From 5d011c9559c220eb2feee32a7170ea0caa7dcb91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20L=C3=A1szl=C3=B3?= <rlacko99@gmail.com>
Date: Thu, 16 Sep 2021 11:10:34 +0200
Subject: [PATCH] template nftables accepted ports

---
 defaults/main.yml              | 5 +++++
 templates/etc/nftables.conf.j2 | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index db1d9e3..a77baa9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,6 +10,11 @@ lan_port: ens224
 #   dnat:
 #     - dport: 6443
 #       to: 192.168.69.1:6443
+#   accept:
+#     - saddr: 152.66.0.0/16
+#       dport: 10022
+#     - saddr: 10.0.0.0/8
+#       dport: 10022
 
 # netplan:
 #   network:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index f72e107..68a66f9 100644
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -22,7 +22,11 @@ table inet filter {
 
     ip protocol icmp accept
 
-    tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"
+{% if nftables.accept is defined %}
+{% for accept in nftables.accept %}
+    ip saddr {{ accept.saddr }} tcp dport {{ accept.dport }} accept comment "{{ accept.comment }}"
+{% endfor %}
+{% endif %}    
   }
 
   chain forward {
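Review bot: The unconditional SSH accept rule is removed and replaced only by the `{% if nftables.accept is defined %}` block, so a host deployed without `nftables.accept` renders an input chain with no accepted TCP port at all and management access is lost on the next ruleset reload. Keep the old line as the fallback, `{% else %}` followed by `    tcp dport {{ ssh_port | default("10022", true) }} accept comment "SSH in"` before `{% endif %}`, or document that `nftables.accept` is now mandatory. Each entry also reads `accept.comment`, which the example in `defaults/main.yml` in the first hunk does not set, so with Ansible's default handling of undefined variables that example fails to render; `{{ accept.comment | default("accept") }}` makes it optional. Because the comment is interpolated inside double quotes, a value containing `"` produces an invalid ruleset, which is worth a `{# comment must not contain double quotes #}` note or a `| replace('"', '')` filter. The `{% endif %}` line also carries trailing whitespace that should be dropped.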
-- 
GitLab