron to make the aliases file
 #
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@ -20,6 +20,9 @@ csi_relationship: |
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 #
 # This host is externally reachable
 #
--- a/inventory/group_vars/bodhi_backend
+++ b/inventory/group_vars/bodhi_backend
@ -7,6 +7,7 @@ bodhi_message_routing_keys:
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.5.125.71 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.5.125.71 tcp sport 44334 counter accept']
 host_group: bodhi2
 ipa_client_shell_groups:
  - sysadmin-bodhi
--- a/inventory/group_vars/bodhi_backend_stg
+++ b/inventory/group_vars/bodhi_backend_stg
@ -30,6 +30,7 @@ csi_security_category: Moderate
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 # this is sign-bridge01.iad2 ip 10.3.169.120
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 host_group: bodhi2
 ipa_client_shell_groups:
  - sysadmin-bodhi
--- a/inventory/group_vars/certgetter
+++ b/inventory/group_vars/certgetter
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 lvm_size: 20000
 mem_size: 2048
 num_cpus: 2
--- a/inventory/group_vars/certgetter_stg
+++ b/inventory/group_vars/certgetter_stg
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 lvm_size: 20000
 mem_size: 2048
 num_cpus: 2
--- a/inventory/group_vars/copr_keygen_aws
+++ b/inventory/group_vars/copr_keygen_aws
@ -8,6 +8,11 @@ custom_rules:
    - '-A INPUT -p tcp -m tcp -s 52.44.175.77 --dport 5167 -j ACCEPT'
    - '-A INPUT -p tcp -m tcp -s 172.30.2.145 --dport   80 -j ACCEPT'
    - '-A INPUT -p tcp -m tcp -s 172.30.2.145 --dport 5167 -j ACCEPT'
+nft_custom_rules:
+    - 'add rule ip filter INPUT ip saddr 52.44.175.77 tcp dport   80 counter accept'
+    - 'add rule ip filter INPUT ip saddr 52.44.175.77 tcp dport 5167 counter accept'
+    - 'add rule ip filter INPUT ip saddr 172.30.2.145 tcp dport   80 counter accept'
+    - 'add rule ip filter INPUT ip saddr 172.30.2.145 tcp dport 5167 counter accept'
 freezes: false
 tcp_ports: [22,
    # node_exporter/prometheus
--- a/inventory/group_vars/copr_keygen_dev_aws
+++ b/inventory/group_vars/copr_keygen_dev_aws
@ -8,6 +8,11 @@ custom_rules:
    - '-A INPUT -p tcp -m tcp -s 172.30.2.173    --dport 5167 -j ACCEPT'
    - '-A INPUT -p tcp -m tcp -s 18.208.10.131   --dport   80 -j ACCEPT'
    - '-A INPUT -p tcp -m tcp -s 18.208.10.131   --dport 5167 -j ACCEPT'
+nft_custom_rules:
+    - 'add rule ip filter INPUT ip saddr 172.30.2.173  tcp dport   80 counter accept'
+    - 'add rule ip filter INPUT ip saddr 172.30.2.173  tcp dport 5167 counter accept'
+    - 'add rule ip filter INPUT ip saddr 18.208.10.131 tcp dport   80 counter accept'
+    - 'add rule ip filter INPUT ip saddr 18.208.10.131 tcp dport 5167 counter accept'
