########################################################################
# File managed by Salt at <{{ source }}>.
# Your changes will be overwritten.
########################################################################
{%- set ipv6 = "yes" if ufw_settings.get('ipv6', True) else "no" %}
{%- set default_input_policy = ufw_settings.get('default_input_policy', 'DROP') %}
{%- set default_output_policy = ufw_settings.get('default_output_policy', 'ACCEPT') %}
{%- set default_forward_policy = ufw_settings.get('default_forward_policy', 'DROP') %}
{%- set default_application_policy = ufw_settings.get('default_application_policy', 'SKIP') %}
{%- set manage_builtins = "yes" if ufw_settings.get('manage_builtins', False) else "no" %}
{%- set ipt_sysctl = ufw_settings.get('ipt_sysctl', '/etc/ufw/sysctl.conf') %}
{%- set ipt_modules = ufw_settings.get('ipt_modules', ['nf_conntrack_ftp', 'nf_nat_ftp', 'nf_conntrack_netbios_ns'])|join(" ") %}

# Set to yes to apply rules to support IPv6 (no means only IPv6 on loopback
# accepted). You will need to 'disable' and then 'enable' the firewall for
# the changes to take affect.
IPV6={{ ipv6 }}

# Set the default input policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_INPUT_POLICY="{{ default_input_policy }}"

# Set the default output policy to ACCEPT, DROP, or REJECT. Please note that if
# you change this you will most likely want to adjust your rules.
DEFAULT_OUTPUT_POLICY="{{ default_output_policy }}"

# Set the default forward policy to ACCEPT, DROP or REJECT.  Please note that
# if you change this you will most likely want to adjust your rules
DEFAULT_FORWARD_POLICY="{{ default_forward_policy }}"

# Set the default application policy to ACCEPT, DROP, REJECT or SKIP. Please
# note that setting this to ACCEPT may be a security risk. See 'man ufw' for
# details
DEFAULT_APPLICATION_POLICY="{{ default_application_policy }}"

# By default, ufw only touches its own chains. Set this to 'yes' to have ufw
# manage the built-in chains too. Warning: setting this to 'yes' will break
# non-ufw managed firewall rules
MANAGE_BUILTINS={{ manage_builtins }}

#
# IPT backend
#
# only enable if using iptables backend
IPT_SYSCTL={{ ipt_sysctl }}

# Extra connection tracking modules to load. Complete list can be found in
# net/netfilter/Kconfig of your kernel source. Some common modules:
# nf_conntrack_irc, nf_nat_irc: DCC (Direct Client to Client) support
# nf_conntrack_netbios_ns: NetBIOS (samba) client support
# nf_conntrack_pptp, nf_nat_pptp: PPTP over stateful firewall/NAT
# nf_conntrack_ftp, nf_nat_ftp: active FTP support
# nf_conntrack_tftp, nf_nat_tftp: TFTP support (server side)
IPT_MODULES="{{ ipt_modules }}"