template nftables accepted ports

5d011c95 · Rafael László · dce5a59b · 5d011c95 · 5d011c95
Commit 5d011c95 authored Sep 16, 2021 by Rafael László
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,11 @@ lan_port: ens224
 #   dnat:
 #     - dport: 6443
 #       to: 192.168.69.1:6443
+#   accept:
+#     - saddr: 152.66.0.0/16
+#       dport: 10022
+#     - saddr: 10.0.0.0/8
+#       dport: 10022

 # netplan:
 #   network:

--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -22,7 +22,11 @@ table inet filter {

    ip protocol icmp accept

-    tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"
+{% if nftables.accept is defined %}
+{% for accept in nftables.accept %}
+    ip saddr {{ accept.saddr }} tcp dport {{ accept.dport }} accept comment "{{ accept.comment }}"
+{% endfor %}
+{% endif %}    
  }

  chain forward {