 freezes: false
 tcp_ports: [22,
    # node_exporter/prometheus
--- a/inventory/group_vars/github2fedmsg
+++ b/inventory/group_vars/github2fedmsg
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/github2fedmsg_stg
+++ b/inventory/group_vars/github2fedmsg_stg
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 deployment_type: stg
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/ipa
+++ b/inventory/group_vars/ipa
@ -1,6 +1,7 @@
 ---
 # Define resources for this group of hosts here.
 custom_rules: ['-A INPUT -p udp -m udp -s 10.3.0.0/16 --dport 53 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.0.0/16 udp dport 53 counter accept']
 host_backup_targets: ['/var/lib/ipa/backup', '/var/log/dirsrv/slapd-FEDORAPROJECT-ORG']
 ipa_client_shell_groups:
  - sysadmin-accounts
--- a/inventory/group_vars/ipsilon
+++ b/inventory/group_vars/ipsilon
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_host_group: ipsilon
 ipa_host_group_desc: Ipsilon SSO application
 lvm_size: 50000
--- a/inventory/group_vars/ipsilon_stg
+++ b/inventory/group_vars/ipsilon_stg
@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_host_group: ipsilon
 ipa_host_group_desc: Ipsilon SSO application
 ipa_client_shell_groups:
--- a/inventory/group_vars/kernel_qa
+++ b/inventory/group_vars/kernel_qa
@ -1,5 +1,6 @@
 ---
 custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.122.0/24 --dport 2049 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.122.0/24 tcp dport 2049 counter accept']
 freezes: false
 ipa_client_shell_groups:
  - sysadmin-kernel
--- a/inventory/group_vars/koji
+++ b/inventory/group_vars/koji
@ -3,6 +3,10 @@
 custom_rules: [
   # Needed for keepalived
   '-A INPUT -d 224.0.0.0/8 -j ACCEPT', '-A INPUT -p vrrp -j ACCEPT']
+# Needed for keepalived
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip daddr 224.0.0.0/8 counter accept'
+  - 'add rule ip filter INPUT ip protocol vrrp counter accept'
 docker_registry: "candidate-registry.fedoraproject.org"
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@ -20,6 +20,10 @@ csi_security_category: Moderate
 custom_rules: [
  # Need for rsync from log01 for logs.
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+# Need for rsync from log01 for logs.
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_client_shell_groups:
  - sysadmin-noc
  - sysadmin-releng
--- a/inventory/group_vars/openqa_tap_workers
+++ b/inventory/group_vars/openqa_tap_workers
@ -1,6 +1,10 @@
 # firewall rules to allow openQA openvswitch guests to communicate
 # uses interface definition from host vars
 custom_rules: ['-A FORWARD -i br0 -j ACCEPT', '-A FORWARD -m state -i {{ openqa_tap_iface }} -o br0 --state RELATED,ESTABLISHED -j ACCEPT', '-A INPUT -i br0 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter FORWARD iifname "br0" counter accept'
+  - 'add rule ip filter FORWARD iifname "{{ openqa_tap_iface }}" oifname "br0" ct state related,established counter accept'
+  - 'add rule ip filter INPUT iifname "br0" counter accept'
 # for iptables rules...maybe other stuff in future? both staging
 # and prod workers are in this group
 host_group: openqa-tap-workers
--- a/inventory/group_vars/os_proxies
+++ b/inventory/group_vars/os_proxies
@ -4,6 +4,12 @@ custom_rules: [
  '-A INPUT -d 224.0.0.0/8 -j ACCEPT', '-A INPUT -p vrrp -j ACCEPT',
  # machinectl api
  '-A INPUT -p tcp --dport 22623 --src 38.145.48.0/27 -j ACCEPT']
+nft_custom_rules:
+  # Needed for keepalived
+  - 'add rule ip filter INPUT ip daddr 224.0.0.0/8 counter accept'
+  - 'add rule ip filter INPUT ip protocol vrrp counter accept'
+  # machinectl api
+  - 'add rule ip filter INPUT ip saddr 38.145.48.0/27 tcp dport 22623 counter accept'
 datacenter: cloud
 host_group: cloud
 lvm_size: 20000
--- a/inventory/group_vars/pagure
+++ b/inventory/group_vars/pagure
@ -7,6 +7,11 @@ custom_rules: [
    '-A INPUT -s 47.76.209.138/32 -j REJECT',
    '-A INPUT -s 47.76.99.127/32 -j REJECT'
 ]
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 81.69.171.38   counter reject'
+  - 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
+  - 'add rule ip filter INPUT ip saddr 47.76.209.138  counter reject'
+  - 'add rule ip filter INPUT ip saddr 47.76.99.127   counter reject'
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Run the pagure instances for fedora
 csi_relationship: |
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@ -17,6 +17,7 @@ csi_relationship: |
 csi_security_category: Low
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept']
 fedmsg_certs:
  - can_send:
      - logger.log
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@ -24,6 +24,32 @@ custom_rules: [
  # Allow openqa01 to talk to the inbound fedmsg relay.
  '-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT']
+nft_custom_rules:
+  # Need for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39     tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59    tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept'
+  # allow varnish from localhost
+  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
+  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
+  # also allow varnish from internal for purge requests
+  - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.0/24  tcp dport 6081 counter accept'
+  # Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay.
