From d23857146e8f9c41c0c825b33d81761b1e897e8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kasi=C4=8D?= <src@lksc.sk>
Date: Fri, 21 Oct 2022 03:11:53 +0200
Subject: [PATCH 1/2] feat: defining custom chains

---
 defaults/main.yml                             | 10 +++++++++
 tasks/main.yml                                | 12 +++++++++++
 templates/etc/nftables.conf.j2                |  3 +++
 templates/etc/nftables.d/filter-custom.nft.j2 | 21 +++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 templates/etc/nftables.d/filter-custom.nft.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 9891ebc..c4b3191 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -309,6 +309,16 @@ nft_input_conf_path: '{{ nft_conf_dir_path }}/filter-input.nft'
 nft_input_conf_content: 'etc/nftables.d/filter-input.nft.j2'
                                                                    # ]]]
 
+nft_custom_conf_path: '{{ nft_conf_dir_path }}/filter-custom.nft'
+nft_custom_conf_content: 'etc/nftables.d/filter-custom.nft.j2'
+
+nft_define_custom_chains: {}
+#  docker:
+#    - nft_docker_rules
+#    - nft_docker_group_rules
+#    - nft_docker_host_rules
+
+
 # .. envvar:: nft_output_default_rules [[[
 #
 # List of output rules to configure for all hosts inherited from this role.
diff --git a/tasks/main.yml b/tasks/main.yml
index 91c722f..8ab7aa3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -154,6 +154,18 @@
   when: (nft_enabled|bool and
          nft__forward_table_manage|bool)
 
+- name: Filter table - generate custom rules file
+  template:
+    src: "{{ nft_custom_conf_content }}"
+    dest: "{{ nft_custom_conf_path }}"
+    owner: root
+    group: root
+    mode: 0755
+    backup: yes
+  notify: ['Reload nftables service']
+  when: (nft_enabled|bool and
+         nft_define_custom_chains.keys()|length > 0)
+
 # Nat table content [[[1
 - name: Nat table - generate prerouting rules file
   template:
diff --git a/templates/etc/nftables.conf.j2 b/templates/etc/nftables.conf.j2
index c385709..a6a60e0 100755
--- a/templates/etc/nftables.conf.j2
+++ b/templates/etc/nftables.conf.j2
@@ -32,6 +32,9 @@ table inet filter {
 {% if nft__forward_table_manage %}
 	include "{{ nft_forward_conf_path }}"
 {% endif %}
+{% if nft_define_custom_chains %}
+	include "{{ nft_custom_conf_path }}"
+{% endif %}
 {% if nft_custom_includes | default() %}
   {% if nft_custom_includes is string %}
 	include "{{ nft_custom_includes }}"
diff --git a/templates/etc/nftables.d/filter-custom.nft.j2 b/templates/etc/nftables.d/filter-custom.nft.j2
new file mode 100644
index 0000000..17be1f2
--- /dev/null
+++ b/templates/etc/nftables.d/filter-custom.nft.j2
@@ -0,0 +1,21 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+# {{ ansible_managed }}
+
+{% for chain,sections in nft_define_custom_chains.items() %}
+  {% set custommerged = hostvars[inventory_hostname][sections[0]].copy() %}
+  {% for section in sections[1:] %}
+    {% set _ = custommerged.update(hostvars[inventory_hostname][section].copy()) %}
+  {% endfor %}
+
+chain {{ chain }} {
+{% for group, rules in custommerged|dictsort  %}
+  # {{ group }}
+  {% if not rules %}
+  # (none)
+  {% endif %}
+  {% for rule in rules %}
+  {{ rule }}
+  {% endfor %}
+{% endfor %}
+}
+{% endfor %}

From 78fb47d14b260a5d6c62760f413c57bf10b9c461 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kasi=C4=8D?= <src@lksc.sk>
Date: Fri, 21 Oct 2022 21:58:46 +0200
Subject: [PATCH 2/2] doc: add custom chains variables and example playbook to
 readme

