arillso.system.firewall role – Configure nftables firewall with intuitive YAML structure

Note

This role is part of the arillso.system collection (version 1.0.5).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install arillso.system.

To use it in a playbook, specify: arillso.system.firewall.

Entry point main – Configure nftables firewall with intuitive YAML structure

Synopsis

  • Manages an nftables firewall from a YAML table/chain/rule structure that mirrors the nft ruleset (tables contain chains, chains contain ordered rules)

  • Supports hierarchical Global → Group → Host inheritance and merging of that structure across inventory levels

  • Direct mapping from YAML keys to nftables expressions (a rule key such as tcp_dport corresponds to the nft match tcp dport), so the rendered ruleset reads like the YAML

Parameters

Parameter

Comments

firewall

list / elements=dictionary

Main nftables configuration (defaults/main.yml)

Default: []

table

dictionary / required

nftables table configuration

chains

list / elements=dictionary

List of chains in this table

hook

string / required

Netfilter hook

Choices:

  • "prerouting"

  • "input"

  • "forward"

  • "output"

  • "postrouting"

name

string / required

Chain name

policy

string / required

Default chain policy: the verdict applied to a packet that reaches the end of the chain without hitting a terminating rule. Use "drop" on input/forward chains for default-deny, and put the explicit accept rules (loopback, ct_state established/related, ICMPv6 neighbor discovery) in the chain before applying it, or the host becomes unreachable

Choices:

  • "accept"

  • "drop"

priority

integer / required

Chain priority within the hook; lower values run earlier. Conventional nftables values are 0 for filter chains, -100 for nat prerouting (dstnat) and 100 for nat postrouting (srcnat)

rules

list / elements=dictionary

List of rules in this chain

action

string

Rule action

Choices:

  • "accept" ← (default)

  • "drop"

  • "reject"

  • "dnat"

  • "masquerade"

  • "queue"

  • "jump"

  • "goto"

comment

string

Rule comment/description

ct_direction

string

Connection tracking direction

Choices:

  • "original"

  • "reply"

ct_mark

string

Connection tracking mark

ct_state

any

Connection tracking state

ct_status

string

Connection tracking status

goto_chain

string

Target chain for goto action

icmp_code

integer

ICMP code

icmp_type

string

ICMP type

icmpv6_type

string

ICMPv6 type

iifname

string

Input interface name

ip6_daddr

string

IPv6 destination address/network

ip6_daddr_set

string

Reference to IPv6 destination address set

ip6_nexthdr

string

IPv6 next header

ip6_saddr

string

IPv6 source address/network

ip6_saddr_set

string

Reference to IPv6 source address set

ip_daddr

string

Destination IP address/network

ip_daddr_set

string

Reference to IPv4 destination address set

ip_protocol

string

IP protocol

ip_saddr

string

Source IP address/network

ip_saddr_set

string

Reference to IPv4 source address set (e.g., “@trusted_networks”)

log_group

integer

NFLOG group number

log_level

string

Log level

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warn"

  • "notice"

  • "info"

  • "debug"

log_prefix

string

Log prefix for logging rules

log_queue_threshold

integer

Queue threshold for logging

log_snaplen

integer

Snapshot length for logging

meta_length

string

Packet length condition (e.g., “> 1000”)

meta_mark

string

Packet mark value

meta_nfproto

string

Network protocol family

Choices:

  • "ipv4"

  • "ipv6"

  • "arp"

  • "bridge"

meta_protocol

string

Protocol type

oifname

string

Output interface name

queue_num

integer

Queue number for userspace processing

reject_with

string

Reject with specific reason

Choices:

  • "icmp-admin-prohibited"

  • "icmp-port-unreachable"

  • "icmp-net-unreachable"

  • "icmp-host-unreachable"

target_chain

string

Target chain for jump action

tcp_dport

any

TCP destination port(s)

tcp_dport_set

string

Reference to TCP destination port set (e.g., “@web_ports”)

tcp_sport

any

TCP source port(s)

tcp_sport_set

string

Reference to TCP source port set

to

string

Target of the dnat action (the nft "dnat to" argument: an address, optionally with :port)

udp_dport

any

UDP destination port(s)

udp_dport_set

string

Reference to UDP destination port set

udp_sport

any

UDP source port(s)

udp_sport_set

string

Reference to UDP source port set

type

string / required

Chain type

Choices:

  • "filter"

  • "nat"

  • "route"

family

string

Address family

Choices:

  • "inet" ← (default)

  • "ip"

  • "ip6"

  • "arp"

  • "bridge"

  • "netdev"

name

string / required

Table name (filter, nat, etc.)
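A complete value for the firewall variable in the structure documented above, given here as an added example that is not taken from the role's own documentation or test data. The interface name eth0, the addresses, and the list form of ct_state and tcp_dport (the page types both as "any") are assumptions; the page documents no separate log action, so the last input rule assumes that the log_* keys are rendered in front of the rule's action, as nft writes `log prefix "..." drop`.

```yaml
# host_vars/edge1.yml (constructed example)
firewall:
  - table:
      name: filter
      family: inet            # one table handles IPv4 and IPv6
      chains:
        - name: input
          type: filter
          hook: input
          priority: 0
          policy: drop        # default-deny: every accept below is deliberate
          rules:
            - comment: "Loopback"
              iifname: lo
              action: accept
            - comment: "Replies to connections we initiated or already accepted"
              ct_state: [established, related]
              action: accept
            - comment: "Packets conntrack cannot classify"
              ct_state: invalid
              action: drop
            - comment: "IPv4 ping"
              icmp_type: echo-request
              action: accept
            # IPv6 stops working behind a drop policy unless neighbor discovery is allowed
            - comment: "IPv6 neighbor discovery"
              icmpv6_type: nd-neighbor-solicit
              action: accept
            - comment: "IPv6 neighbor discovery"
              icmpv6_type: nd-neighbor-advert
              action: accept
            - comment: "IPv6 ping"
              icmpv6_type: echo-request
              action: accept
            - comment: "SSH only from the management network"
              ip_saddr: 10.20.0.0/16
              tcp_dport: 22
              action: accept
            - comment: "Public web"
              tcp_dport: [80, 443]
              action: accept
            - comment: "Log, then drop, everything else"
              log_prefix: "nft input drop: "
              log_level: warn
              action: drop
        - name: forward
          type: filter
          hook: forward
          priority: 0
          policy: drop
          rules:
            - comment: "Only forward traffic that belongs to an accepted flow"
              ct_state: [established, related]
              action: accept
        - name: output
          type: filter
          hook: output
          priority: 0
          policy: accept
          rules: []
  - table:
      name: nat
      family: ip              # IPv4-only NAT table
      chains:
        - name: prerouting
          type: nat
          hook: prerouting
          priority: -100      # dstnat priority
          policy: accept
          rules:
            - comment: "Publish the internal web server on port 8080"
              iifname: eth0
              tcp_dport: 8080
              action: dnat
              to: "10.0.0.10:80"
        - name: postrouting
          type: nat
          hook: postrouting
          priority: 100       # srcnat priority
          policy: accept
          rules:
            - comment: "Masquerade everything leaving the uplink"
              oifname: eth0
              action: masquerade
---
# playbook.yml
- hosts: edge
  become: true
  roles:
    - arillso.system.firewall
```

Two points a practitioner should check before applying this. The documented rule keys reference sets (ip_saddr_set, tcp_dport_set, and so on) but no parameter on this page defines a set, so any "@name" you reference must already exist in the table. And no rate-limit key is documented, so the log-then-drop rule logs every dropped packet; keep it on an internal host, or log only from a dedicated chain reached via jump. After the play, confirm the result with `nft list ruleset` on the host, and keep out-of-band console access while the input policy is drop.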

firewall_global

list / elements=dictionary

Global nftables configuration (from group_vars/all.yml)

table

dictionary / required

nftables table configuration

chains

list / elements=dictionary

List of chains in this table

hook

string / required

Netfilter hook

Choices:

  • "prerouting"

  • "input"

  • "forward"

  • "output"

  • "postrouting"

name

string / required

Chain name

policy

string / required

Default chain policy: the verdict applied to a packet that reaches the end of the chain without hitting a terminating rule. Use "drop" on input/forward chains for default-deny, and put the explicit accept rules (loopback, ct_state established/related, ICMPv6 neighbor discovery) in the chain before applying it, or the host becomes unreachable

Choices:

  • "accept"

  • "drop"

priority

integer / required

Chain priority within the hook; lower values run earlier. Conventional nftables values are 0 for filter chains, -100 for nat prerouting (dstnat) and 100 for nat postrouting (srcnat)

rules

list / elements=dictionary

List of rules in this chain

action

string

Rule action

Choices:

  • "accept" ← (default)

  • "drop"

  • "reject"

  • "dnat"

  • "masquerade"

  • "queue"

  • "jump"

  • "goto"

comment

string

Rule comment/description

ct_direction

string

Connection tracking direction

Choices:

  • "original"

  • "reply"

ct_mark

string

Connection tracking mark

ct_state

any

Connection tracking state

ct_status

string

Connection tracking status

goto_chain

string

Target chain for goto action

icmp_code

integer

ICMP code

icmp_type

string

ICMP type

icmpv6_type

string

ICMPv6 type

iifname

string

Input interface name

ip6_daddr

string

IPv6 destination address/network

ip6_daddr_set

string

Reference to IPv6 destination address set

ip6_nexthdr

string

IPv6 next header

ip6_saddr

string

IPv6 source address/network

ip6_saddr_set

string

Reference to IPv6 source address set

ip_daddr

string

Destination IP address/network

ip_daddr_set

string

Reference to IPv4 destination address set

ip_protocol

string

IP protocol

ip_saddr

string

Source IP address/network

ip_saddr_set

string

Reference to IPv4 source address set (e.g., “@trusted_networks”)

log_group

integer

NFLOG group number

log_level

string

Log level

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warn"

  • "notice"

  • "info"

  • "debug"

log_prefix

string

Log prefix for logging rules

log_queue_threshold

integer

Queue threshold for logging

log_snaplen

integer

Snapshot length for logging

meta_length

string

Packet length condition (e.g., “> 1000”)

meta_mark

string

Packet mark value

meta_nfproto

string

Network protocol family

Choices:

  • "ipv4"

  • "ipv6"

  • "arp"

  • "bridge"

meta_protocol

string

Protocol type

oifname

string

Output interface name

queue_num

integer

Queue number for userspace processing

reject_with

string

Reject with specific reason

Choices:

  • "icmp-admin-prohibited"

  • "icmp-port-unreachable"

  • "icmp-net-unreachable"

  • "icmp-host-unreachable"

target_chain

string

Target chain for jump action

tcp_dport

any

TCP destination port(s)

tcp_dport_set

string

Reference to TCP destination port set (e.g., “@web_ports”)

tcp_sport

any

TCP source port(s)

tcp_sport_set

string

Reference to TCP source port set

to

string

Target of the dnat action (the nft "dnat to" argument: an address, optionally with :port)

udp_dport

any

UDP destination port(s)

udp_dport_set

string

Reference to UDP destination port set

udp_sport

any

UDP source port(s)

udp_sport_set

string

Reference to UDP source port set

type

string / required

Chain type

Choices:

  • "filter"

  • "nat"

  • "route"

family

string

Address family

Choices:

  • "inet" ← (default)

  • "ip"

  • "ip6"

  • "arp"

  • "bridge"

  • "netdev"

name

string / required

Table name (filter, nat, etc.)

firewall_group

list / elements=dictionary

Group-specific nftables configuration (from group_vars)

table

dictionary / required

nftables table configuration

chains

list / elements=dictionary

List of chains in this table

hook

string / required

Netfilter hook

Choices:

  • "prerouting"

  • "input"

  • "forward"

  • "output"

  • "postrouting"

name

string / required

Chain name

policy

string / required

Default chain policy: the verdict applied to a packet that reaches the end of the chain without hitting a terminating rule. Use "drop" on input/forward chains for default-deny, and put the explicit accept rules (loopback, ct_state established/related, ICMPv6 neighbor discovery) in the chain before applying it, or the host becomes unreachable

Choices:

  • "accept"

  • "drop"

priority

integer / required

Chain priority within the hook; lower values run earlier. Conventional nftables values are 0 for filter chains, -100 for nat prerouting (dstnat) and 100 for nat postrouting (srcnat)

rules

list / elements=dictionary

List of rules in this chain

action

string

Rule action

Choices:

  • "accept" ← (default)

  • "drop"

  • "reject"

  • "dnat"

  • "masquerade"

  • "queue"

  • "jump"

  • "goto"

comment

string

Rule comment/description

ct_direction

string

Connection tracking direction

Choices:

  • "original"

  • "reply"

ct_mark

string

Connection tracking mark

ct_state

any

Connection tracking state

ct_status

string

Connection tracking status

goto_chain

string

Target chain for goto action

icmp_code

integer

ICMP code

icmp_type

string

ICMP type

icmpv6_type

string

ICMPv6 type

iifname

string

Input interface name

ip6_daddr

string

IPv6 destination address/network

ip6_daddr_set

string

Reference to IPv6 destination address set

ip6_nexthdr

string

IPv6 next header

ip6_saddr

string

IPv6 source address/network

ip6_saddr_set

string

Reference to IPv6 source address set

ip_daddr

string

Destination IP address/network

ip_daddr_set

string

Reference to IPv4 destination address set

ip_protocol

string

IP protocol

ip_saddr

string

Source IP address/network

ip_saddr_set

string

Reference to IPv4 source address set (e.g., “@trusted_networks”)

log_group

integer

NFLOG group number

log_level

string

Log level

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warn"

  • "notice"

  • "info"

  • "debug"

log_prefix

string

Log prefix for logging rules

log_queue_threshold

integer

Queue threshold for logging

log_snaplen

integer

Snapshot length for logging

meta_length

string

Packet length condition (e.g., “> 1000”)

meta_mark

string

Packet mark value

meta_nfproto

string

Network protocol family

Choices:

  • "ipv4"

  • "ipv6"

  • "arp"

  • "bridge"

meta_protocol

string

Protocol type

oifname

string

Output interface name

queue_num

integer

Queue number for userspace processing

reject_with

string

Reject with specific reason

Choices:

  • "icmp-admin-prohibited"

  • "icmp-port-unreachable"

  • "icmp-net-unreachable"

  • "icmp-host-unreachable"

target_chain

string

Target chain for jump action

tcp_dport

any

TCP destination port(s)

tcp_dport_set

string

Reference to TCP destination port set (e.g., “@web_ports”)

tcp_sport

any

TCP source port(s)

tcp_sport_set

string

Reference to TCP source port set

to

string

Target of the dnat action (the nft "dnat to" argument: an address, optionally with :port)

udp_dport

any

UDP destination port(s)

udp_dport_set

string

Reference to UDP destination port set

udp_sport

any

UDP source port(s)

udp_sport_set

string

Reference to UDP source port set

type

string / required

Chain type

Choices:

  • "filter"

  • "nat"

  • "route"

family

string

Address family

Choices:

  • "inet" ← (default)

  • "ip"

  • "ip6"

  • "arp"

  • "bridge"

  • "netdev"

name

string / required

Table name (filter, nat, etc.)

firewall_host

list / elements=dictionary

Host-specific nftables configuration (from host_vars)

table

dictionary / required

nftables table configuration

chains

list / elements=dictionary

List of chains in this table

hook

string / required

Netfilter hook

Choices:

  • "prerouting"

  • "input"

  • "forward"

  • "output"

  • "postrouting"

name

string / required

Chain name

policy

string / required

Default chain policy: the verdict applied to a packet that reaches the end of the chain without hitting a terminating rule. Use "drop" on input/forward chains for default-deny, and put the explicit accept rules (loopback, ct_state established/related, ICMPv6 neighbor discovery) in the chain before applying it, or the host becomes unreachable

Choices:

  • "accept"

  • "drop"

priority

integer / required

Chain priority within the hook; lower values run earlier. Conventional nftables values are 0 for filter chains, -100 for nat prerouting (dstnat) and 100 for nat postrouting (srcnat)

rules

list / elements=dictionary

List of rules in this chain

action

string

Rule action

Choices:

  • "accept" ← (default)

  • "drop"

  • "reject"

  • "dnat"

  • "masquerade"

  • "queue"

  • "jump"

  • "goto"

comment

string

Rule comment/description

ct_direction

string

Connection tracking direction

Choices:

  • "original"

  • "reply"

ct_mark

string

Connection tracking mark

ct_state

any

Connection tracking state

ct_status

string

Connection tracking status

goto_chain

string

Target chain for goto action

icmp_code

integer

ICMP code

icmp_type

string

ICMP type

icmpv6_type

string

ICMPv6 type

iifname

string

Input interface name

ip6_daddr

string

IPv6 destination address/network

ip6_daddr_set

string

Reference to IPv6 destination address set

ip6_nexthdr

string

IPv6 next header

ip6_saddr

string

IPv6 source address/network

ip6_saddr_set

string

Reference to IPv6 source address set

ip_daddr

string

Destination IP address/network

ip_daddr_set

string

Reference to IPv4 destination address set

ip_protocol

string

IP protocol

ip_saddr

string

Source IP address/network

ip_saddr_set

string

Reference to IPv4 source address set (e.g., “@trusted_networks”)

log_group

integer

NFLOG group number

log_level

string

Log level

Choices:

  • "emerg"

  • "alert"

  • "crit"

  • "err"

  • "warn"

  • "notice"

  • "info"

  • "debug"

log_prefix

string

Log prefix for logging rules

log_queue_threshold

integer

Queue threshold for logging

log_snaplen

integer

Snapshot length for logging

meta_length

string

Packet length condition (e.g., “> 1000”)

meta_mark

string

Packet mark value

meta_nfproto

string

Network protocol family

Choices:

  • "ipv4"

  • "ipv6"

  • "arp"

  • "bridge"

meta_protocol

string

Protocol type

oifname

string

Output interface name

queue_num

integer

Queue number for userspace processing

reject_with

string

Reject with specific reason

Choices:

  • "icmp-admin-prohibited"

  • "icmp-port-unreachable"

  • "icmp-net-unreachable"

  • "icmp-host-unreachable"

target_chain

string

Target chain for jump action

tcp_dport

any

TCP destination port(s)

tcp_dport_set

string

Reference to TCP destination port set (e.g., “@web_ports”)

tcp_sport

any

TCP source port(s)

tcp_sport_set

string

Reference to TCP source port set

to

string

Target of the dnat action (the nft "dnat to" argument: an address, optionally with :port)

udp_dport

any

UDP destination port(s)

udp_dport_set

string

Reference to UDP destination port set

udp_sport

any

UDP source port(s)

udp_sport_set

string

Reference to UDP source port set

type

string / required

Chain type

Choices:

  • "filter"

  • "nat"

  • "route"

family

string

Address family

Choices:

  • "inet" ← (default)

  • "ip"

  • "ip6"

  • "arp"

  • "bridge"

  • "netdev"

name

string / required

Table name (filter, nat, etc.)
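How the three inventory-level variables (firewall_global, firewall_group, firewall_host) fit together, as an added example that is not part of the role's documentation. The group name webservers, the host name, the addresses and the list form of ct_state/tcp_dport are assumptions. Because hook, type, priority and policy are required on every chain entry, each level restates the same chain header for the chain it extends.

```yaml
# group_vars/all.yml  (constructed example; baseline for every host)
firewall_global:
  - table:
      name: filter
      family: inet
      chains:
        - name: input
          type: filter
          hook: input
          priority: 0
          policy: drop
          rules:
            - comment: "Loopback"
              iifname: lo
              action: accept
            - comment: "Accepted flows"
              ct_state: [established, related]
              action: accept
            - comment: "Untracked garbage"
              ct_state: invalid
              action: drop
            - comment: "SSH from the management network only"
              ip_saddr: 10.20.0.0/16
              tcp_dport: 22
              action: accept

# group_vars/webservers.yml  (adds what the whole group needs)
firewall_group:
  - table:
      name: filter
      family: inet
      chains:
        - name: input
          type: filter
          hook: input
          priority: 0
          policy: drop
          rules:
            - comment: "HTTP/HTTPS for the webservers group"
              tcp_dport: [80, 443]
              action: accept

# host_vars/web1.example.org.yml  (one host's extra exposure)
firewall_host:
  - table:
      name: filter
      family: inet
      chains:
        - name: input
          type: filter
          hook: input
          priority: 0
          policy: drop
          rules:
            - comment: "Metrics scrape from the monitoring host only"
              ip_saddr: 10.30.0.7
              tcp_dport: 9100
              action: accept
```

The page states that the levels are merged but not how a chain defined at two levels is combined, nor the order in which the merged rules are emitted. Since nftables evaluates rules in order and falls through to the policy, that order decides the verdict: run `ansible-playbook --check --diff` against one host of the group and read the rendered ruleset before rolling the change out, and keep the rule set at each level self-contained enough that an unexpected order still fails closed.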