authorIvan Dolgov <ivan@qvarnlabs.com>2017-02-14 18:33:09 +0200
committerIvan Dolgov <ivan@qvarnlabs.com>2017-02-14 18:33:09 +0200
commite83e795130b65306218fc22c5b09ed2ae75fd382 (patch)
treec7b6ff62019f5680fe10c5bde39a8fdb0a63d18c
parentaa85519a59979f7783da986af858b840190dfa99 (diff)
downloadminipc-router-e83e795130b65306218fc22c5b09ed2ae75fd382.tar.gz
Add MAC blacklisting
-rw-r--r--ansible/roles/router/defaults/main.yml1
-rw-r--r--ansible/roles/router/tasks/main.yml4
-rw-r--r--ansible/roles/router/templates/ferm.conf.j2 (renamed from ansible/roles/router/files/ferm.conf)8
3 files changed, 10 insertions, 3 deletions
diff --git a/ansible/roles/router/defaults/main.yml b/ansible/roles/router/defaults/main.yml
new file mode 100644
index 0000000..0cb7619
--- /dev/null
+++ b/ansible/roles/router/defaults/main.yml
@@ -0,0 +1 @@
+mac_blacklist: []
diff --git a/ansible/roles/router/tasks/main.yml b/ansible/roles/router/tasks/main.yml
index bd28a11..f4432c4 100644
--- a/ansible/roles/router/tasks/main.yml
+++ b/ansible/roles/router/tasks/main.yml
@@ -2,8 +2,8 @@
apt: name=ferm
- name: copy ferm.conf
- copy: >
- src=ferm.conf dest=/etc/ferm/ferm.conf
+ template: >
+ src=ferm.conf.j2 dest=/etc/ferm/ferm.conf
owner=root group=root mode=0640
notify: restart ferm
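Review bot: The switch to `template:` on `src=ferm.conf.j2` writes whatever `mac_blacklist` expands to straight into /etc/ferm/ferm.conf with no check that the result still parses, so a malformed list entry is only discovered when the `restart ferm` handler fails, after the old config has already been replaced. The template module's `validate` option can run ferm's parse-only mode on the candidate file before it is installed, e.g. adding `validate="ferm -n %s"` to the folded `template: >` block, which keeps the last-known-good config in place on error. The task name on the context line above (`- name: copy ferm.conf`) still says "copy" although the task now renders a template; renaming it to `render ferm.conf` would keep the play output truthful. The surrounding task list starts above the hunk.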
diff --git a/ansible/roles/router/files/ferm.conf b/ansible/roles/router/templates/ferm.conf.j2
index 4cc1a24..adf0248 100644
--- a/ansible/roles/router/files/ferm.conf
+++ b/ansible/roles/router/templates/ferm.conf.j2
@@ -13,7 +13,13 @@
@def $NET_PRIVATE = 10.0.0.0/16;
table filter {
- chain INPUT policy ACCEPT;
+ chain INPUT {
+ policy ACCEPT;
+{% for mac in mac_blacklist %}
+ mod mac mac-source {{ mac }} DROP;
+{% endfor %}
+ }
+
chain OUTPUT policy ACCEPT;
chain FORWARD policy ACCEPT;
}
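Review bot: The blacklist loop at `{% for mac in mac_blacklist %}` is only placed in the new INPUT chain, so a listed device is cut off from the router itself while `chain FORWARD policy ACCEPT;` two lines below still forwards that device's routed traffic unchanged; if the blacklist is meant to keep a device off the network rather than only off the router's own services, the same loop belongs in FORWARD too. Since `mac-source` matches a layer-2 address the client host presents itself, the control is best documented as a convenience for known or misbehaving devices rather than an access-control boundary, for example with a comment on the loop such as `# MAC is client-supplied; blocks known devices, not a determined peer`. The rest of the ferm file lies outside the hunk, so whether other chains already reference these rules cannot be seen here.
```jinja
{# … unchanged: INPUT chain with mac_blacklist loop, OUTPUT chain … #}
    chain FORWARD {
        policy ACCEPT;
{% for mac in mac_blacklist %}
        mod mac mac-source {{ mac }} DROP;
{% endfor %}
    }
```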