From 96f62a17d1ca886c976b283971fa5dae24b20e4b Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 25 Apr 2020 14:21:17 +0300
Subject: [PATCH] roles/common: Use nftables backend in firewalld on Ubuntu 20.04

The nftables backend should be more performant and flexible. I had been planning to use it on Ubuntu 18.04 and Debian 10 as well, but there were issues with the specific versions used in those distros.

See: https://firewalld.org/2018/07/nftables-backend
---
 roles/common/tasks/firewall_Ubuntu.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 2946eb8..33ca7b4 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -17,6 +17,27 @@
 when: ansible_distribution_version is version('16.04', '>=')
 apt: pkg=ufw state=absent
+ # I'm not sure why, but you can use firewalld with the nftables backend even
+ # if nftables itself is not installed. In that case the only way to see the
+ # currently active rules is with firewall-cmd. I prefer installing nftables
+ # so that we can have somewhat of a parallel with iptables:
+ #
+ # nft list ruleset
+ #
+ # See: https://firewalld.org/2018/07/nftables-backend
+ - name: Install nftables
+ when: ansible_distribution_version is version('20.04', '==')
+ apt: pkg=nftables state=present
+ - name: Use nftables backend in firewalld
+ when: ansible_distribution_version is version('20.04', '==')
+ lineinfile:
+ dest: /etc/firewalld/firewalld.conf
+ regexp: '^FirewallBackend=iptables$'
+ line: 'FirewallBackend=nftables'
+ notify:
+ - restart firewalld
+
 - name: Copy firewalld public zone file
 when: ansible_distribution_version is version('16.04', '>=')
 template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
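Review bot: The `regexp: '^FirewallBackend=iptables$'` in the new "Use nftables backend in firewalld" task only matches a line that is exactly the iptables default, so a host whose firewalld.conf has the key commented out, set to another value, or followed by trailing whitespace gets no replacement; `lineinfile` then appends `FirewallBackend=nftables` at EOF (older Ansible releases do this even when an identical line already exists), leaving two `FirewallBackend=` entries whose precedence firewalld does not document. Anchoring on the key instead, `regexp: '^#?\s*FirewallBackend='`, makes the task converge every 20.04 host on the nftables backend and stays idempotent on re-runs. The `nftables` package installed just above also ships `nftables.service`, whose stock `/etc/nftables.conf` starts with `flush ruleset`; I believe the unit is disabled by default on 20.04, but if it is ever enabled it will wipe firewalld's tables at boot, so a `service: name=nftables enabled=no` task after the install would make the role not depend on that default. The `restart firewalld` handler this task notifies is not visible in the hunk; it must exist in the role's handlers, and it does need to be a restart rather than a reload, since as far as I know firewalld only reads FirewallBackend at startup.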