+  - 'add rule ip filter INPUT ip saddr 209.132.184.58 tcp dport 9941 counter accept'
+  # Allow openqa01 to talk to the inbound fedmsg relay.
+  - 'add rule ip filter INPUT ip saddr 10.3.174.0/24 tcp dport 9941 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.120 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.121 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.122 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.123 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.124 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.125 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.126 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.65  tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.127 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.128 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.129 tcp dport 22623 counter accept'
 external: true
 ipa_client_shell_groups:
  - fi-apprentice
--- a/inventory/group_vars/proxies_stg
+++ b/inventory/group_vars/proxies_stg
@ -22,6 +22,30 @@ custom_rules: [
  # yet as of 2015-04-27 (threebean).
  '-A INPUT -p tcp -m tcp --dport 9941 -s 104.207.133.220 -j ACCEPT',
  '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT']
+nft_custom_rules:
+  # Need for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
+  # allow varnish from localhost
+  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept'
+  - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept'
+  # also allow varnish from internal for purge requests
+  - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.0/24  tcp dport 6081 counter accept'
+  # Allow stg.fedoramagazine.org running at vultr.com to talk inbound fedmsg
+  # Contact cydrobolt about the status of this.  It hasn't hit prod status
+  # yet as of 2015-04-27 (threebean).
+  #!# FIXME: Keep??
+  - 'add rule ip filter INPUT ip saddr 104.207.133.220 tcp dport 9941 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.115 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.116 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.117 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.118 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.119 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.120 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.121 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.122 tcp dport 22623 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.123 tcp dport 22623 counter accept'
 external: true
 ipa_client_shell_groups:
  - fi-apprentice
--- a/inventory/group_vars/rabbitmq
+++ b/inventory/group_vars/rabbitmq
@ -4,6 +4,14 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
  # Inter-node traffic
  '-A INPUT -p tcp -m tcp -s 10.3.163.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.80 --dport 25672 -j ACCEPT']
+nft_custom_rules:
+  # Neeed for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
+  # Inter-node traffic
+  - 'add rule ip filter INPUT ip saddr 10.3.163.78 tcp dport 25672 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.79 tcp dport 25672 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.80 tcp dport 25672 counter accept'
 ipa_host_group: rabbitmq
 ipa_host_group_desc: RabbitMQ service
 ipa_shell_groups:
--- a/inventory/group_vars/rabbitmq_stg
+++ b/inventory/group_vars/rabbitmq_stg
@ -4,6 +4,14 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT',
  # Inter-node traffic
  '-A INPUT -p tcp -m tcp -s 10.3.166.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.80 --dport 25672 -j ACCEPT']
+nft_custom_rules:
+  # Neeed for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
+  # Inter-node traffic
+  - 'add rule ip filter INPUT ip saddr 10.3.166.78 tcp dport 25672 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.79 tcp dport 25672 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.166.80 tcp dport 25672 counter accept'
 datacenter: iad2
 ipa_host_group: rabbitmq
 ipa_host_group_desc: RabbitMQ service
--- a/inventory/group_vars/repospanner_temp
+++ b/inventory/group_vars/repospanner_temp
@ -5,6 +5,15 @@ csi_purpose: repospanner git syncing host
 # For the MOTD
 csi_security_category: Low
 custom_rules: ['-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.149 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.78 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.191 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 140.211.169.199 --dport 8443:8445 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 8.43.84.211     tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 8.43.84.212     tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 8.43.85.76      tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 152.19.134.149  tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 209.132.181.20  tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 8.43.85.78      tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 152.19.134.191  tcp dport 8443-8445 counter accept'
+  - 'add rule ip filter INPUT ip saddr 140.211.169.199 tcp dport 8443-8445 counter accept'
 lvm_size: 50000
 max_mem_size: 16348
 mem_size: 8192
--- a/inventory/group_vars/retrace
+++ b/inventory/group_vars/retrace
@ -14,6 +14,9 @@ csi_relationship: |
 custom_rules:
  - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 2049 -j ACCEPT'
  - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 5432 -j ACCEPT'
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.5.78.11 tcp dport 2049 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.5.78.11 tcp dport 5432 counter accept'
