authorbinary <me@rgoncalves.se>2020-11-08 20:58:16 +0100
committerbinary <me@rgoncalves.se>2020-11-08 20:58:16 +0100
commit94846acc8c39debfa0597ae9e8b17e20dc385dc5 (patch)
tree5b0188a71c79440bce2bb7ad891f759248fbe630 /roles/pf
parentcd428140eea27e7c02ebb123bd4e4208efeb33be (diff)
downloadinfrastructure-94846acc8c39debfa0597ae9e8b17e20dc385dc5.tar.gz
Fix bridge skip for vmm
Diffstat (limited to 'roles/pf')
-rw-r--r--roles/pf/templates/pf.conf.j220
1 files changed, 13 insertions, 7 deletions
diff --git a/roles/pf/templates/pf.conf.j2 b/roles/pf/templates/pf.conf.j2
index d39694d..6d67f4f 100644
--- a/roles/pf/templates/pf.conf.j2
+++ b/roles/pf/templates/pf.conf.j2
@@ -1,11 +1,10 @@
{# pf ~~ templates/pf.conf.j2 #}
-
# pf ~~ /etc/pf.conf
-# ========================= #
+# *
# common config. by Ansible
-# ========================= #
+# *
set block-policy drop
set loginterface egress
@@ -17,15 +16,22 @@ block all
pass in quick on egress proto {{ service["proto"] }} to port {{ service["port"] }}
{% endfor %}
-# ====================== #
+# *
# sub-config. by Ansible
-# ====================== #
+# *
+
+{% if hypervisor is defined and vms is defined %}
+# hypervisor network passthrough
+{% for i in range(vms | length + 5) %}
+set skip on tap{{ i }}
+{% endfor %}
+{% endif %}
{% include "templates/" + inventory_hostname + "/etc/pf.conf.j2" ignore missing %}
-# ========================= #
+# *
# out. interface by Ansible
-# ========================= #
+# *
pass out quick inet
pass in proto { icmp, icmp6 } all
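Review bot: The added `set skip on tap{{ i }}` lines exempt every generated tap interface from pf entirely, so the `block all` default and the per-service egress rules above no longer apply to traffic arriving from vmm guests on those interfaces; nothing in the hunk records that this is intentional, and a later reader may take the block as a normal passthrough rule. I would add a comment above the loop such as `# vmm guests: tap interfaces are exempt from all pf filtering (block all does not apply here)`. The `+ 5` in `range(vms | length + 5)` is a magic headroom value; either note its purpose (`# +5: spare taps for VMs created outside the inventory`) or lift it into a role variable with a default so the headroom is adjustable per host. Note also that these `set` options are emitted after the filtering rules; if the target pf still enforces options-before-rules ordering, pfctl would reject the generated file, so confirm with `pfctl -nf` against a rendered template.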