nftables: create a block rules section and move pagure blocks to it

Before, the custom rules list was actually intended to _allow_ more things
on a particular host. Putting those blocks in there was useless because
custom rules were applied _after_ all the allowed ports, so they weren't
really blocking anything.

This moves them to a block_rules applied before the ports are allowed
Also move pagure's to that new rule list.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2025-04-29 11:36:20 -07:00
parent 0571feb2ce
commit ebffcee73c
2 changed files with 8 additions and 1 deletions


@ -7,12 +7,13 @@ custom_rules: [
'-A INPUT -s 47.76.209.138/32 -j REJECT', '-A INPUT -s 47.76.209.138/32 -j REJECT',
'-A INPUT -s 47.76.99.127/32 -j REJECT' '-A INPUT -s 47.76.99.127/32 -j REJECT'
] ]
nft_custom_rules: nft_block_rules:
- 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject' - 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject'
- 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject' - 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
- 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject' - 'add rule ip filter INPUT ip saddr 47.76.0.0/14 counter reject'
- 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject' - 'add rule ip filter INPUT ip saddr 47.80.0.0/13 counter reject'
- 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject' - 'add rule ip filter INPUT ip saddr 47.74.0.0/15 counter reject'
- 'add rule ip filter INPUT ip saddr 66.249.64.0/24 counter reject'
# For the MOTD # For the MOTD
db_backup_dir: ['/backups'] db_backup_dir: ['/backups']
dbs_to_backup: ['pagure'] dbs_to_backup: ['pagure']
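Review bot: The new `nft_block_rules` list records neither why these sources are rejected nor when the entries can be lifted, and nothing in the hunk distinguishes a deliberate block from a mis-typed address; a why-comment above `nft_block_rules:` such as `# Sources rejected before tcp_ports/udp_ports are allowed (see the nftables template); note reason and date per entry` would help the next operator. The `66.249.64.0/24` entry added at the end of the list appears to fall inside a range commonly published as a search-engine crawler range, so if that is intended it deserves its own comment, and if not it should be double-checked. The iptables `custom_rules` REJECT entries for 47.76.x a few lines above are left in place; if the iptables template also emits `custom_rules` after the accept rules, as the commit message describes for nftables, they remain ineffective and are in any case covered by the `47.76.0.0/14` nftables entry. All new entries match `ip saddr` in the `ip` family only, so the same sources over IPv6, if any, are not covered — worth confirming whether an `ip6` equivalent is needed.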


@ -67,6 +67,12 @@ add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type
{% endif %} {% endif %}
{% if nft_block_rules is defined %}
# if there are block rules - put them in as-is
{% for rule in nft_block_rules %}
{{ rule }}
{% endfor %}
{% endif %}
# if the host/group defines incoming tcp_ports - allow them # if the host/group defines incoming tcp_ports - allow them
{% if tcp_ports is defined %} {% if tcp_ports is defined %}
{% for port in tcp_ports %} {% for port in tcp_ports %}