 env: production
 # Since retrace is on the qa network, it needs to actively connect to our
 # inbound relay.
--- a/inventory/group_vars/value
+++ b/inventory/group_vars/value
@ -17,6 +17,15 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT',
  # batcave01 also needs access to announce commits.
  '-A INPUT -p tcp -m tcp -s 10.3.163.35 --dport 5050 -j ACCEPT']
+nft_custom_rules:
+  # Needed for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
+  # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here
+  - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5050 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5050 counter accept'
+  # batcave01 also needs access to announce commits.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.35 tcp dport 5050 counter accept'
 deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/value_stg
+++ b/inventory/group_vars/value_stg
@ -17,6 +17,16 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.192 --dport 5050 -j ACCEPT',
  # batcave01 also needs access to announce commits.
  '-A INPUT -p tcp -m tcp -s 10.3.163.35 --dport 5050 -j ACCEPT']
+nft_custom_rules:
+  # Neeed for rsync from log01 for logs.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
+  # Needed to let nagios on noc01 and noc02 (noc01.stg) pipe alerts to zodbot here
+  - 'add rule ip filter INPUT ip saddr 10.3.163.10    tcp dport 5050 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.10    tcp dport 5050 counter accept'
+  - 'add rule ip filter INPUT ip saddr 152.19.134.192 tcp dport 5050 counter accept'
+  # batcave01 also needs access to announce commits.
+  - 'add rule ip filter INPUT ip saddr 10.3.163.35 tcp dport 5050 counter accept'
 deployment_type: stg
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/host_vars/db-fas01.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.iad2.fedoraproject.org
@ -9,6 +9,18 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.10   --dport 5432 -j ACCEPT',
  # Ipsilon VMs
  '-A INPUT -p tcp -m tcp -s 10.3.163.105  --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.106  --dport 5432 -j ACCEPT']
+nft_custom_rules:
+  # Openshift nodes (egress policy will block connection from non-authorized projects)
+  - 'add rule ip filter INPUT ip saddr 10.3.163.69 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.70 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.71 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.72 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.73 tcp dport 5432 counter accept'
+  # noc01 needs to connect to check the db
+  - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5432 counter accept'
+  # Ipsilon VMs
+  - 'add rule ip filter INPUT ip saddr 10.3.163.105 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.106 tcp dport 5432 counter accept'
 # This is a generic list, monitored by collectd
 databases:
  - fas2
--- a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org
@ -13,6 +13,8 @@ custom_rules:
  # - '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT'
  # TODO: lock it down more
  - '-A INPUT -p tcp -m tcp -s 10.3.166.0/24 --dport 5432 -j ACCEPT'
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.166.0/24 tcp dport 5432 counter accept'
 # This is a generic list, monitored by collectd
 databases:
  - fas2
--- a/inventory/host_vars/db-koji01.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.iad2.fedoraproject.org
@ -3,6 +3,11 @@
 # Only allow postgresql access from the frontend node.
 #
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.169.104 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.169.105 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.169.10 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT']
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 10.3.169.104 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.169.105 tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.169.10  tcp dport 5432 counter accept'
+  - 'add rule ip filter INPUT ip saddr 10.3.163.10  tcp dport 5432 counter accept'
 # This is a generic list, monitored by collectd
 databases:
