Initial commit

2024-10-30 01:50:38 +01:00
commit 587ca23374
147 changed files with 7521 additions and 0 deletions

roles/firewall/README.md Normal file

@@ -0,0 +1,192 @@
# `flyoverhead.openwrt.firewall`
OpenWRT `firewall` configuration
- configure defaults settings
- create/delete/configure firewall zones
- create/delete/configure firewall zone forwardings
- create/delete/configure firewall traffic rules
- create/delete/configure firewall port forwardings
- create/delete/configure firewall ip sets
- create/delete/configure firewall nat rules
## Role Variables
| Variable | Descritpion | Status | Type | Default/Example |
| :--- | :--- | :--- | :--- | :--- |
| `firewall_defaults` | [Minimal firewall configuration](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#defaults) | | `dictionary` | |
|  `input` | Set policy for the `INPUT` chain of the `filter` table (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `REJECT` |
|  `forward` | Set policy for the `FORWARD` chain of the `filter` table (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `REJECT` |
|  `output` | Set policy for the `OUTPUT` chain of the `filter` table (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `REJECT` |
|  `drop_invalid` | Drop invalid packets | `optional` | `boolean` | `0` |
|  `synflood_protect` | Enable SYN flood protection | `optional` | `boolean` | `0` |
|  `synflood_rate` | Set rate limit (packets/second) for SYN packets which the traffic is considered a flood | `optional` | `string` | `25/s` |
|  `synflood_burst` | Set burst limit for SYN packets which the traffic is considered a flood if it exceeds the allowed rate | `optional` | `string` | `50` |
|  `flow_offloading` | Enable software flow offloading for connections | `optional` | `boolean` | `0` |
|  `flow_offloading_hw` | Enable hardware flow offloading for connections | `optional` | `boolean` | `0` |
| `firewall_zones` | List of [firewall zones](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones) | | `list of dictionaries` | |
|  `id` | Unique zone ID | `mandatory` | `string` | `guest` |
|  `name` | Unique zone name | `mandatory` | `string` | `guest` |
|  `state` | Zone status (`present` or `absent`) | `required` | `string` | `present` |
|  `network` | List of interfaces attached to this zone (if omitted and neither extra* options, subnets nor devices are given, the value of `name` is used by default) | `required` | `list` | `["lan"]` |
|  `masq` | Masquerade outgoing zone IPv4 traffic | `optional` | `boolean` | `0` |
|  `mtu_fix` | Enable MSS clamping for outgoing zone traffic | `optional` | `boolean` | `0` |
|  `input` | Default policy for incoming zone traffic (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `DROP` |
|  `forward` | Default policy for forwarded zone traffic (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `DROP` |
|  `output` | Default policy for outgoing zone traffic (`ACCEPT`, `REJECT`, `DROP`) | `optional` | `string` | `DROP` |
|  `family` | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `any` |
|  `enabled` | Enable zone | `optional` | `boolean` | `1` |
| `firewall_forwardings` | List of [zone forwardings](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#forwardings) | | (`list of dictionaries`) | |
|  `name` | Unique forwarding name | `mandatory` | `string` | `guest` |
|  `state` | Forwarding status (`present` or `absent`) | `required` | `string` | `present` |
|  `src` | Traffic source zone (one of the defined `zone names`) | `mandatory` | `string` | `lan` |
|  `dest` | Traffic destination zone (one of the defined `zone names`) | `mandatory` | `string` | `wan` |
|  `family` | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `any` |
|  `ipset` | Match traffic against the given ipset | `optional` | `string` | `ipset_example` |
|  `enabled` | Enable forwarding | `optional` | `boolean` | `1` |
| `firewall_rules` | List of [traffic rules](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules) | | (`list of dictionaries`) | |
|  `id` | Unique rule ID | `mandatory` | `string` | `rule_example` |
|  `name` | Unique rule name | `mandatory` | `string` | `Example rule` |
|  `state` | Rule status (`present` or `absent`) | `required` | `string` | `present` |
|  `src` | Traffic source zone (one of the defined `zone names` or `*` for any zone) | `required` | `string` | `wan` |
|  `src_ip` | Match incoming traffic from the specified source IP address | `optional` | `string` | `192.168.1.1` |
|  `src_port` | Match incoming traffic from the specified source port or port range, if relevant `proto` is specified | `optional` | `list` | `["22", "80", "3000-3010"]` |
|  `src_mac` | Match incoming traffic from the specified MAC address | `optional` | `string` | `00:11:22:33:44:55` |
|  `dest` | Traffic destination zone (one of the defined `zone names` or `*` for any zone) | `required` | `string` | `lan` |
|  `dest_ip` | Match incoming traffic directed to the specified destination IP address | `optional` | `string` | `192.168.1.10` |
|  `dest_port` | Match incoming traffic directed at the given destination port or port range, if relevant `proto` is specified | `optional` | `list` | `["22", "80", "3000-3010"]` |
|  `target` | Firewall action (`ACCEPT`, `REJECT`, `DROP`, `MARK`, `NOTRACK`) for matched traffic | `mandatory` | `string` | `DROP` |
|  `proto` | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp`, or `all`) | `optional` | `list` | `["tcp", "udp"]` |
|  `family` | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `any` |
|  `ipset` | Match traffic against the given ipset | `optional` | `string` | `ipset_example` |
|  `mark` | Match traffic against the given firewall mark | `optional` | `string` | `prohibit` |
|  `set_mark` | Zeroes out the bits given by mask and ORs value into the packet mark | `optional` | `string` | `0xFFFFFFFF` |
|  `enabled` | Enable rule | `optional` | `boolean` | `0` |
| `firewall_redirects` | List of [port forwardings](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#redirects) | | (`list of dictionaries`) | |
|  `id` | Unique redirect ID | `mandatory` | `string` | `redirect_example` |
|  `name` | Redirect description | `mandatory` | `string` | `Example redirection` |
|  `state` | Redirect status (`present` or `absent`) | `required` | `string` | `present` |
|  `src` | Traffic source zone (one of the defined `zone names`) | `required` | `string` | `wan` |
|  `src_ip` | Match incoming traffic from the specified source IP address | `optional` | `string` | `172.16.0.10` |
|  `src_port` | Match incoming traffic originating from the given source port or port range on the client host | `optional` | `string` | `22` |
|  `src_mac` | Match incoming traffic from the specified MAC address | `optional` | `string` | `00:11:22:33:44:55` |
|  `src_dip` | Match incoming traffic directed at the given destination IP address (for DNAT), or rewrite the source address to the given address (for SNAT) | `optional` | `string` | `172.16.0.10` |
|  `src_dport` | Match incoming traffic directed at the given destination port or port range (for DNAT), or rewrite the source ports to the given value (for SNAT) | `optional` | `string` | `22` |
|  `dest` | Traffic destination zone (one of the defined `zone names`) | `required` | `string` | `lan` |
|  `dest_ip` | Redirect matches incoming traffic to the specified internal host (for DNAT), or match traffic directed at the given address (for SNAT) | `optional` | `string` | `192.168.1.1` |
|  `dest_port` | Redirect matched incoming traffic to the given port or port range (for DNAT), or match traffic directed at the given port or port range (for SNAT) | `optional` | `string` | `22` |
|  `target` | NAT target for the rule (`DNAT` or `SNAT`) | `optional` | `string` | `DNAT` |
|  `proto` | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp`, or `all`) | `optional` | `list` | `["tcp", "udp"]` |
|  `family` | Protocol family used by iptables rule (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `any` |
|  `ipset` | Match traffic against the given ipset | `optional` | `string` | `ipset_example` |
|  `mark` | Match traffic against the given firewall mark | `optional` | `string` | `0xFFFFFFFF` |
|  `enabled` | Enable redirect | `optional` | `boolean` | `1` |
| `firewall_ipsets` | List of [IP sets](https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options_fw4) | | (`list of dictionaries`) | |
|  `id` | Unique ipset ID | `mandatory` | `string` | `ipset_example` |
|  `name` | Unique ipset name | `mandatory` | `string` | `Example IPset` |
|  `state` | Forwarding status (`present` or `absent`) | `required` | `string` | `present` |
|  `comment` | Comment for the ipset | `optional` | `string` | `Example IP set` |
|  `match` | List of matched data types (`ip`, `port`, `mac`, `net` or `set`) and their direction (`src` or `dest`) joined by an underscore | `mandatory` | `list` | `["src_ip", "port"]` |
|  `entry` | The IP address, CIDR, or MAC | `optional` | `list` | `["00:11:22:33:44:55", "172.16.0.0/24"]` |
|  `family` | Protocol family used by ipset (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `ipv4` |
|  `maxelem` | Limits of items that can be added to the ipset | `optional` | `integer` | `65536` |
|  `loadfile` | Path to file containing a list of CIDRs, subnets, host IPs | `optional` | `string` | `/tmp/ipset.list` |
|  `enabled` | Enable ipset | `optional` | `boolean` | `1` |
| `firewall_nats` | List of [NAT rules](https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#selective_nat) | | (`list of dictionaries`) | |
|  `id` | Unique nat ID | `mandatory` | `string` | `nat_example` |
|  `name` | Unique rule name | `mandatory` | `string` | `Example NAT` |
|  `state` | Redirect status (`present` or `absent`) | `required` | `string` | `present` |
|  `src` | Traffic source zone (one of the defined `zone names`) | `required` | `string` | `wan` |
|  `src_ip` | Match forwarded traffic from the specified source IP address or range | `optional` | `string` | `172.16.0.10` |
|  `src_port` | Match forwarded traffic originating from the given source port or port range | `optional` | `string` | `22` |
|  `dest_ip` | Match forwarded traffic directed at the given IP address | `optional` | `string` | `192.168.1.1` |
|  `dest_port` | Match forwarded traffic directed at the given destination port or port range | `optional` | `string` | `22` |
|  `snat_ip` | Rewrite matched traffic to the specified source IP address (for `SNAT`) | `optional` | `string` | `172.16.0.10` |
|  `snat_port` | Rewrite matched traffic to the specified source port or port range | `optional` | `string` | `22` |
|  `target` | NAT target for the rule (`ACCEPT`, `MASQUERADE` or `SNAT`) | `mandatory` | `string` | `ACCEPT` |
|  `proto` | Match incoming traffic using the given protocol (`tcp`, `udp`, `udplite`, `icmp`, `esp`, `ah`, `sctp`, or `all`) | `optional` | `list` | `["tcp", "udp"]` |
|  `family` | Protocol family used by ipset (`ipv4`, `ipv6` or `any`) | `optional` | `string` | `ipv4` |
|  `mark` | Match traffic against the given firewall mark | `optional` | `string` | `0xFFFFFFFF` |
|  `enabled` | Enable NAT rule | `optional` | `boolean` | `0` |
## Dependencies
| Name | Description |
| :--- | :--- |
| `Ansible Role: openwrt` | [Ansible role by gekmihesg](https://github.com/gekmihesg/ansible-openwrt) for managing OpenWRT and derivatives |
## Example Playbook
```yaml
- hosts: openwrt
roles:
- role: flyoverhead.openwrt.firewall
```
## Example Vars
```yaml
firewall_defaults:
input: "ACCEPT"
forward: "REJECT"
output: "ACCEPT"
drop_invalid: "1"
synflood_protect: "1"
firewall_zones:
- id: "iot"
name: "iot"
state: "present"
network: ["iot"]
input: "DROP"
forward: "DROP"
output: "ACCEPT"
family: "ipv4"
firewall_forwardings:
- id: "lan_iot"
state: "present"
src: "lan"
dest: "iot"
family: "ipv4"
- id: "iot_wan"
state: "present"
src: "iot"
dest: "wan"
family: "ipv4"
firewall_rules:
- id: "allow_iot_dhcp_dns"
name: "Allow DHCP and DNS for IoT"
state: "present"
src: "iot"
src_port: ["53", "67", "68"]
dest: "lan"
dest_port: ["53", "67", "68"]
target: "ACCEPT"
family: "ipv4"
firewall_redirects:
- id: "force_dns_lan"
name: "Force lan DNS"
state: "present"
src: "lan"
src_dport: "53"
target: "DNAT"
family: "ipv4"
- id: "force_dns_iot"
name: "Force iot DNS"
state: "present"
src: "iot"
src_dport: "53"
target: "DNAT"
family: "ipv4"
```
## License
[GNU General Public License v3.0](https://www.gnu.org/licenses/gpl-3.0.txt)
## Author Information
fly0v3rH34D
## References
- https://openwrt.org/docs/guide-user/firewall/firewall_configuration
- https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#nat_examples


@@ -0,0 +1,109 @@
---
# defaults section
firewall_defaults:
input: ""
forward: ""
output: ""
drop_invalid: ""
synflood_protect: ""
synflood_rate: ""
synflood_burst: ""
flow_offloading: ""
flow_offloading_hw: ""
# zones section
firewall_zones:
- id: ""
name: ""
state: ""
network: []
masq: ""
mtu_fix: ""
input: ""
forward: ""
output: ""
family: ""
enabled: ""
# forwardings section
firewall_forwardings:
- id: ""
state: ""
src: ""
dest: ""
family: ""
ipset: ""
enabled: ""
# rules section
firewall_rules:
- id: ""
name: ""
desc: ""
state: ""
src: ""
src_ip: ""
src_port: []
src_mac: ""
dest: ""
dest_ip: ""
dest_port: []
target: ""
proto: []
family: ""
ipset: ""
mark: ""
set_mark: ""
enabled: ""
# redirects section
firewall_redirects:
- id: ""
name: ""
state: ""
src: ""
src_ip: ""
src_port: ""
src_mac: ""
src_dip: ""
src_dport: ""
dest: ""
dest_ip: ""
dest_port: ""
target: ""
proto: []
family: ""
ipset: ""
mark: ""
enabled: ""
# ip sets section
firewall_ipsets:
- id: ""
name: ""
state: ""
comment: ""
match: []
entry: []
family: ""
maxelem: ""
loadfile: ""
enabled: ""
# nat section
firewall_nats:
- id: ""
name: ""
state: ""
src: ""
src_ip: ""
src_port: ""
dest_ip: ""
dest_port: ""
snat_ip: ""
snat_port: ""
target: ""
proto: []
family: ""
mark: ""
enabled: ""


@@ -0,0 +1,6 @@
---
# Reload firewall service
- name: Reload firewall
ansible.builtin.service:
name: firewall
state: restarted
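Review bot: The handler is named `Reload firewall` but requests `state: restarted`, which stops and starts the firewall service rather than reloading its ruleset. If the service module available on the target supports it, `state: reloaded` matches both the intent and the name; otherwise rename the handler to `Restart firewall` so a reader of `notify: Reload firewall` in the main task file is not misled about what is triggered. How much the two differ in disruption on the target's firewall implementation is not visible here, so verify on a device before changing it.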


@@ -0,0 +1,12 @@
---
galaxy_info:
author: flyoverhead
description: Configure firewall settings
license: GPL-3.0
min_ansible_version: "2.13"
platforms:
- name: OpenWrt
versions: ["22.03"]
galaxy_tags: ["openwrt", "firewall"]
dependencies:
- role: gekmihesg.openwrt


@@ -0,0 +1,18 @@
---
# Configure defaults settings
- name: Configure defaults settings
uci:
command: "set"
config: "firewall"
section: "@defaults[0]"
type: "defaults"
value:
input: "{{ firewall_defaults.input | default(omit) }}"
forward: "{{ firewall_defaults.forward | default(omit) }}"
output: "{{ firewall_defaults.output | default(omit) }}"
drop_invalid: "{{ firewall_defaults.drop_invalid | default(omit) }}"
synflood_protect: "{{ firewall_defaults.synflood_protect | default(omit) }}"
synflood_rate: "{{ firewall_defaults.synflood_rate | default(omit) }}"
synflood_burst: "{{ firewall_defaults.synflood_burst | default(omit) }}"
flow_offloading: "{{ firewall_defaults.flow_offloading | default(omit) }}"
flow_offloading_hw: "{{ firewall_defaults.flow_offloading_hw | default(omit) }}"


@@ -0,0 +1,41 @@
---
# Set state status for firewall forwarding
- name: Set state status for firewall forwarding {{ item.id | default('@forwarding[-1]') }}
ansible.builtin.set_fact:
firewall_forwarding_state: "{{ item.state | default('present') }}"
# Delete firewall forwarding
- name: Delete firewall forwarding {{ item.id }}
when: "'absent' in firewall_forwarding_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "forwarding"
# Create and configure firewall forwarding
- name: Create and configure firewall forwarding
when: "'present' in firewall_forwarding_state"
block:
# Create firewall forwarding
- name: Create firewall forwarding {{ item.id | default('@forwarding[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@forwarding[-1]') }}"
type: "forwarding"
# Configure firewall forwarding
- name: Configure firewall forwarding {{ item.id | default('@forwarding[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@forwarding[-1]') }}"
type: "forwarding"
value:
name: "{{ item.id | default(omit) }}"
src: "{{ item.src | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
family: "{{ item.family | default(omit) }}"
ipset: "{{ item.ipset | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"


@@ -0,0 +1,43 @@
---
# Set state status for firewall ipset
- name: Set state status for firewall ipset {{ item.id | default('@ipset[-1]') }}
ansible.builtin.set_fact:
firewall_ipset_state: "{{ item.state | default('present') }}"
# Delete firewall ipset
- name: Delete firewall ipset {{ item.id }}
when: "'absent' in firewall_ipset_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "ipset"
# Create and configure firewall ipset
- name: Create and configure firewall ipset
when: "'present' in firewall_ipset_state"
block:
# Create firewall ipset
- name: Create firewall ipset {{ item.id | default('@ipset[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@ipset[-1]') }}"
type: "ipset"
# Configure firewall ipset
- name: Configure firewall ipset {{ item.id | default('@ipset[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@ipset[-1]') }}"
type: "ipset"
value:
name: "{{ item.name | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
match: "{{ item.match | default([]) | join(' ') }}"
entry: "{{ item.entry | default([]) | join(' ') }}"
family: "{{ item.family | default(omit) }}"
maxelem: "{{ item.maxelem | default(omit) }}"
loadfile: "{{ item.loadfile | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"


@@ -0,0 +1,40 @@
---
# Configure deaults section
- name: Configure defaults section
ansible.builtin.include_tasks: defaults.yml
# Configure zone section
- name: Configure zone section
ansible.builtin.include_tasks: zone.yml
loop: "{{ firewall_zones | default([]) }}"
# Configure forwarding section
- name: Configure forwarding section
ansible.builtin.include_tasks: forwarding.yml
loop: "{{ firewall_forwardings | default([]) }}"
# Configure rule section
- name: Configure rule section
ansible.builtin.include_tasks: rule.yml
loop: "{{ firewall_rules | default([]) }}"
# Configure redirect section
- name: Configure redirect section
ansible.builtin.include_tasks: redirect.yml
loop: "{{ firewall_redirects | default([]) }}"
# Configure ipset section
- name: Configure ipset section
ansible.builtin.include_tasks: ipset.yml
loop: "{{ firewall_ipsets | default([]) }}"
# Configure nat section
- name: Configure nat section
ansible.builtin.include_tasks: nat.yml
loop: "{{ firewall_nats | default([]) }}"
# Apply changes and reload firewall service
- name: Apply changes and reload firewall
uci:
command: commit
notify: Reload firewall
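Review bot: The final `uci: command: commit` task passes no `config`, so it commits every pending change in the uci staging area on the target, not only the firewall changes this role made — every other uci call in the role is scoped with `config: "firewall"`, and a half-staged change left by another role or a manual session would be committed along with them. Add `config: "firewall"` under the commit task, assuming the module accepts it for `commit` as it does for `set`, `add` and `absent`. Whether the handler is notified only when the commit actually changed something depends on the module's changed reporting, which is not visible here.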


@@ -0,0 +1,48 @@
---
# Set state status for firewall nat
- name: Set state status for firewall nat {{ item.id | default('@nat[-1]') }}
ansible.builtin.set_fact:
firewall_nat_state: "{{ item.state | default('present') }}"
# Delete firewall nat
- name: Delete firewall nat {{ item.id }}
when: "'absent' in firewall_nat_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "nat"
# Create and configure firewall nat
- name: Create and configure firewall nat
when: "'present' in firewall_nat_state"
block:
# Create firewall nat
- name: Create firewall nat {{ item.id | default('@nat[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@nat[-1]') }}"
type: "nat"
# Configure firewall nat
- name: Configure firewall nat {{ item.id | default('@nat[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@nat[-1]') }}"
type: "nat"
value:
name: "{{ item.name | default(omit) }}"
src: "{{ item.src | default(omit) }}"
src_ip: "{{ item.src_ip | default(omit) }}"
src_port: "{{ item.src_port | default(omit) }}"
dest_ip: "{{ item.dest_ip | default(omit) }}"
dest_port: "{{ item.dest_port | default(omit) }}"
snat_ip: "{{ item.snat_ip | default(omit) }}"
snat_port: "{{ item.snat_port | default(omit) }}"
target: "{{ item.target | default(omit) }}"
proto: "{{ item.proto | default([]) | join(' ') }}"
family: "{{ item.family | default(omit) }}"
mark: "{{ item.mark | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"


@@ -0,0 +1,51 @@
---
# Set state status for firewall redirect
- name: Set state status for firewall redirect {{ item.id | default('@redirect[-1]') }}
ansible.builtin.set_fact:
firewall_redirect_state: "{{ item.state | default('present') }}"
# Delete firewall redirect
- name: Delete firewall redirect {{ item.id }}
when: "'absent' in firewall_redirect_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "redirect"
# Create and configure firewall redirect
- name: Create and configure firewall redirect
when: "'present' in firewall_redirect_state"
block:
# Create firewall redirect
- name: Create firewall redirect {{ item.id | default('@redirect[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@redirect[-1]') }}"
type: "redirect"
# Configure firewall redirect
- name: Configure firewall redirect {{ item.id | default('@redirect[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@redirect[-1]') }}"
type: "redirect"
value:
name: "{{ item.name | default(omit) }}"
src: "{{ item.src | default(omit) }}"
src_ip: "{{ item.src_ip | default(omit) }}"
src_port: "{{ item.src_port | default(omit) }}"
src_mac: "{{ item.src_mac | default(omit) }}"
src_dip: "{{ item.src_dip | default(omit) }}"
src_dport: "{{ item.src_dport | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
dest_ip: "{{ item.dest_ip | default(omit) }}"
dest_port: "{{ item.dest_port | default(omit) }}"
target: "{{ item.target | default(omit) }}"
proto: "{{ item.proto | default([]) | join(' ') }}"
family: "{{ item.family | default(omit) }}"
ipset: "{{ item.ipset | default(omit) }}"
mark: "{{ item.mark | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"


@@ -0,0 +1,50 @@
---
# Set state status for firewall rule
- name: Set state status for firewall rule {{ item.id | default('@rule[-1]') }}
ansible.builtin.set_fact:
firewall_rule_state: "{{ item.state | default('present') }}"
# Delete firewall rule
- name: Delete firewall rule {{ item.id }}
when: "'absent' in firewall_rule_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "rule"
# Create and configure firewall rule
- name: Create and configure firewall rule
when: "'present' in firewall_rule_state"
block:
# Create firewall rule
- name: Create firewall rule {{ item.id | default('@rule[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@rule[-1]') }}"
type: "rule"
# Configure firewall rule
- name: Configure firewall rule {{ item.id | default('@rule[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@rule[-1]') }}"
type: "rule"
value:
name: "{{ item.name | default(omit) }}"
src: "{{ item.src | default(omit) }}"
src_ip: "{{ item.src_ip | default(omit) }}"
src_port: "{{ item.src_port | default([]) | join(' ') }}"
src_mac: "{{ item.src_mac | default(omit) }}"
dest: "{{ item.dest | default(omit) }}"
dest_ip: "{{ item.dest_ip | default(omit) }}"
dest_port: "{{ item.dest_port | default([]) | join(' ') }}"
target: "{{ item.target | default(omit) }}"
proto: "{{ item.proto | default([]) | join(' ') }}"
family: "{{ item.family | default(omit) }}"
ipset: "{{ item.ipset | default(omit) }}"
mark: "{{ item.mark | default(omit) }}"
set_mark: "{{ item.set_mark | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"


@@ -0,0 +1,44 @@
---
# Set state status for firewall zone
- name: Set state status for firewall zone {{ item.id | default('@zone[-1]') }}
ansible.builtin.set_fact:
firewall_zone_state: "{{ item.state | default('present') }}"
# Delete firewall zone
- name: Delete firewall zone {{ item.id }}
when: "'absent' in firewall_zone_state"
uci:
command: "absent"
config: "firewall"
section: "{{ item.id }}"
type: "zone"
# Create and configure firewall zone
- name: Create and configure firewall zone
when: "'present' in firewall_zone_state"
block:
# Create firewall zone
- name: Create firewall zone {{ item.id | default('@zone[-1]') }}
uci:
command: "add"
config: "firewall"
section: "{{ item.id | default('@zone[-1]') }}"
type: "zone"
# Configure firewall zone
- name: Configure firewall zone {{ item.id | default('@zone[-1]') }}
uci:
command: "set"
config: "firewall"
section: "{{ item.id | default('@zone[-1]') }}"
type: "zone"
value:
name: "{{ item.name | default(omit) }}"
network: "{{ item.network | default([]) | join(' ') }}"
masq: "{{ item.masq | default(omit) }}"
mtu_fix: "{{ item.mtu_fix | default(omit) }}"
input: "{{ item.input | default(omit) }}"
forward: "{{ item.forward | default(omit) }}"
output: "{{ item.output | default(omit) }}"
family: "{{ item.family | default(omit) }}"
enabled: "{{ item.enabled | default(omit) }}"