firewall: create empty ipsets for known networks

So we don’t crash and burn before config is set up.
2024-01-30 12:37:14 +01:00 · 2024-01-30 12:37:14 +01:00 · 544aa0a088
parent 161ce73be7
commit 544aa0a088
2 changed files with 3 additions and 0 deletions
--- a/roles/firewall/tasks/nftables.yml
+++ b/roles/firewall/tasks/nftables.yml
@ -16,6 +16,7 @@
    mode: 0644
  loop:
    - interfaces.nft
+    - networks.nft
  notify: reload nftables

 - name: Enable nftables service
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@ -5,6 +5,7 @@ flush ruleset

 table inet filter {
    include "/etc/nftables.d/interfaces.nft"
+    include "/etc/nftables.d/networks.nft"
    include "/etc/nftables.d/sets.nft*"

    set link {
@ -92,6 +93,7 @@ table inet filter {

 table ip nat {
    include "/etc/nftables.d/interfaces.nft"
+    include "/etc/nftables.d/networks.nft"
    include "/etc/nftables.d/sets.nft*"
    include "/etc/nftables.d/netmap.nft*"