  - koji
--- a/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org
@ -3,6 +3,7 @@
 # Only allow postgresql access from the frontend node.
 #
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.167.64 --dport 5432 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.167.64 tcp dport 5432 counter accept']
 # This is a generic list, monitored by collectd
 databases:
  - koji
--- a/inventory/host_vars/db01.iad2.fedoraproject.org
+++ b/inventory/host_vars/db01.iad2.fedoraproject.org
@ -3,6 +3,7 @@
 # We should narrow this down at some point
 #
 custom_rules: ['-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT tcp dport 5432 counter accept']
 # This is a generic list, monitored by collectd
 databases:
  - anitya
--- a/inventory/host_vars/db01.stg.iad2.fedoraproject.org
+++ b/inventory/host_vars/db01.stg.iad2.fedoraproject.org
@ -3,6 +3,7 @@
 # We should narrow this down at some point
 #
 custom_rules: ['-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT tcp dport 5432 counter accept']
 # This is a generic list, monitored by collectd
 databases:
  - askfedora
--- a/inventory/host_vars/noc01.iad2.fedoraproject.org
+++ b/inventory/host_vars/noc01.iad2.fedoraproject.org
@ -5,6 +5,11 @@ custom_rules: [
  '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT',
  '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT'
  ]
+nft_custom_rules:
+  - 'add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5666 counter accept'
+  # needed to allow rsync from log01
+  - 'add rule ip filter INPUT ip saddr 10.3.163.39  tcp dport 873 counter accept'
+  - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.10
--- a/roles/base/templates/nftables/nf6tables
+++ b/roles/base/templates/nftables/nf6tables
@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# loopback allowed
+add rule ip6 filter INPUT iifname "lo" counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip6 filter INPUT meta l4proto ipv6-icmp counter accept
+
+# Established connections allowed
+add rule ip6 filter INPUT ct state related,established counter accept
+
+# Established connections allowed
+add rule ip6 filter OUTPUT ct state related,established counter accept
+
+# allow dhcp6d from aws
+add rule ip6 filter INPUT ip6 daddr fe80::/64 udp sport 547 udp dport 546 counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ip_v6 is defined %}
+{% for ip in blocked_ip_v6 %}
+add rule ip6 filter INPUT ip6 saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip6 filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe (if we want noc02 to be able to get into remote systems)
+#add rule ip6 filter INPUT ip6 saddr 2600:2701:4000:5211:dead:beef:fe:fed9 tcp dport 5666 counter accept
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip6 filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip6 filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom6 rules - put them in as-is
+{% if nft_custom6_rules is defined %}
+{% for rule in nft_custom6_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter FORWARD counter reject with icmpv6 type admin-prohibited
--- a/roles/base/templates/nftables/nftables
+++ b/roles/base/templates/nftables/nftables
@ -0,0 +1,127 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter  INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10   tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.166.10   tcp dport 5666 counter accept
+# zabbix01
+add rule ip filter INPUT                        tcp dport 10051 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.198  tcp dport 10050 counter accept
+
+{% if env != 'staging' and datacenter == 'iad2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the iad2 datacenter, both production and staging hosts are in different
+# vlans, and different subnets. However, just as a precaution, we want prod machines to
+# reject connections from any staging host just in case there's some globally enabled port.
+# There are however a few hosts in production we have marked 'staging-friendly'
+# that we do allow staging to talk to for mostly read-only data they need.
