From 8e5c279f7cecf29589835e74602155b9afc430d8 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 15 Jun 2022 19:35:36 +0200
Subject: add simple handling for nftable rulesets in base role

---
 chaos-at-home/ch-gw-lan.yml | 27 ---------------------------
 1 file changed, 27 deletions(-)
(limited to 'chaos-at-home/ch-gw-lan.yml')

diff --git a/chaos-at-home/ch-gw-lan.yml b/chaos-at-home/ch-gw-lan.yml
index 11d65b17..37ed17fa 100644
--- a/chaos-at-home/ch-gw-lan.yml
+++ b/chaos-at-home/ch-gw-lan.yml
@@ -10,33 +10,6 @@
   - role: network/dhcp-server
   - role: network/nftables/base
   post_tasks:
-  - name: install public service nftable rules
-    copy:
-      content: |
-        # Ansible managed
-
-        define nic_lan = lan0
-        define public_ipv4 = {{ network_zones.magenta.prefix | ipaddr(network_zones.magenta.offsets['ch-router']) | ipaddr('address') }}
-
-        table ip nat {
-          chain public-services-prerouting {
-            type nat hook prerouting priority -100; policy accept;
-            iif $nic_lan ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
-            {% for name, svc in network_services.items() %}
-            iif $nic_lan ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
-            {% endfor %}
-          }
-          chain public-services-output {
-            type nat hook output priority -100; policy accept;
-            ip daddr $public_ipv4 tcp dport { 222 } dnat to {{ network_zones.svc.prefix | ipaddr(network_zones.svc.offsets['ch-router']) | ipaddr('address') }} comment "ssh-router"
-            {% for name, svc in network_services.items() %}
-            ip daddr $public_ipv4 tcp dport { {{ svc.ports | join(', ') }} } dnat to {{ svc.addr }} comment "{{ name }}"
-            {% endfor %}
-          }
-        }
-    dest: /etc/nftables.d/public-services.nft
-    notify: reload nftables
-
   - name: install etherwake
     apt:
       name: etherwake
-- 
cgit v1.2.3