- Fix Ansible Galaxy namespace, ipr_cnrs ➡️ ipr-cnrs (Issue #67).
- Fix variables names for
mangletable (thanks to @kravietz - PR #66).
- Add suppor for
nft_templates(thanks to @kravietz). - Add support for connection tracker (thanks to @chrisvanmeer - PR #62).
- Add support for
mangletable (thanks to @kravietz - PR #65). - Use
commentjinja filter (thanks to @ghost - PR #29). - Move to
inetfor NAT table (thanks to @kravietz - PR #58). - Various Molecule fix (thanks to @kravietz).
- Possibility to disable repository update (thanks to @nikosch86 - PR #55 - Issue #54).
- Fix icmpv6 redirects rules (thanks to @rissson - PR #59).
- Continue on SigStore errors.
- Handle output ICMP default rule (thanks to @rdbisme - PR #50).
- Automatically upload new release to Ansible Galaxy (thanks to @kravietz - PR #45).
- Asynchronous polling of nftables service and enable unit from task (thanks to @mjourdan - PR #36).
- Put nftables.service at systemd.unit (5) path (thanks to @stejoo - PR #40).
- More strict permissions on configuration files (thanks to @stejoo - PR #42).
- Allow skipping of Fail2ban integration (thanks to @stejoo - PR #41).
- Allow user to prefer distro provided service file (thanks to @stejoo - PR #42).
- Use FQCN (ansible.builtin.…) to call Ansible's modules (thanks to @kravietz - PR #47).
- Tell Linguist to treat .yml as code (thanks to @stejoo - PR #37).
- Do not remove iptables on Arch Linux (thanks to @kravietz - PR #46).
- Define vars for Red Hat distro (thanks to @stejoo - PR #42).
- Execute nftables service task when not running in check mode (thanks to @stejoo - PR #48).
Many thanks to @kravietz for all the work on this project and to all other contributors (@stejoo, @mjourdan,…) and those with pending PRs….
- Molecule tests for Gentoo (many thanks to @VTimofeenko ! − PR #25).
- Separate repositories update from installation task (fix #24).
- New examples usecases (mostly for playbooks) in README.md.
- New rules (disable by default) can be define in forward chain (thanks to @p-rintz − PR #14).
- Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
- Gentoo-specific variables (thanks to @VTimofeenko − PR #22).
- Ability to specify nft binary path through nft__bin_location (thanks to @VTimofeenko − PR #22).
- Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
- Molecule tests (on Archlinux, Ubuntu, CentOS, Debian and Fedora) (many thanks to @kravietz ! − PR #23).
- Support for Debian Bullseye (everything should now works fine).
- Remove everything related to in_udp_accept (see conversation in Github PR #13). Cause it was empty by default and the role currently doesn't manage it very well. Take a look to new examples in README.md to find your preferred solution (re-adding it, new simple/multi-ports filter rule,…).
- Ansible-lint: Fix line longer than 160 chars.
- Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
- Ensure to disable nftables systemd unit from old target (PR #20).
- Move systemd "Protect" options for nftables to specific override.conf file (PR #20).
- Allow to merge group variables with nft_merged_groups (#11 #12).
- Debug var with nft_debug (useful to set up merging group variables).
- Extra example to override default variables.
- Add missing ICMPv6 rule.
- Able to manage a new NAT table (with prerouting and postrouting chains).
- Block ipv6 multicast by default.
- Clean tasks name and comments in tasks/main.yml file.
- Order and clean comments in defaults/main.yml file.
- Reload rules instead of restart to avoid to loose rulebase due to invalid syntax (#3 Github).
- Fix deprecation warning with ansible 2.7: Invoking "apt" only once while using a loop via squash_actions is deprecated.
- Turn nft_old_pkg_list into a list.
- Add libiptc0 (iptables dependency) to the list of old package to remove.
- The 10 minutes delay at first run (#1)!
- Add a variable to disable "Protect" instructions in systemd unit.
- Improve vars description/comments in default/main.yml.
- Add a variable to manage custom content (table, include,…).
- Set empty dependencies line to fix Galaxy warning.
- Add possibility to restart Fail2ban service.
- Use to_nice_json to manage packages list.
- Fix E405 Remote package tasks should have a retry.
- Set a variable to enable/disable the support of Nftables.
- Move two tasks in systemd handler (try to fix #1).
- Add a additionnal level for all vars for all hosts (group_vars/all).
- Deprecation warning for state "installed".
- The role now might require Ansible 2.5 (available in Debian Stable backports).
- Reload systemd daemons only if unit file change.
- Provide the systemd unit.
- Rename firewall table to filter table (most use on Debian).
- Set's name can't exceed 15 characters !
- Allow icmpv6 outgoing traffic.
- Ensure to remove old packages (iptables,…).
- Ensure to create the the directory to store the differents configuration files (/etc/nftables.d).
- Manage nftables service at startup.
- Rollback to inet family to manage both ipv4 and ipv6.
- To allow multiple ports/range ports, it's possible to redifine vars or add a rule in a dict.
- Use more sets and vars definitions for input/output to avoid multiple rules.
- Allow outgoing icmp.
- Remove DHCP incoming packets. The connection is started by the host, don't need incoming rule.
- Allow outgoing OpenPGP HTTP requests.
- Install
nftablespackage for Debian based distros. - Generate
nftablesmain configuration file. - Manage global, input and output chains with three dicts.
- Manage vars, sets and maps definition file.
- Restart
nftablesservice.
- Drop blackhole set input packets.
- Allow localhost traffic.
- Allow DHCP traffic.
- Allow SSH input (otherwise Ansible won't work).
- Allow DNS request.