pimvh.nftables

Molecule test

Requirements

  1. Install Ansible (Debian and Ubuntu disable `ensurepip`, so install pip from apt as well):
sudo apt install python3 python3-pip
pip3 install ansible

Variables You Need

Check the variables listed in the defaults.

You can add firewall settings for a single host (in ../host_vars/[host_name].yaml) or for a group of hosts (in ../group_vars/[group_name].yaml) using the structure below (see molecule/default/vars/test.yaml for a complete example):

# This variable points to the rules applied to the remote host
# It's a dictionary of tables, each with chains and rules, see molecule/default/vars/test.yaml
nftables_ruleset:
  # The names here become tables
  # They must specify the firewall type and name, for example:
  "inet firewall":

    # Description of the table
    comment: "Firewall for the device"

    chains:

      # Name of the chain
      input:
        # Name of the variable from nftables_rules
        # that you want to include in this chain
        - input_hook
        - valid_connections
        - ...

  # Another table with the same structure
  # Valid families are the ones nft accepts: ip, ip6, inet, arp, bridge and netdev
  "inet foo":

# The possible rules are defined under `nftables_rules`
# Each rule has two parts:
# -> def: the definition of the rules in correct nftables syntax
# -> depends_on: optional list of dependencies from nftables_variables
# Check molecule/default/vars/test.yaml for an example

nftables_rules:
  input_hook:
    def: |
        type filter hook input priority 0; policy drop;
  valid_connections:
    def: |
        ct state established, related accept
        ct state invalid drop

  new_connections:
    def: |
        ct state new accept


# These are variable definitions that include dependencies
# Ensure the keys match
# Check molecule/default/vars/test.yaml for an example
nftables_variables:

  tcp_ports:
    comment: Configuration for TCP ports
    def: |
      {% if nftables_open_tcp_ports_global %}define OPEN_TCP_PORTS = { {{ nftables_open_tcp_ports_global | join(",") }} }{% endif +%}
      {% if nftables_open_tcp_ports_local %}define LOCAL_OPEN_TCP_PORTS = { {{ nftables_open_tcp_ports_local | join(",") }} }{% endif +%}
      {% if nftables_open_tcp_ports_vpn %}define VPN_TCP_PORTS = { {{ nftables_open_tcp_ports_vpn | join(",") }} }{% endif +%}

  ...

The role validates the variables passed to it against its argument_spec (meta/argument_specs.yml), so a missing or mistyped variable fails the play before any firewall change is made.
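The argument_spec catches missing or mistyped top-level variables, but not a chain that names a rule which does not exist, or a rule whose depends_on points at a variable that was never defined; those only surface when the rendered file is loaded. The following is an added example, not code from the pimvh.nftables role: it models the three variables described above as Python dicts, checks every cross-reference, renders the result as a plain nft ruleset, and hands it to `nft -c -f -` when nft is available. The sample data is constructed for this example, the rendered layout (comment line, defines first, one block per table and chain) is an assumption about what a sensible template produces, and no Jinja rendering is done because in Ansible the def strings would already have been expanded.

```python
"""Pre-flight check for nftables_ruleset / nftables_rules / nftables_variables.

Added example, not part of the pimvh.nftables role. Constructed sample data,
assumed output layout; `def` strings are taken as already rendered by Jinja.
"""
import shutil
import subprocess

# Address families nft accepts in `table <family> <name>`.
FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}

# Constructed sample mirroring the README structure.
NFTABLES_VARIABLES = {
    "tcp_ports": {
        "comment": "Configuration for TCP ports",
        "def": "define OPEN_TCP_PORTS = { 22, 443 }\n",
    },
}
NFTABLES_RULES = {
    "input_hook": {"def": "type filter hook input priority 0; policy drop;\n"},
    "valid_connections": {
        "def": "ct state established, related accept\nct state invalid drop\n",
    },
    "open_tcp_ports": {
        "def": "tcp dport $OPEN_TCP_PORTS accept\n",
        "depends_on": ["tcp_ports"],
    },
}
NFTABLES_RULESET = {
    "inet firewall": {
        "comment": "Firewall for the device",
        "chains": {"input": ["input_hook", "valid_connections", "open_tcp_ports"]},
    },
}


class RulesetError(ValueError):
    """Raised when the three variables do not reference each other consistently."""


def validate(ruleset, rules, variables):
    """Return a list of problems; empty when every reference resolves."""
    errors = []
    for table, spec in ruleset.items():
        parts = table.split()
        if len(parts) != 2 or parts[0] not in FAMILIES:
            errors.append(f"table {table!r}: expected '<family> <name>' with family in {sorted(FAMILIES)}")
        for chain, rule_names in (spec.get("chains") or {}).items():
            for name in rule_names:
                rule = rules.get(name)
                if not isinstance(rule, dict) or "def" not in rule:
                    errors.append(f"{table}/{chain}: rule {name!r} is missing or has no 'def'")
                    continue
                for dep in rule.get("depends_on", []):
                    if dep not in variables or "def" not in variables[dep]:
                        errors.append(f"rule {name!r}: depends_on {dep!r} is not in nftables_variables")
    return errors


def render(ruleset, rules, variables):
    """Render an nft ruleset as text; raises RulesetError on dangling references."""
    errors = validate(ruleset, rules, variables)
    if errors:
        raise RulesetError("\n".join(errors))
    defines = []  # `define` must precede its use: collect in first-use order, once each
    body = []
    for table, spec in ruleset.items():
        if spec.get("comment"):
            body.append(f"# {spec['comment']}")
        body.append(f"table {table} {{")
        for chain, rule_names in (spec.get("chains") or {}).items():
            body.append(f"    chain {chain} {{")
            for name in rule_names:
                for dep in rules[name].get("depends_on", []):
                    if dep not in defines:
                        defines.append(dep)
                for line in rules[name]["def"].splitlines():
                    if line.strip():
                        body.append(f"        {line.strip()}")
            body.append("    }")
        body.append("}")
    head = [variables[d]["def"].strip() for d in defines]
    return "\n".join(head + ([""] if head else []) + body) + "\n"


def nft_check(text):
    """Parse the rendered ruleset with the real nft binary without applying it.

    Returns True/False, or None when nft is not installed on this machine.
    """
    if shutil.which("nft") is None:
        return None
    proc = subprocess.run(["nft", "-c", "-f", "-"], input=text, text=True, capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    rendered = render(NFTABLES_RULESET, NFTABLES_RULES, NFTABLES_VARIABLES)
    print(rendered)
    print("nft -c result:", nft_check(rendered))
```

Run it on the controller before the play; `nft -c` validates against the running kernel, so run it as root on a host with the same nftables version as the targets to be sure the syntax (set syntax, `comment`, newer match keywords) is accepted there too.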

Example Playbook

Here's a minimal playbook (assuming the variables above are defined in host_vars or group_vars for the targeted hosts):

- hosts: foo
  become: true
  roles:
    - pimvh.nftables

Summary - What Happens When You Run This

  • Check if rules and other variables are defined
  • Install nftables and its Python interface
  • Create the required nftables tables
  • Create empty dynamic tables
  • Create an empty blocklist
  • Copy a nftables template to the nftables directory
  • Update the nftables service to link to our new main file
  • Create a script to reload the firewall, which saves tables not under our control to files and reloads the firewall
  • If nftables_abuseip_api_key is defined, add a script that fetches the blocklist from the provider's API, plus a systemd service that runs it
  • Enable the nftables service if requested
  • Uninstall iptables if requested

Future Improvements

  • Simplify the structure of rules to be passed
  • Enhance the argument_specs for nftables_variables and nftables_ruleset
About the project

Role to configure nftables using a YAML file

Install
ansible-galaxy install pimvh.nftables
License
gpl-3.0
Downloads
110
Owner