dch-gw: Initial commit

The *dch-gw* role, and the corresponding `dch-gw.yml` playbook, apply
all of the necessary configuration to the edge router on my home
network.

roles/dch-gw/defaults/main.yml

@@ -0,0 +1 @@
+nat_port_forwards: []

roles/dch-gw/files/ipv4-nat.nft

@@ -0,0 +1,8 @@
+#! /usr/sbin/nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input		{ type nat hook input priority 100; }
+	chain output		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}

roles/dch-gw/files/outside-address.dhcpcd-hook

@@ -0,0 +1,28 @@
+# vim: set ft=sh :
+
+(
+RULESET=/var/lib/dhcpcd/outside-address.ruleset
+
+
+reload_nftables() {
+	systemctl reload nftables
+}
+
+
+write_ruleset() {
+	install -d "${RULESET%/*}"
+	printf 'define outside_address = %s\n' "${new_ip_address}" \
+		> "${RULESET}"
+}
+
+
+if [ -n "${new_ip_address}" ]; then
+	if [ ! -f "${ruleset}" ]; then
+		write_ruleset
+		reload_nftables
+	elif [ "${new_ip_address}" != "${old_ip_address}" ]; then
+		write_ruleset
+		reload_nftables
+	fi
+fi
+)

roles/dch-gw/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: rebind dhcp leases
+  command: dhcpcd -n

roles/dch-gw/tasks/main.yml

@@ -0,0 +1,39 @@
+- name: ensure outside-address dhcpcd hook is installed
+  copy:
+    src=outside-address.dhcpcd-hook
+    dest=/usr/libexec/dhcpcd-hooks/10-outside-address
+    mode=0444
+  notify: rebind dhcp leases
+- meta: flush_handlers
+
+- name: ensure ipv4 forwarding is enabled
+  sysctl:
+    name=net.ipv4.conf.all.forwarding
+    value=1
+    sysctl_file=/etc/sysctl.d/ip-forwarding.conf
+    state=present
+- name: ensure ipv6 forwarding is enabled
+  sysctl:
+    name=net.ipv6.conf.all.forwarding
+    value=1
+    sysctl_file=/etc/sysctl.d/ip-forwarding.conf
+    state=present
+
+- name: ensure ipv4 nat rules are configured
+  copy:
+    src=ipv4-nat.nft
+    dest=/etc/nftables/ruleset.d/10_ipv4-nat.nft
+    mode=0644
+  notify: reload nftables
+- name: ensure port forwards are configured
+  template:
+    src=port-forwards.nft.j2
+    dest=/etc/nftables/ruleset.d/70_port-forwards.nft
+    mode=0644
+  notify: reload nftables
+- name: ensure ip masquerading is configured
+  template:
+    src=masquerade.nft.j2
+    dest=/etc/nftables/ruleset.d/90_masquerade.nft
+    mode=0644
+  notify: reload nftables

roles/dch-gw/templates/masquerade.nft.j2

@@ -0,0 +1,5 @@
+table ip nat {
+    chain postrouting {
+        oif {{ ansible_default_ipv4.interface }} masquerade
+    }
+}

roles/dch-gw/templates/port-forwards.nft.j2

@@ -0,0 +1,45 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+include "/var/lib/dhcpcd/outside-address.ruleset"
+
+table ip nat {
+    set inside_networks {
+        type ipv4_addr
+        flags interval
+        elements = {
+{% for name, network in dch_networks|dictsort if network.ipv4_address is defined %}
+            {{ network.ipv4_address }},
+{% endfor %}
+        }
+    }
+
+    map tcp_forward {
+        type inet_service: ipv4_addr
+        flags interval
+        elements = {
+{% for item in nat_port_forwards if item.protocol|d('tcp') == 'tcp' %}
+            {{ item.port }}: {{ item.destination }},
+{% endfor %}
+        }
+    }
+
+    map udp_forward {
+        type inet_service: ipv4_addr
+        flags interval
+        elements = {
+{% for item in nat_port_forwards if item.protocol|d('tcp') == 'udp' %}
+            {{ item.port }}: {{ item.destination }},
+{% endfor %}
+        }
+    }
+
+    chain prerouting {
+        ip daddr $outside_address dnat tcp dport map @tcp_forward
+        ip daddr $outside_address dnat udp dport map @udp_forward
+    }
+
+    chain postrouting {
+{% for item in nat_port_forwards %}
+        ip saddr @inside_networks ip daddr {{ item.destination }} {{ item.protocol|d('tcp') }} dport {{ item.port }} masquerade
+{% endfor %}
+    }
+}