From bff77c7fb34e9ba0ae1f42ba920ff09f9faca30d Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 30 Jan 2022 16:05:53 +0100
Subject: wireguard/gateway: switch to nftables

---
 roles/network/wireguard/gateway/tasks/main.yml | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)
(limited to 'roles/network/wireguard/gateway/tasks')

diff --git a/roles/network/wireguard/gateway/tasks/main.yml b/roles/network/wireguard/gateway/tasks/main.yml
index bc14db1b..0234fc6c 100644
--- a/roles/network/wireguard/gateway/tasks/main.yml
+++ b/roles/network/wireguard/gateway/tasks/main.yml
@@ -26,25 +26,15 @@
     state: started
 
-- name: create iptables service unit
+- name: install nftables rules
   loop: "{{ wireguard_gateway_tunnels | dict2items }}"
   loop_control:
     label: "{{ item.key }}"
   when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
   template:
-    src: systemd-iptables.service.j2
-    dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-iptables.service"
-
-- name: enable/start iptables service unit
-  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
-  loop_control:
-    label: "{{ item.key }}"
-  when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
-  systemd:
-    daemon_reload: yes
-    name: "wireguard-gateway-{{ item.key }}-iptables.service"
-    enabled: yes
-    state: started
+    src: nftables.rules.j2
+    dest: "/etc/nftables.d/wireguard-gateway-{{ item.key }}.nft"
+  notify: reload nftables
 
 - name: install workaround for default-gateway handling
--
cgit v1.2.3
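Review bot: The new `install nftables rules` task writes the rendered fragment straight into `/etc/nftables.d/` and triggers `reload nftables` without checking it first, so a template error in `nftables.rules.j2` only surfaces when the whole host ruleset is reloaded, and depending on how that handler is implemented the gateway can be left with a partial or flushed firewall; add `validate: 'nft -c -f %s'` under `template:` so a broken fragment is rejected before it replaces the old file (assuming the fragment is self-contained enough for a standalone syntax check). The commit also drops the `create iptables service unit` and `enable/start iptables service unit` tasks but adds nothing to stop, disable and remove `wireguard-gateway-{{ item.key }}-iptables.service` on hosts that were deployed before this change, so those units keep running and their rules coexist with the new nftables ones until someone cleans them up by hand. The `notify` key must sit at task level, not inside the `template:` argument mapping; the indentation is hard to read in this view, so please confirm it.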