nft role + disable iptables when nft enabled

This commit is contained in:
Mark Janssen 2024-07-24 21:32:13 +02:00
parent a74dba4557
commit 848917a72c
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
17 changed files with 348 additions and 57 deletions


@ -29,3 +29,4 @@
with_items:
- { c: iptables, ip: v4 }
- { c: ip6tables, ip: v6 }
when: not nft | bool
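Review bot: `when: not nft | bool` on the added line makes Ansible raise an undefined-variable error and abort the play on any host where `nft` is not defined at all, so the guard should tolerate the unset case, e.g. `when: not (nft | default(false) | bool)`, unless the role defaults added elsewhere in this commit are guaranteed to set it (that is not visible in this hunk). With that default, hosts that have not opted into nft keep the existing iptables behaviour instead of failing. The task this condition belongs to starts outside the hunk.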


@ -66,8 +66,6 @@
- etckeeper
- git
- htop
- iptables
- iptables-persistent
- jq
- net-tools
- netcat-openbsd
@ -133,6 +131,7 @@
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
- name: Allow ICMP
ansible.builtin.iptables:
@ -144,6 +143,7 @@
- { ip: ipv4, proto: icmp }
- { ip: ipv6, proto: ipv6-icmp }
notify: persist iptables
when: not nft | bool
- name: Allow related and established connections
ansible.builtin.iptables:
@ -155,6 +155,7 @@
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
- name: Allow local connections
ansible.builtin.iptables:
@ -164,6 +165,7 @@
ip_version: "{{ item.v }}"
with_items: "{{ trusted_ranges }}"
notify: persist iptables
when: not nft | bool
- name: Deny inbound connections
ansible.builtin.iptables:
@ -174,3 +176,4 @@
- ipv4
- ipv6
notify: persist iptables
when: not nft | bool
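Review bot: The `iptables` and `iptables-persistent` entries appear to be dropped from the package list unconditionally (the hunk shrinks from 8 to 6 lines), yet the `ansible.builtin.iptables` tasks below and the `persist iptables` handler still run whenever `nft` is false, so on a minimal image where the binary is not already present those tasks will fail and the handler presumably has nothing to persist with. Keep the two packages behind the same condition, e.g. a separate package task with `when: not nft | bool`, rather than removing them from the baseline. Note also that with `nft` true the whole chain, including `Deny inbound connections`, is skipped, so the host's default-deny policy now rests entirely on the nft role; a comment above the first guarded task such as `# iptables rules are skipped when nft is enabled; the nft role must supply the default-deny policy` would make that dependency explicit. The surrounding task list starts and ends outside these hunks.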