authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 00:51:16 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 00:55:36 +0200
commit98fe4a333bd76af7eef8e10e3635edd6f40e86a0 (patch)
treeb321f292e3a0578709939523d4286e539a83b1e4 /roles/firewall/tasks/main.yml
parentjournald: set default level to warning (diff)
firewall: fail on malformed rule files
Diffstat (limited to 'roles/firewall/tasks/main.yml')
-rw-r--r--roles/firewall/tasks/main.yml17
1 files changed, 16 insertions, 1 deletions
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 345f6a6..787701c 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -5,7 +5,7 @@
name: iptables-persistent
state: present
-- name: 'Configure rules'
+- name: Configure rules
become: true
ansible.builtin.template:
src: '{{ item.src }}'
@@ -18,5 +18,20 @@
- {src: rules.v6, dest: /etc/iptables/rules.v6}
notify: Reboot
+# If I simply restart the netfilter-persistent service, it happily restarts,
+# effectively ignoring errors in files. That way the operator doesn't get
+# feedback if the rules file is malformed.
+- name: Check that the rule files are valid
+ become: true
+ ansible.builtin.command:
+ argv:
+ - '/usr/sbin/{{ item.iptables }}-restore'
+ - --test
+ - '{{ item.dest }}'
+ changed_when: false
+ loop:
+ - {iptables: iptables, dest: /etc/iptables/rules.v4}
+ - {iptables: ip6tables, dest: /etc/iptables/rules.v6}
+
- name: Reboot if necessary
ansible.builtin.meta: flush_handlers
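Review bot: The new `Check that the rule files are valid` task runs `iptables-restore --test` only after the template task earlier in the file has already written the rendered rules to `/etc/iptables/rules.v4` and `rules.v6`, so a malformed ruleset fails the play but is left on disk, having replaced the previous known-good file; on the next boot or netfilter-persistent restart that host would presumably come up without the intended rules. The template module's `validate` option runs the check against the staged file and refuses to install it on failure, which closes that window: on the `Configure rules` task (its body continues outside this hunk) add `validate: '/usr/sbin/{{ item.iptables }}-restore --test %s'` and give its loop items an `iptables` key mirroring the one introduced here. The added post-deploy task can then stay as a belt-and-braces check, or be dropped to avoid running the same test twice. If it stays, a one-line comment such as `# Runs after the files are in place; validate: on the template task is the first line of defence` would make the ordering explicit for the next reader.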