Is there an official or defacto nftables module or collection?

Regarding nftables, I’m not seeing anything official, i.e. built-in or an ansible.community collection, for the use of nftables. I see there are a few collections out in the wild of limited or mixed popularity.
Perhaps I’m not looking correctly.

I’m a little hesitant to use something like that in production without some community feedback. Is there some collection that is the go-to for most users?

We have some issues with simply using iptables (with nft support) since we have some other software that makes changes to nftables.

Any advice is welcome.


I’m not seeing any nftables specific support, in the official or community collections. I did find @Ansibleguy apparently has his own collection, but I don’t know him or his work, so this isn’t a recommendation by me.


Thanks, there is that one and one from a French University that seem the highest google hits.
I’m surprised given that netfilter/nftables has been popular for a few years now.


You’re the first person I’ve met that uses nftables.

Red Hat leans heavily into using firewalld, and Debian (or Ubuntu at least) is using ufw.

In turn, Ansible supports firewalld of course, but has some support for iptables and even ufw (in the community.general collection anyways).

Personally, I prefer firewalld, but I’m also pretty newschool to linux vs some of my peers who are very oldschool.


They are both now front ends for nftables.
Iptables and Firewalld, that is. Not sure about UFW.


UFW is also a front end for nftables.

There is some ability to use JSON with nft, for example you can list the rulesets as JSON:

nft --json --stateless list ruleset | jq

And import JSON:

nft --json --file /tmp/nft.json

What I haven’t found is a way to convert JSON to nftables config and back again (but of course I might just have missed something obvious!) — if this could be done then I think it would be fairly straightforward to use existing Ansible filters like from_json and to_json and a template / slurp to convert a YAML representation of the nftables rules to nftables format and back and read and write them to disk.

Perhaps a pair of Ansible filters are required; these could perhaps be called nftables_to_json and json_to_nftables – if these filters were written it would then make managing nftables using Ansible a lot more straightforward.

I found these Red Hat slides from a 2019 talk with the title Firewalld, libnftables, and json, oh my which are worth a scan, and this tutorial has some nftables / Python / JSON example code.
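To make the conversion idea above concrete, here is an added example (not code from the thread or from any of the collections mentioned) of the two halves such a filter pair would need: a small YAML-style rule spec turned into the libnftables JSON layout that nft --json --file accepts, and that JSON rendered back into nft script text, i.e. the json_to_nftables direction the post describes. The spec format, the function names and the sample rules are assumptions made for this example; the JSON object keys (table, chain with type/hook/prio/policy, rule with an expr list of match and verdict objects) follow the schema that nft --json list ruleset emits.

```python
"""Spec -> libnftables JSON -> nft script text, as an illustration of the
filter pair suggested in the thread. Added example; the spec shape and
function names are assumptions, the JSON keys follow the libnftables schema."""
import json

# Constructed sample spec: the kind of structure a role might keep in YAML.
# It mirrors the Debian default ruleset (drop input/forward, accept output).
SAMPLE_SPEC = {
    "family": "inet",
    "table": "filter",
    "chains": [
        {"name": "input", "hook": "input", "priority": 0, "policy": "drop",
         "rules": [
             {"iif": "lo", "action": "accept"},
             {"ct_state": ["established", "related"], "action": "accept"},
             {"proto": "tcp", "dport": 22, "action": "accept"},
         ]},
        {"name": "forward", "hook": "forward", "priority": 0, "policy": "drop", "rules": []},
        {"name": "output", "hook": "output", "priority": 0, "policy": "accept", "rules": []},
    ],
}


def _rule_expr(rule):
    """Translate one spec rule into a libnftables 'expr' list (matches, then verdict)."""
    expr = []
    if "iif" in rule:
        expr.append({"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                               "right": rule["iif"]}})
    if "ct_state" in rule:  # 'in' against a list is how nft encodes ct state a,b
        expr.append({"match": {"op": "in", "left": {"ct": {"key": "state"}},
                               "right": list(rule["ct_state"])}})
    if "proto" in rule and "dport" in rule:
        expr.append({"match": {"op": "==",
                               "left": {"payload": {"protocol": rule["proto"], "field": "dport"}},
                               "right": rule["dport"]}})
    expr.append({rule["action"]: None})  # verdicts are {"accept": null} etc.
    return expr


def spec_to_nft_json(spec):
    """Build the document nft --json --file expects; starts with a ruleset flush."""
    fam, tbl = spec["family"], spec["table"]
    objs = [{"flush": {"ruleset": None}}, {"table": {"family": fam, "name": tbl}}]
    for c in spec["chains"]:
        objs.append({"chain": {"family": fam, "table": tbl, "name": c["name"], "type": "filter",
                               "hook": c["hook"], "prio": c["priority"], "policy": c["policy"]}})
        for r in c["rules"]:
            objs.append({"rule": {"family": fam, "table": tbl, "chain": c["name"],
                                  "expr": _rule_expr(r)}})
    return {"nftables": objs}


def _render_operand(node):
    """Render one side of a match in nft syntax (subset used by this example)."""
    if isinstance(node, dict):
        if "meta" in node:
            return node["meta"]["key"]
        if "ct" in node:
            return "ct " + node["ct"]["key"]
        if "payload" in node:
            return f"{node['payload']['protocol']} {node['payload']['field']}"
        raise ValueError(f"unsupported operand: {node}")
    if isinstance(node, list):  # anonymous set, e.g. { established, related }
        return "{ " + ", ".join(str(v) for v in node) + " }"
    return f'"{node}"' if isinstance(node, str) else str(node)


def _render_expr(expr):
    parts = []
    for e in expr:
        if "match" in e:
            m = e["match"]
            op = "" if m["op"] in ("==", "in") else m["op"] + " "  # nft omits == and in
            parts.append(f"{_render_operand(m['left'])} {op}{_render_operand(m['right'])}")
        elif len(e) == 1:
            parts.append(next(iter(e)))  # bare verdict: accept / drop / ...
        else:
            raise ValueError(f"unsupported expression: {e}")
    return " ".join(parts)


def nft_json_to_text(doc):
    """Render a libnftables JSON document as nft script text (the json_to_nftables direction)."""
    lines = []
    for obj in doc["nftables"]:
        if "metainfo" in obj:  # present in 'list ruleset' output, not needed for -f
            continue
        if "flush" in obj:
            lines.append("flush ruleset")
        elif "table" in obj:
            lines.append(f"add table {obj['table']['family']} {obj['table']['name']}")
        elif "chain" in obj:
            c = obj["chain"]
            head = f"add chain {c['family']} {c['table']} {c['name']}"
            if "hook" in c:  # base chain: carries type/hook/priority/policy
                head += (f" {{ type {c['type']} hook {c['hook']} priority {c['prio']}; "
                         f"policy {c['policy']}; }}")
            lines.append(head)
        elif "rule" in obj:
            r = obj["rule"]
            lines.append(f"add rule {r['family']} {r['table']} {r['chain']} {_render_expr(r['expr'])}")
        else:
            raise ValueError(f"unsupported object: {list(obj)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    doc = spec_to_nft_json(SAMPLE_SPEC)
    print(json.dumps(doc, indent=2))   # what a role would write to /etc/nftables.json
    print(nft_json_to_text(doc))       # equivalent nft -f script
```

Either output can be checked without touching the live ruleset: nft -c -j -f nftables.json (or nft -c -f for the text form) parses and validates the file as a dry run, which is the check worth running in a handler before any reload on a production host.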

I’ve written a simple nftables role for Debian and Ubuntu that replaces the default /etc/nftables.conf config file with a JSON version, /etc/nftables.json, that by default implements the same rules, the point being to enable nftables to be configured, in whatever way is required, using a list of YAML (that is templated to JSON).

The loading of /etc/nftables.json rather than /etc/nftables.conf is achieved via the creation of a /etc/systemd/system/nftables.service.d/override.conf file containing:

[Service]
ExecStart=
ExecStart=/usr/sbin/nft -j -f /etc/nftables.json
ExecReload=
ExecReload=/usr/sbin/nft -j -f /etc/nftables.json

By default /usr/lib/systemd/system/nftables.service (which is symlinked from /etc/systemd/system/sysinit.target.wants/nftables.service when nftables.service is enabled) contains these lines which are overridden by the above:

[Service]
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf