Merge branch 'fix-var-prefix' into 'main'
Fix: firewall log rejected packets variable should have role prefix

See merge request xebis/xebis-ansible-collection!12
bruzina committed Jan 11, 2024
2 parents 778e7b3 + 959e1b5 commit 5a6b889
Showing 2 changed files with 9 additions and 9 deletions.
12 changes: 6 additions & 6 deletions roles/firewall/README.md
@@ -13,7 +13,7 @@ Current nftables hooks used:
_Inspired by the image [nftables wiki: Netfilter hooks](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks)._

- Each rule has counter set
- When `nftables_log_rejected` is defined and true, all rejected packets are logged in the syslog prefixed `nftables` _`chain`_ `rejected`, default is false, see [Rejected Packets Logging](#rejected-packets-logging)
- When `firewall_log_rejected` is defined and true, all rejected packets are logged in the syslog prefixed `nftables` _`chain`_ `rejected`, default is false, see [Rejected Packets Logging](#rejected-packets-logging)
- `inet-pre`
- Drops invalid packets and packets for localhost originating out of the loopback interface
- Accepts the rest
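Review bot: the rename from `nftables_log_rejected` to `firewall_log_rejected` in the bullet on line 24 is a silent breaking change for any inventory that still sets the old name: because the template only checks `is defined`, such a host keeps rejecting packets but stops logging them, with no error at play time. Add a sentence to this section (or a changelog entry) stating that `nftables_log_rejected` is no longer honoured, so the loss of rejected-packet logging is noticed at upgrade rather than during an incident.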
@@ -23,13 +23,13 @@ _Inspired by the image [nftables wiki: Netfilter hooks](https://wiki.nftables.or
- Accepts TCP SSH
- Includes `/etc/nftables/inet-in-*.conf` extension rules, see [Extending The Firewall](#extending-the-firewall)
- Rejects the rest
- Sets rejected packets logging to syslog when Ansible variable `nftables_log_rejected` is defined and true with prefix `nftables inet-in rejected`
- Sets rejected packets logging to syslog when Ansible variable `firewall_log_rejected` is defined and true with prefix `nftables inet-in rejected`
- `inet-fwd`
- Accepts established, related traffic
- Accepts icmp, igmp, and icmpv6 packets
- Includes `/etc/nftables/inet-fwd-*.conf` extension rules, see [Extending The Firewall](#extending-the-firewall)
- Rejects the rest
- Sets rejected packets logging to syslog when Ansible variable `nftables_log_rejected` is defined and true with prefix `nftables inet-fwd rejected`
- Sets rejected packets logging to syslog when Ansible variable `firewall_log_rejected` is defined and true with prefix `nftables inet-fwd rejected`
- `inet-out`
- Accepts established, related, and loopback traffic
- Accepts icmp, igmp, and icmpv6 packets
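Review bot: the `inet-in` and `inet-fwd` bullets (and `inet-out` in the next hunk) each restate the full condition "when Ansible variable `firewall_log_rejected` is defined and true", which is already documented once at the top of the list with a link to Rejected Packets Logging. Shortening each to "Logs rejected packets to syslog with prefix `nftables inet-in rejected` when `firewall_log_rejected` is true" keeps the per-chain prefix, which is the only detail that actually differs, and leaves one place to update the next time the variable changes.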
@@ -38,23 +38,23 @@ _Inspired by the image [nftables wiki: Netfilter hooks](https://wiki.nftables.or
- Accepts TCP SSH, HTTP, HTTPS
- Includes `/etc/nftables/inet-out-*.conf` extension rules, see [Extending The Firewall](#extending-the-firewall)
- Rejects the rest
- Sets rejected packets logging to syslog when Ansible variable `nftables_log_rejected` is defined and true with prefix `nftables inet-out rejected`
- Sets rejected packets logging to syslog when Ansible variable `firewall_log_rejected` is defined and true with prefix `nftables inet-out rejected`
- `inet-post`
- Drops invalid packets and packets for localhost ending out of the loopback interface
- Accepts the rest
- Includes `/etc/nftables/inet-chain-*.conf` extension chains, see [Extending The Firewall](#extending-the-firewall)

### Rejected Packets Logging

Example of `inventory.yml` defining `nftables_log_rejected` and setting it true:
Example of `inventory.yml` defining `firewall_log_rejected` and setting it true:

```yaml
all:
# ...

# In an inventory group or for a machine:
vars:
nftables_log_rejected: true
firewall_log_rejected: true
```
Example of using live tail:
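Review bot: the inventory example now sets `firewall_log_rejected: true`, but the commit touches only `README.md` and `nftables.conf.j2` (2 files, 9 additions and 9 deletions). If the role ships any other place that names this variable, such as role defaults or a test inventory, it was not updated here and will still carry the old `nftables_log_rejected` name; please grep the role for the old name before merging so the documented variable and the one the role reads cannot drift apart.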
6 changes: 3 additions & 3 deletions roles/firewall/templates/nftables.conf.j2
@@ -20,7 +20,7 @@ table inet filter {
ip6 nexthdr icmpv6 counter limit rate 10/second accept
tcp dport 22 counter accept # Allow SSH traffic
include "/etc/nftables/inet-in-*.conf" # Include roles rules
counter {% if nftables_log_rejected is defined and nftables_log_rejected %}log prefix "nftables inet-in rejected " {% endif %}reject with icmpx type port-unreachable # Reject
counter {% if firewall_log_rejected is defined and firewall_log_rejected %}log prefix "nftables inet-in rejected " {% endif %}reject with icmpx type port-unreachable # Reject
}

chain inet-fwd {
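Review bot: the Jinja test `firewall_log_rejected is defined and firewall_log_rejected` is copied verbatim into all three reject rules of this template; a typo in one copy would disable logging for just that chain without any rendering error. Evaluate it once near the top of the template, e.g. `{% set log_rejected = firewall_log_rejected is defined and firewall_log_rejected %}`, and use `{% if log_rejected %}` in each chain, so the variable name lives in exactly one line of the template.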
@@ -30,7 +30,7 @@ table inet filter {
ip protocol igmp counter accept
ip6 nexthdr icmpv6 counter accept
include "/etc/nftables/inet-fwd-*.conf" # Include roles rules
counter {% if nftables_log_rejected is defined and nftables_log_rejected %}log prefix "nftables inet-fwd rejected " {% endif %}reject with icmpx type host-unreachable # Reject
counter {% if firewall_log_rejected is defined and firewall_log_rejected %}log prefix "nftables inet-fwd rejected " {% endif %}reject with icmpx type host-unreachable # Reject
}

chain inet-out {
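Review bot: the `log prefix "nftables inet-fwd rejected "` expression on the reject rule is unlimited, so a flood of forwarded packets that hit this rule produces one syslog line per packet; the `icmpv6` accept in the `inet-in` hunk above already uses `limit rate 10/second`, but none of the three log rules does. Since putting `limit rate` on the reject rule itself would let packets above the limit fall through to the chain policy, the usual pattern is a separate rate-limited `log` rule immediately before the unconditional reject, which is worth considering when logging is enabled.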
@@ -47,7 +47,7 @@ table inet filter {
tcp dport 443 counter accept # Allow HTTPS traffic
tcp dport 22 counter accept # Allow SSH traffic
include "/etc/nftables/inet-out-*.conf" # Include roles rules
counter {% if nftables_log_rejected is defined and nftables_log_rejected %}log prefix "nftables inet-out rejected " {% endif %}reject with icmpx type admin-prohibited # Reject
counter {% if firewall_log_rejected is defined and firewall_log_rejected %}log prefix "nftables inet-out rejected " {% endif %}reject with icmpx type admin-prohibited # Reject
}

chain inet-post {
