---

# ---------------
# ---------------
# NFTables is unsupported with this role. However I have the actions commented out as a guide
# ---------------
# ---------------
- name: "4.3.1 | AUDIT | Ensure nftables is installed"
  when:
    - ubtu24cis_rule_4_3_1
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.1
    - NIST800-53R5_CA-9
    - nftables
  vars:
    warn_control_id: '4.3.1'
  block:
    - name: "4.3.1 | AUDIT | Ensure nftables is installed | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"

    - name: "4.3.1 | AUDIT | Ensure nftables is installed | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables"
  when:
    - ubtu24cis_rule_4_3_2
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.2
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.2'
  block:
    - name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
        # ansible.builtin.package:
        #     name: ufw
        #     state: absent

    - name: "4.3.2 | AUDIT | Ensure ufw is not in use with nftables | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables"
  when:
    - ubtu24cis_rule_4_3_3
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.3
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.3'
  block:
    - name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
        # ansible.builtin.iptables:
        #     flush: yes

    - name: "4.3.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.4 | AUDIT | Ensure a nftables table exists"
  when:
    - ubtu24cis_rule_4_3_4
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_4.3.4
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.4'
  block:
    - name: "4.3.4 | AUDIT | Ensure a nftables table exists"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
        # ansible.builtin.shell: "nft create table {{ ubtu24cis_nftables_table_name }}"
        # changed_when: discovered_new_nftable.rc == 0
        # failed_when: false
        # check_mode: false
        # register: discovered_new_nftable

    - name: "4.3.4 | AUDIT | Ensure a nftables table exists | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.5 | AUDIT | Ensure nftables base chains exist"
  when:
    - ubtu24cis_rule_4_3_5
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.5
    - NIST800-53R5_NA
    - nftables
  vars:
    warn_control_id: '4.3.5'
  block:
    - name: "4.3.5 | AUDIT | Ensure nftables base chains exist"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"

    - name: "4.3.5 | AUDIT | Ensure nftables base chains exist | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured"
  when:
    - ubtu24cis_rule_4_3_6
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.6
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.6'
  block:
    - name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"

    - name: "4.3.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured"
  when:
    - ubtu24cis_rule_4_3_7
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.7
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.7'
  block:
    - name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"

    - name: "4.3.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy"
  when:
    - ubtu24cis_rule_4_3_8
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.8
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.8'
  block:
    - name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"

    - name: "4.3.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.9 | AUDIT | Ensure nftables service is enabled"
  when:
    - ubtu24cis_rule_4_3_9
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.9
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.9'
  block:
    - name: "4.3.9 | AUDIT | Ensure nftables service is enabled | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
        # ansible.builtin.service:
        #     name: nftables
        #     state: started
        #     enabled: yes

    - name: "4.3.9 | AUDIT | Ensure nftables service is enabled | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "4.3.10 | AUDIT | Ensure nftables rules are permanent"
  when:
    - ubtu24cis_rule_4_3_10
    - ubtu24cis_firewall_package == "nftables"
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_4.3.10
    - NIST800-53R5_CA-9
    - NIST800-53R5_SC-7
    - nftables
  vars:
    warn_control_id: '4.3.10'
  block:
    - name: "4.3.10 | AUDIT | Ensure nftables rules are permanent | Message out warning"
      ansible.builtin.debug:
        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"

    - name: "4.3.10 | AUDIT | Ensure nftables rules are permanent | Set warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml