Diffstat (limited to 'roles/network')
-rw-r--r--roles/network/wireguard/gateway/handlers/main.yml5
-rw-r--r--roles/network/wireguard/gateway/tasks/main.yml18
-rw-r--r--roles/network/wireguard/gateway/templates/nftables.rules.j226
-rw-r--r--roles/network/wireguard/gateway/templates/systemd-iptables.service.j242
-rw-r--r--roles/network/wireguard/gateway/templates/systemd.network.j25
5 files changed, 39 insertions, 57 deletions
diff --git a/roles/network/wireguard/gateway/handlers/main.yml b/roles/network/wireguard/gateway/handlers/main.yml
index 625032dc..4454e240 100644
--- a/roles/network/wireguard/gateway/handlers/main.yml
+++ b/roles/network/wireguard/gateway/handlers/main.yml
@@ -4,3 +4,8 @@
daemon_reload: yes
name: systemd-networkd
state: restarted
+
+- name: reload nftables
+ service:
+ name: nftables
+ state: reloaded
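Review bot: The new handler uses the `service` module while the handler directly above it in this same file uses `systemd`; for consistency (and so the unit-level semantics are explicit) `systemd:` with `name: nftables` and `state: reloaded` reads better here. `state: reloaded` only re-reads the rules if nftables.service has an ExecReload that re-runs `nft -f /etc/nftables.conf` and that file includes `/etc/nftables.d/*.nft`; neither is shown in this diff, so a short comment on the handler, `# relies on /etc/nftables.conf including /etc/nftables.d/*.nft`, would tell the next reader what the reload depends on. The first handler in this file starts above the hunk.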
diff --git a/roles/network/wireguard/gateway/tasks/main.yml b/roles/network/wireguard/gateway/tasks/main.yml
index bc14db1b..0234fc6c 100644
--- a/roles/network/wireguard/gateway/tasks/main.yml
+++ b/roles/network/wireguard/gateway/tasks/main.yml
@@ -26,25 +26,15 @@
state: started
-- name: create iptables service unit
+- name: install nftables rules
loop: "{{ wireguard_gateway_tunnels | dict2items }}"
loop_control:
label: "{{ item.key }}"
when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
template:
- src: systemd-iptables.service.j2
- dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
-
-- name: enable/start iptables service unit
- loop: "{{ wireguard_gateway_tunnels | dict2items }}"
- loop_control:
- label: "{{ item.key }}"
- when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
- systemd:
- daemon_reload: yes
- name: "wireguard-gateway-{{ item.key }}-iptables.service"
- enabled: yes
- state: started
+ src: nftables.rules.j2
+ dest: "/etc/nftables.d/wireguard-gateway-{{ item.key }}.nft"
+ notify: reload nftables
- name: install workaround for default-gateway handling
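Review bot: Nothing in the new task list retires the `wireguard-gateway-{{ item.key }}-iptables.service` units that the removed tasks created and enabled, so on hosts that were provisioned before this change the old unit (`RemainAfterExit=yes`, `WantedBy=multi-user.target`) keeps adding its iptables NAT rules at boot next to the new nftables chains, and SNAT/DNAT is then applied by two rule sets that are maintained independently. I would add a one-off cleanup: stop and disable the unit where it exists (its ExecStop lines run the matching `iptables -D`, so stopping removes the live rules), remove the unit file, and daemon-reload afterwards. Separately, a tunnel that later drops `ip_snat`/`port_forwardings` leaves its `.nft` fragment in place, but that mirrors the old behaviour and is out of scope here. The task list continues outside the hunk.

```yaml
# … unchanged: "install nftables rules" task …

- name: check for legacy iptables service unit
  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  stat:
    path: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
  register: legacy_iptables_units

- name: stop/disable legacy iptables service unit
  loop: "{{ legacy_iptables_units.results }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: item.stat.exists
  systemd:
    name: "wireguard-gateway-{{ item.item.key }}-iptables.service"
    enabled: false
    state: stopped

- name: remove legacy iptables service unit file
  loop: "{{ legacy_iptables_units.results }}"
  loop_control:
    label: "{{ item.item.key }}"
  when: item.stat.exists
  file:
    path: "/etc/systemd/system/wireguard-gateway-{{ item.item.key }}-iptables.service"
    state: absent

# … unchanged: "install workaround for default-gateway handling" task …
```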
diff --git a/roles/network/wireguard/gateway/templates/nftables.rules.j2 b/roles/network/wireguard/gateway/templates/nftables.rules.j2
new file mode 100644
index 00000000..fcf4a21b
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/nftables.rules.j2
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+{% if 'ip_snat' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-snat {
+ type nat hook postrouting priority 100; policy accept;
+ ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
+ }
+}
+{% endif %}
+{% if 'port_forwardings' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-port-forwardings {
+ type nat hook prerouting priority -100; policy accept;
+{% for forward in item.value.port_forwardings %}
+{% for port in forward.tcp_ports | default([]) %}
+ ip daddr {{ forward.dest }} tcp dport {{ port }} dnat to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ ip daddr {{ forward.dest }} udp dport {{ port }} dnat to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+ }
+}
+{% endif %}
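Review bot: Reloading this fragment is not idempotent on its own: once `wireguard-gateway-{{ item.key }}-snat` (or the port-forwardings chain) exists, `nft -f` appends every rule in the chain body again, so each `reload nftables` adds another copy of the SNAT/DNAT rules unless the including `/etc/nftables.conf` starts with `flush ruleset`, which this diff does not show. The usual fix inside the fragment is to declare the chain, `flush chain` it, then populate it, as below for the SNAT branch (the port-forwardings branch would follow the same shape); flushing only the chain rather than `table ip nat` matters because every tunnel's fragment shares that table. I would also quote the interface name, `oifname "{{ item.value.ip_snat.interface }}"`, since nft reads bare words as keywords/symbols and names that are not plain identifiers may not parse unquoted.

```jinja
{% if 'ip_snat' in item.value %}

# Declare the chain so the flush cannot fail on first load, then empty it so a
# reload replaces the rules instead of appending a second copy of them.
table ip nat {
  chain wireguard-gateway-{{ item.key }}-snat {
    type nat hook postrouting priority 100; policy accept;
  }
}
flush chain ip nat wireguard-gateway-{{ item.key }}-snat

table ip nat {
  chain wireguard-gateway-{{ item.key }}-snat {
    ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname "{{ item.value.ip_snat.interface }}" snat to {{ item.value.ip_snat.to }}
  }
}
{% endif %}
# … unchanged: port_forwardings branch (apply the same declare/flush pattern to its chain) …
```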
diff --git a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2 b/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
deleted file mode 100644
index 11cf4b8a..00000000
--- a/roles/network/wireguard/gateway/templates/systemd-iptables.service.j2
+++ /dev/null
@@ -1,42 +0,0 @@
-[Unit]
-Wants=network-online.target
-After=network-online.target
-
-
-[Service]
-Type=oneshot
-
-{% if 'ip_snat' in item.value %}
-ExecStart=/usr/sbin/sysctl net.ipv4.ip_forward=1
-{% for addr in item.value.addresses %}
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStart=/sbin/iptables -t nat -A PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-{% if 'ip_snat' in item.value %}
-{% for addr in item.value.addresses %}
-ExecStop=/sbin/iptables -t nat -D POSTROUTING -s {{ addr | ipaddr('network/prefix') }} -o {{ item.value.ip_snat.interface }} -j SNAT --to {{ item.value.ip_snat.to }}
-{% endfor %}
-{% endif %}
-{% for forward in item.value.port_forwardings | default([]) %}
-{% for port in forward.tcp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p tcp --dport {{ port }} -j DNAT --to {{ forward.tcp_ports[port] }}
-{% endfor %}
-{% for port in forward.udp_ports | default([]) %}
-ExecStop=/sbin/iptables -t nat -D PREROUTING -d {{ forward.dest }} -p udp --dport {{ port }} -j DNAT --to {{ forward.udp_ports[port] }}
-{% endfor %}
-{% endfor %}
-
-RemainAfterExit=yes
-
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/network/wireguard/gateway/templates/systemd.network.j2 b/roles/network/wireguard/gateway/templates/systemd.network.j2
index 6847aa6a..d1dd2139 100644
--- a/roles/network/wireguard/gateway/templates/systemd.network.j2
+++ b/roles/network/wireguard/gateway/templates/systemd.network.j2
@@ -6,7 +6,10 @@ Name={{ item.key }}
Address={{ addr }}
{% endfor %}
{% if 'ip_masq' in item.value and item.value.ip_masq %}
-IPMasquerade=yes
+IPMasquerade=ipv4
+{% endif %}
+{% if 'ip_snat' in item.value %}
+IPForward=ipv4
{% endif %}
{% if 'default_gateway' in item.value %}
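Review bot: `IPForward=ipv4` is emitted only for tunnels with `ip_snat`, yet this role also installs DNAT rules for tunnels that define only `port_forwardings`; if a DNAT target is reached through the tunnel, forwarding for those tunnels then depends on being enabled somewhere else (the removed unit gated its sysctl the same way, so this is pre-existing, but the condition now lives in this template). Mirroring the task's condition, `{% if 'ip_snat' in item.value or 'port_forwardings' in item.value %}`, keeps the two in step. As far as I know `IPForward=` on the networkd versions in use flips the global kernel forwarding setting rather than a per-link one, and newer systemd deprecates it in favour of `IPv4Forwarding=`, so a one-line comment such as `# IPForward= enables forwarding system-wide, not just on this link` would help the next reader; the enclosing `[Network]` section starts above the hunk.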