diff options
| author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 00:51:16 +0200 |
|---|---|---|
| committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-09 00:55:36 +0200 |
| commit | 98fe4a333bd76af7eef8e10e3635edd6f40e86a0 (patch) | |
| tree | b321f292e3a0578709939523d4286e539a83b1e4 /roles/firewall/tasks | |
| parent | journald: set default level to warning (diff) | |
| download | infra-ansible-98fe4a333bd76af7eef8e10e3635edd6f40e86a0.tar.gz infra-ansible-98fe4a333bd76af7eef8e10e3635edd6f40e86a0.zip | |
firewall: fail on malformed rule files
Diffstat (limited to 'roles/firewall/tasks')
| -rw-r--r-- | roles/firewall/tasks/main.yml | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml index 345f6a6..787701c 100644 --- a/roles/firewall/tasks/main.yml +++ b/roles/firewall/tasks/main.yml @@ -5,7 +5,7 @@ name: iptables-persistent state: present -- name: 'Configure rules' +- name: Configure rules become: true ansible.builtin.template: src: '{{ item.src }}' @@ -18,5 +18,20 @@ - {src: rules.v6, dest: /etc/iptables/rules.v6} notify: Reboot +# If I simply restart the netfilter-persistent service, it happily restarts, +# effectively ignoring errors in files. That way the operator doesn't get +# feedback if the rules file is malformed. +- name: Check that the rule files are valid + become: true + ansible.builtin.command: + argv: + - '/usr/sbin/{{ item.iptables }}-restore' + - --test + - '{{ item.dest }}' + changed_when: false + loop: + - {iptables: iptables, dest: /etc/iptables/rules.v4} + - {iptables: ip6tables, dest: /etc/iptables/rules.v6} + - name: Reboot if necessary ansible.builtin.meta: flush_handlers |