From 98fe4a333bd76af7eef8e10e3635edd6f40e86a0 Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Wed, 9 Aug 2023 00:51:16 +0200
Subject: firewall: fail on malformed rule files

---
 roles/firewall/tasks/main.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 345f6a6..787701c 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -5,7 +5,7 @@
     name: iptables-persistent
     state: present
 
-- name: 'Configure rules'
+- name: Configure rules
   become: true
   ansible.builtin.template:
     src: '{{ item.src }}'
@@ -18,5 +18,20 @@
     - {src: rules.v6, dest: /etc/iptables/rules.v6}
   notify: Reboot
 
+# If I simply restart the netfilter-persistent service, it happily restarts,
+# effectively ignoring errors in files. That way the operator doesn't get
+# feedback if the rules file is malformed.
+- name: Check that the rule files are valid
+  become: true
+  ansible.builtin.command:
+    argv:
+      - '/usr/sbin/{{ item.iptables }}-restore'
+      - --test
+      - '{{ item.dest }}'
+  changed_when: false
+  loop:
+    - {iptables: iptables, dest: /etc/iptables/rules.v4}
+    - {iptables: ip6tables, dest: /etc/iptables/rules.v6}
+
 - name: Reboot if necessary
   ansible.builtin.meta: flush_handlers
-- 
cgit v1.2.3
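Review bot: The new check task runs only after the template task in the previous hunk has already written the rules into /etc/iptables/rules.v4 and rules.v6, so a malformed file fails the play but stays on disk, where netfilter-persistent will load it on the next boot with exactly the silent error handling the comment describes. The template module can validate the rendered file before it replaces the live one via its `validate` parameter, which runs the command against a temporary path substituted for `%s` and aborts the copy on a non-zero exit; that keeps a bad render from ever reaching the system. The change would be `validate: '/usr/sbin/{{ item.iptables }}-restore --test %s'` on the template task plus `iptables: iptables` and `iptables: ip6tables` added to its two loop items, whose surrounding task body lies between the two hunks. The post-deploy check can stay as a second line of defence for files changed outside Ansible, but it should not be the only one.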