From a789bf7c9ab069e429712049e1be896bc55192ab Mon Sep 17 00:00:00 2001
From: Nils
Date: Wed, 17 Aug 2022 22:47:20 +0200
Subject: [PATCH] Allow for adding extra tcp ports in nfttables

---
 defaults/main.yml | 2 ++
 templates/nftables.conf.j2 | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index a5c2cc1..2cda92e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,3 +5,5 @@ wireguard_listenport: 51820
 wireguard_peers: []
 wireguard_ipv4_forward: true
 wireguard_ipv6_forward: true
+wireguard_nftables_services_allow:
+ - ssh
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index 36ba357..4071c44 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -11,7 +11,7 @@ table inet filter {
 ct state established,related accept
 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
 ip protocol icmp icmp type echo-request accept
- tcp dport { ssh } ct state new accept
+ tcp dport { {{ wireguard_nftables_services_allow_tcp | join(', ')}} } ct state new accept
 udp dport { {{ wireguard_listenport }} } ct state new accept
 counter drop
 }
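Review bot: The variable name the template reads does not match the default this hunk introduces: defaults/main.yml adds `wireguard_nftables_services_allow`, while the templates/nftables.conf.j2 hunk renders `{{ wireguard_nftables_services_allow_tcp | join(', ')}}`. With Ansible's default undefined-variable handling the template task fails at render time, and if that check is relaxed the rule would render as `tcp dport {  } ct state new accept`, which nft would presumably reject, so the ruleset would not load at all. Rename one side so they agree, e.g. the default to `wireguard_nftables_services_allow_tcp:`. Since the list is spliced verbatim into an nft set, a short comment on the default such as `# TCP ports or service names (as accepted by nft) opened for new inbound connections; keep ssh here unless another management path exists` would help users avoid locking themselves out.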