+#
+add rule ip filter INPUT ip saddr 10.3.166.0/24 counter reject with icmp type host-prohibited
+add rule ip filter INPUT ip saddr 10.3.167.0/24 counter reject with icmp type host-prohibited
+{% endif %}
+
+{% if vpn %}
+#
+# We want to have all vpn hosts reject most things from the 'less secure' vpn network
+#
+{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
+# Allow all vpn hosts to talk to the log server for rsyslog
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport   514 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport 25826 counter accept
+{% endif %}
+{% if inventory_hostname in groups['ipa'] %}
+# Allow all vpn hosts to talk to the ipa servers for auth
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport  80 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport  88 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 389 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 443 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 464 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 636 counter accept
+
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport  88 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport 464 counter accept
+{% endif %}
+# Reject all further connections from less secure vpn
+add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies_internal']) %}
+{% if hostvars[proxy]['datacenter'] == "phx2" and 'ansible_eth0' in hostvars[proxy] %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% else %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% endif %}
+{% endfor %}
+# nagios
+add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT   counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+{% if nft_nat_rules %}
+
+add table ip nat
+add chain ip nat  PREROUTING { type nat hook prerouting priority -100; policy accept; }
+add chain ip nat       INPUT { type nat hook input priority 100; policy accept; }
+add chain ip nat      OUTPUT { type nat hook output priority -100; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
+
+{% for rule in nft_nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
--- a/roles/base/templates/nftables/nftables.kojibuilder
+++ b/roles/base/templates/nftables/nftables.kojibuilder
@ -0,0 +1,202 @@
+# {{ ansible_managed }}
+*add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy drop; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy drop; }
+
+# loopback allowed
+add rule ip filter  INPUT iifname "lo" counter accept
+add rule ip filter OUTPUT oifname "lo" counter accept
+add rule ip filter  INPUT iifname "virbr0" counter accept
+add rule ip filter OUTPUT oifname "virbr0" counter accept
+add rule ip filter  INPUT ip daddr 127.0.0.0/8 counter accept
+add rule ip filter OUTPUT ip daddr 127.0.0.0/8 counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip filter  INPUT ip protocol icmp counter accept
+add rule ip filter OUTPUT ip protocol icmp counter accept
+
+# Established connections allowed
+add rule ip filter  INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+{% if host in groups['osbuild'] %}
+# osbuild api for osbuild koji plugin
+#!# WARNING: This is very different...
+# -A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT
+
+add table inet global
+add set inet global osbuildapi { type ipv4_addr ; size 65536; }
+
+add rule ip filter OUTPUT tcp dport 443 ip daddr @osbuildapi accept
+
+# Then in the update script...
+# nft flush set      global osbuildapi
+# ...
+# nft add element ip global osbuildapi { 10.0.0.1 }
+
+# Also See: nft list ruleset
+
+{% endif %}
+
+# kojipkgs
+{% if host in groups['buildvm_s390x'] %}
+add rule ip filter OUTPUT ip daddr 10.16.0.17   tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.16.0.35   tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.1.102.24  tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.1.102.50  tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.169.106 tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.169.107 tcp dport 80 counter accept
+{% endif %}
+
+# tang for buildhw
+add rule ip filter OUTPUT ip daddr 10.3.163.37 tcp dport 80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.38 tcp dport 80 counter accept
+
+# DNS
+add rule ip filter OUTPUT ip daddr 10.3.163.33 udp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.33 tcp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.34 udp dport 53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.34 tcp dport 53 counter accept
+
+# bastion smtp
+add rule ip filter OUTPUT ip daddr 10.3.163.31 tcp dport 25 counter accept
+
+# infra.fp.o
+add rule ip filter OUTPUT ip daddr 10.3.163.35 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.35 tcp dport 443 counter accept
+
+# rsyslog out to log01
+add rule ip filter OUTPUT ip daddr 10.3.163.39 tcp dport 514 counter accept
+
+# SSH
+add rule ip filter  INPUT ip saddr 10.3.160.0/19 tcp dport 22 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.160.0/19 tcp sport 22 counter accept
+
+{% if inventory_hostname.startswith (('buildvm-s390x-11', 'buildvm-s390x-12', 'buildvm-s390x-13')) %}
+# Allow SSHFS binding to koji01
+add rule ip filter OUTPUT ip daddr 10.3.169.104 tcp dport 22 counter accept
+{% endif %}
+
+# http to pull sources from pkgs lookaside
+#add rule ip filter OUTPUT ip daddr 10.5.125.44 tcp dport 80 counter accept
+
+# https git on pagure,io
+add rule ip filter OUTPUT ip daddr 8.43.85.76 tcp dport 443 counter accept
+
+# admin.fedoraproject.org  for fas (proyx(1)01 and proxy(1)10)
+{% if host in groups['staging'] %}
+add rule ip filter OUTPUT ip daddr 10.3.166.74 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.74 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.75 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.75 tcp dport 443 counter accept
+{% endif %}
+
+add rule ip filter OUTPUT ip daddr 10.3.163.74 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.74 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.75 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.75 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.76 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.76 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.77 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.77 tcp dport 443 counter accept
+
+# ipa client ports
+{% if host in groups['staging'] %}
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 389 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 389 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 636 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 636 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 udp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 udp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.21 udp dport  53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport  53 counter accept
+{% else %}
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport  80 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 443 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport 389 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport 389 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 389 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport 636 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport 636 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 636 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  udp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  udp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport  88 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  tcp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  tcp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  udp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  udp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport 464 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.54  udp dport  53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.55  udp dport  53 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport  53 counter accept
+{% endif %}
+
+{% if host in groups['staging'] %}
+# Allow nfs from koji01
+add rule ip filter  INPUT ip daddr 10.3.167.64 tcp dport 2049 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.167.64 tcp dport 2049 counter accept
+{% endif %}
+#nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but 
+# kinda necessary
+add rule ip filter  INPUT ip saddr 10.3.162.11 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.162.11 counter accept
+#!# NOTE: tcp/udp doesn't translate without a port??