---
 README.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)

diff --git a/README.md b/README.md
index 454af6a..22fda92 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,8 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 * **nft_output_conf_content** : Template used to generate the previous output configuration file [default : `etc/nftables.d/filter-output.nft.j2`].
 * **nft_forward_conf_path** : forward configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-forward.nft`].
 * **nft_forward_conf_content** : Template used to generate the previous forward configuration file [default : `etc/nftables.d/filter-forward.nft.j2`].
+* **nft_custom_conf_path** : Custom chains configuration file include in main configuration file [default : `{{ nft_conf_dir_path }}/filter-custom.nft`].
+* **nft_custom_conf_content** : Template used to generate custom chains configuration file [default : `etc/nftables.d/filter-custom.nft.j2`].
 * **nft_define_conf_path** : Vars definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/defines.nft`].
 * **nft_define_conf_content** : Template used to generate the previous vars definition file [default : `etc/nftables.d/defines.nft.j2`].
 * **nft_sets_conf_path** : Sets and maps definition file include in main configuration file [default : `{{ nft_conf_dir_path }}/sets.nft`].
@@ -46,6 +48,7 @@ complexify his philosophy… (I'm pretty sure, i now did complexify it :D) ^^
 * **nft_global_group_rules** : You can add `global` rules or override those defined by **nft_global_default_rules** and **nft_global_rules** for a group.
 * **nft_global_host_rules** : Hosts can also add or override all previours rules.
 * **nft__custom_content** : Custom content (tables, include,…) to add in Nftables configuration [default : `''`].
+* **nft_define_custom_chains** : Custom chains. Mapping of lists, where key is chain name, and list values are variables names with rules.
 * **nft_input_default_rules** : Set default rules for `input` chain.
 * **nft_input_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** for all hosts.
 * **nft_input_group_rules** : You can add `input` rules or override those defined by **nft_input_default_rules** and **nft_input_rules** for a group.
@@ -557,6 +560,69 @@ nft_input_group_rules:
    of these groups.
 </details>
 
+### With custom chains
+
+<details>
+  <summary>Define custom chain for usage with docker (<i>click to expand</i>)</summary>
+
+Group vars (e.g. `docker_server.yml`)
+
+```yaml
+nft_old_pkg_manage: false
+nft__forward_table_manage: true
+
+# specify chains and which variables contains rules that should be used for building chain rule set
+nft_define_custom_chains:
+  docker:
+    - nft_docker_group_rules
+    - nft_docker_tenant_rules
+    - nft_docker_host_rules
+
+nft_docker_group_rules:
+  '100 allow internal vpn':
+    - 'ip saddr 10.254.0.0/16 counter accept'
+    - 'ip6 saddr 2001:db8:deaf:beaf::/64 counter accept'
+
+nft_docker_tenant_rules:
+  '200 allow ssh connection for tenant vpn':
+    - 'ip saddr 198.51.100.18 tcp dport { 22 } counter accept'
+
+nft_docker_host_rules: {}
+
+nft_forward_default_rules:
+  '000 policy':
+    - 'type filter hook forward priority -200; policy drop;'
+  '005 global':
+    - 'jump global'
+
+nft_forward_group_rules:
+  '050 docker - allow connection from containers to internet':
+    - 'iifname "docker0" counter accept'
+  '099 jump docker':
+    - 'jump docker'
+
+nft_input_group_rules:
+  '099 jump docker':
+    - 'jump docker'
+
+```
+
+Playbook and host vars
+
+``` yaml
+- hosts: docker_server
+  vars:
+    nft_docker_host_rules:
+      '300 allow http/s':
+        - 'tcp dport { 80, 443 } counter accept'
+
+  roles:
+    - role: ipr-cnrs.nftables
+```
+
+</details>
+
+
 ## Configuration
 
 This role will :