From 5b59f49bd64aec53fe109bc62fe821f469f8d95b Mon Sep 17 00:00:00 2001
From: Trygve Laugstøl
Date: Sat, 29 Dec 2018 00:55:22 +0100
Subject: ufw: Adding reload and port forwardings (wip).

---
 ansible/roles/ufw/handlers/main.yml | 4 ++++
 ansible/roles/ufw/tasks/main.yml | 24 ++++++++++++++++++------
 2 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 ansible/roles/ufw/handlers/main.yml
(limited to 'ansible/roles/ufw')

diff --git a/ansible/roles/ufw/handlers/main.yml b/ansible/roles/ufw/handlers/main.yml
new file mode 100644
index 0000000..47f79ef
--- /dev/null
+++ b/ansible/roles/ufw/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: ufw reload
+  become: yes
+  ufw:
+    state: reloaded
diff --git a/ansible/roles/ufw/tasks/main.yml b/ansible/roles/ufw/tasks/main.yml
index b372eb7..0579f0a 100644
--- a/ansible/roles/ufw/tasks/main.yml
+++ b/ansible/roles/ufw/tasks/main.yml
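Review bot: The new handler uses `become: yes`, which is a YAML 1.1 truthy spelling that yamllint and ansible-lint flag; write `become: true` so the value is an unambiguous boolean under both 1.1 and 1.2 parsers. Because the handler is the only place the edited before.rules file is actually loaded, a rendering mistake in either notifying task will surface only here, at the end of the play, so a short comment on the handler saying that it is the validation point for before.rules edits would help the next maintainer, e.g. `# Reloads ufw so edits to /etc/ufw/before.rules take effect (and are syntax-checked)`.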
@@ -2,20 +2,32 @@ - ufw become: yes block: - - when: ufw__nat_address is defined + - when: + notify: ufw reload blockinfile: path: /etc/ufw/before.rules insertbefore: "^# Don't delete these required lines" + marker: "# NAT config: {mark}" + state: "{{ 'present' if ufw__nat_address is defined else 'absent' }}" content: | - # NAT table rules *nat :POSTROUTING ACCEPT [0:0] - - # Forward traffic through eth0 - Change to match you out-interface -A POSTROUTING -s {{ ufw__nat_address }}/{{ ufw__nat_prefix }} -o eth0 -j MASQUERADE + COMMIT - # don't delete the 'COMMIT' line or these nat table rules won't - # be processed + - notify: ufw reload + vars: + forwardings: "{{ ufw__port_forwardings if ufw__port_forwardings is defined else [] }}" + blockinfile: + path: /etc/ufw/before.rules + insertbefore: "^# Don't delete these required lines" + marker: "# Port forwarding: {mark}" + state: "{{ 'present' if ufw__port_forwardings is defined else 'absent' }}" + content: | + *nat + {% for pf in forwardings %} + -A PREROUTING -i eth0 {{ " -d" + pf.addr if pf.addr is defined else "" }} -p {{ pf.proto if pf.proto is defined else "tcp" }} --dport {{ pf.port }} -j DNAT --to-destination {{ pf.to }}:{{ pf.to_port if pf.to_port is defined else pf.port }} + {% endfor %} COMMIT - ufw: -- cgit v1.2.3
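Review bot: The first task keeps a bare `- when:` with no expression after the condition was moved into `state:`; an empty conditional is not a usable guard (Ansible evaluates a null `when` as true and ansible-lint flags it), so the key should be dropped and the task given a name instead, e.g. `- name: NAT masquerade rules in before.rules`, with the new port-forwarding task named likewise. In the new DNAT rule `{{ " -d" + pf.addr if pf.addr is defined else "" }}` renders `-d` glued to the address with no separating space; iptables-restore most likely still accepts the attached short-option argument, but `" -d " + pf.addr` is the unambiguous form and reads correctly in the generated file. Both the MASQUERADE and the PREROUTING rules also keep `eth0` hard-coded while the commit deletes the comment that told operators to change it to their out-interface, so the assumption is now silent; moving the interface into a role variable with `eth0` as its default would preserve behaviour and make it visible. Note that DNAT in PREROUTING alone does not admit the forwarded packets through ufw's FORWARD chain, so each forwarding entry will also need a matching route/allow rule unless that is handled elsewhere in the role. The enclosing `block:` task list starts before this hunk and the following `- ufw:` task continues past it.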