+add rule ip filter  INPUT ip saddr 10.3.162.12 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.162.12 counter accept
+add rule ip filter  INPUT ip saddr 10.3.162.13 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.162.13 counter accept
+add rule ip filter  INPUT ip saddr 10.3.162.14 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.162.14 counter accept
+
+# ntp
+add rule ip filter OUTPUT ip daddr 10.3.163.31 udp dport 123 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.163.32 udp dport 123 counter accept
+
+# dhcp
+add rule ip filter OUTPUT ip daddr 10.3.163.10 udp dport 67 counter accept
+
+# s390x builders ssh
+add rule ip filter  INPUT ip saddr 10.3.0.0/16 tcp dport 22 counter accept
+add rule ip filter OUTPUT ip daddr 10.3.0.0/16 tcp sport 22 counter accept
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
--- a/roles/base/templates/nftables/nftables.osuosl
+++ b/roles/base/templates/nftables/nftables.osuosl
@ -0,0 +1,61 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter  INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh only from needed ips
+# vpn in from tun0
+add rule ip filter INPUT iifname "tun0" ip saddr 192.168.0.0/24 ct state new tcp dport 22 counter accept
+# external ip for iad2
+add rule ip filter INPUT iifname "tun0" ip saddr 38.145.60.0/24 ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10  tcp dport 5666 counter accept
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter   INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
--- a/roles/base/templates/nftables/nftables.releng
+++ b/roles/base/templates/nftables/nftables.releng
@ -0,0 +1,87 @@
+# {{ ansible_managed }}
+#
+# NOTE: Chaging this template updates iptables on all releng hosts :)
+# Please check with sysadmin-main before pushing out an update here.
+#
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy drop; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# loopback allowed
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+
+# Overwrite any global rules
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.166.10  tcp dport 5666 counter accept
+# Zabbix
+add rule ip filter INPUT tcp dport 10051 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.198 tcp dport 10050 counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# SSH
+#!# NOTE: Do we still need/wants these 13+ years later?
+# ssh block against uni in .cz where problem(s) have been cited
+# added by skvidal on jan 24 2011 - as per request from spot
+add rule ip filter INPUT ip saddr 147.251.0.0/16 tcp dport 22 counter reject
+# matches last rule for a service we want blocked
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 22 counter reject with tcp reset
+add rule ip filter INPUT tcp dport 22 counter accept
+
+# Allow all netapp traffic
+add rule ip filter INPUT ip saddr 10.3.162.0/24 counter accept
+
+
+# Custom Services
+
+# Services TCP
+add rule ip filter INPUT tcp dport  22 counter accept
+add rule ip filter INPUT tcp dport  80 counter accept
+add rule ip filter INPUT tcp dport 443 counter accept
+
+# Services UDP
+
+# more services we use - ports for random services and TG listeners.
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# Extra protection for 192.168.100.x vpn hosts.
