author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-10 20:21:18 +0200 |
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-10 20:46:16 +0200 |
commit | 2886694a77ad37d64b2ef5b2d181fa046dab4055 (patch) | |
tree | c3d21c680b70a80f5eea0b94f51e8cf26b2e1ee5 /roles | |
parent | v0.0.8 (diff) | |
firewall: don't put invalid rules in /etc/iptables/
Diffstat (limited to 'roles')
-rw-r--r-- | roles/firewall/tasks/file.yml | 45 | ||||
-rw-r--r-- | roles/firewall/tasks/main.yml | 30 |
2 files changed, 49 insertions, 26 deletions
diff --git a/roles/firewall/tasks/file.yml b/roles/firewall/tasks/file.yml
new file mode 100644
index 0000000..a703d3b
--- /dev/null
+++ b/roles/firewall/tasks/file.yml
@@ -0,0 +1,45 @@
+- name: Create a temporary file
+ ansible.builtin.tempfile:
+ register: rules_file
+
+- name: Configure rules in a temporary file
+ become: true
+ ansible.builtin.template:
+ src: '{{ item.src }}'
+ dest: '{{ rules_file.path }}'
+ owner: root
+ group: root
+ mode: '640'
+
+- name: Print temporary file path
+ ansible.builtin.debug:
+ msg: 'Temporary rules file: {{ rules_file.path }}'
+
+# If I simply restart the netfilter-persistent service, it happily restarts,
+# effectively ignoring errors in files. That way the operator doesn't get
+# feedback if the rules file is malformed.
+- name: Check that the rules are valid
+ become: true
+ ansible.builtin.command:
+ argv:
+ - '/usr/sbin/{{ item.tool }}-restore'
+ - --test
+ - '{{ rules_file.path }}'
+ changed_when: false
+
+- name: Copy rules to /etc/iptables
+ become: true
+ ansible.builtin.copy:
+ remote_src: true
+ src: '{{ rules_file.path }}'
+ dest: '{{ item.dest }}'
+ owner: root
+ group: root
+ mode: '640'
+ notify: Reboot
+
+- name: Remove temporary file
+ become: true
+ ansible.builtin.file:
+ path: '{{ rules_file.path }}'
+ state: absent
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 787701c..95d02d3 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
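Review bot: The `Remove temporary file` task at the end of the hunk only runs when every task before it succeeds, so in exactly the case this change exists for — `iptables-restore --test` rejecting the rendered rules — the play stops with the root-owned rendered file left behind in the system temp directory, and the same happens if the copy into `/etc/iptables` fails; wrapping the template/test/copy tasks in a `block:` with the removal under `always:` guarantees cleanup on both paths. Separately, `Create a temporary file` runs without `become`, so the file is created in a world-writable directory owned by the unprivileged login user and only afterwards overwritten by root; as far as I can tell the ordering is not exploitable as written (the file exists before root renames over it), but adding `become: true` to that task keeps the whole lifecycle root-owned and removes the need to reason about it. The `Print temporary file path` debug task is one line of noise per host per rules file; if it is meant as a troubleshooting aid, gating it with `verbosity: 1` keeps normal runs quiet.
```yaml
- name: Create a temporary file
  become: true
  ansible.builtin.tempfile:
  register: rules_file

- name: Validate and install the rules
  block:
    - name: Configure rules in a temporary file
      # … unchanged: template task body, indented under block …
    # … unchanged: "Check that the rules are valid" and "Copy rules to /etc/iptables" tasks, indented under block …
  always:
    - name: Remove temporary file
      become: true
      ansible.builtin.file:
        path: '{{ rules_file.path }}'
        state: absent
```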
@@ -5,33 +5,11 @@ name: iptables-persistent state: present -- name: Configure rules - become: true - ansible.builtin.template: - src: '{{ item.src }}' - dest: '{{ item.dest }}' - owner: root - group: root - mode: '640' - loop: - - {src: rules.v4, dest: /etc/iptables/rules.v4} - - {src: rules.v6, dest: /etc/iptables/rules.v6} - notify: Reboot - -# If I simply restart the netfilter-persistent service, it happily restarts, -# effectively ignoring errors in files. That way the operator doesn't get -# feedback if the rules file is malformed. -- name: Check that the rule files are valid - become: true - ansible.builtin.command: - argv: - - '/usr/sbin/{{ item.iptables }}-restore' - - --test - - '{{ item.dest }}' - changed_when: false +- name: Configure rule files + ansible.builtin.include_tasks: file.yml loop: - - {iptables: iptables, dest: /etc/iptables/rules.v4} - - {iptables: ip6tables, dest: /etc/iptables/rules.v6} + - {src: rules.v4, dest: /etc/iptables/rules.v4, tool: iptables} + - {src: rules.v6, dest: /etc/iptables/rules.v6, tool: ip6tables} - name: Reboot if necessary ansible.builtin.meta: flush_handlers |
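Review bot: Looping the whole render-test-copy sequence from `file.yml` once per item leaves a host half-updated when `rules.v4` validates and is copied but `rules.v6` fails: the new v4 file is already in `/etc/iptables`, the play stops before the `Reboot` handler fires, and the next unrelated reboot brings the box up with new v4 rules beside the old v6 rules. Consider validating both rendered files before either is installed — for example splitting `file.yml` into a render-and-test include and an install include and looping over the same list twice — so the pair is installed together or not at all. A smaller point: the included file relies on the default `item` loop variable, and `loop_control: {loop_var: rules_spec}` (with the references in `file.yml` renamed to match) avoids clobbering `item` if this role is ever included from another loop. The package task whose `name: iptables-persistent` line opens the hunk starts above it.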