+add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited
+
+add rule ip filter   INPUT counter reject with icmp type host-prohibited
--- a/roles/base/templates/nftables/nftables.sign
+++ b/roles/base/templates/nftables/nftables.sign
@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# loopback allowed
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+
+# Allow connections from client/server
+add rule ip filter INPUT tcp dport 44333-44334 counter accept
+
+# otherwise kick everything out
+add rule ip filter   INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
--- a/roles/base/templates/nftables/nftables.staging
+++ b/roles/base/templates/nftables/nftables.staging
@ -0,0 +1,75 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10   tcp dport 5666 counter accept
+# zabbix01.stg
+add rule ip filter INPUT tcp dport 10051 counter accept
+add rule ip filter INPUT ip saddr 10.3.166.61 tcp dport 10050 counter accept
+
+
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in groups['proxies_stg'] %}
+{% if hostvars[proxy]['vpn'] %}
+#!# FIXME: This test is the negation of the one in iptables.
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% else %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% endif %}
+{% endfor %}
+# No nagios
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT   counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+# No nat rules
--- a/roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org
+++ b/roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org
@ -0,0 +1,89 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter  INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+# NOTE: we don't allow 10.3.163.10 / 10.3.166.10 or zabbix?
+
+# if the host/group defines incoming tcp_ports - allow them
+# NOTE: These are specific to eth0
+{% if tcp_ports_eth0 is defined %}
+{% for port in tcp_ports_eth0 %}
+add rule ip filter INPUT iifname "eth0" tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+# NOTE: These are specific to eth0
+{% if udp_ports_eth0 is defined %}
+{% for port in udp_ports_eth0 %}
+add rule ip filter INPUT iifname "eth0" udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+# NOTE: These are specific to eth1
+{% if tcp_ports_eth1 is defined %}
+{% for port in tcp_ports_eth1 %}
+add rule ip filter INPUT iifname "eth1" tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+# NOTE: These are specific to eth1
+{% if udp_ports_eth1 is defined %}
+{% for port in udp_ports_eth1 %}
+add rule ip filter INPUT iifname "eth1" udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter   INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+{% if nft_nat_rules %}
+#!# FIXME: These are different priority to iptables template...
+add table ip nat
+add chain ip nat  PREROUTING { type nat hook prerouting priority 0; policy accept; }
+add chain ip nat       INPUT { type nat hook input priority 0; policy accept; }
+add chain ip nat      OUTPUT { type nat hook output priority 0; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
+
+{% for rule in nft_nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
--- a/roles/base/templates/nftables/nftables.torrent02.fedoraproject.org
+++ b/roles/base/templates/nftables/nftables.torrent02.fedoraproject.org
@ -0,0 +1,94 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter   INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; } 
+add chain ip filter  OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter  INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10  tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10  tcp dport 5666 counter accept
+# NOTE: This doesn't include 10.3.166.10
+# NOTE: This doesn't include zabbix.
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same 
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in 
+# production we have marked 'staging-friendly' that we do allow staging to talk to for 
+# mostly read-only data they need.
+#
+{% for host in groups['staging']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+add rule ip filter INPUT ip saddr {{ hostvars[host]['eth0_ip'] }} counter reject with icmp type host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT   counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+add table ip raw
+add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
+add chain ip raw     OUTPUT { type filter hook output priority -300; policy accept; }
+
+#
+# We don't want to track all the torrent tracker connections, there's too many.
+#
+add rule ip raw PREROUTING tcp dport 6969 counter notrack
+add rule ip raw     OUTPUT tcp sport 6969 counter notrack
--- a/roles/koji_builder/templates/osbuildapi-update-nft.sh
+++ b/roles/koji_builder/templates/osbuildapi-update-nft.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+
+# in staging we need to allow api.stage and in prod api.
+{% if env == 'staging' %}
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query api.stage.openshift.com 2> /dev/null`
+{% else %}
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query api.openshift.com 2> /dev/null`
+{% endif %}
+test $? -eq 0 || exit $?
+
+NEWIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
+
+
+# both stage and prod authenticate using sso.redhat.com
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`
+test $? -eq 0 || exit $?
+
+NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
+
+# Empty the filter: We do this at the end for a small window.`
+nft flush set global osbuildapi
+
+# Add the IPs...
+for j in $NEWIPS
+do
+     nft add element ip global osbuildapi { $j }
+done
+
+for j in $NEWIDENTITYIPS
+do
+     nft add element ip global osbuildapi { $j }
+done