138 lines
4.6 KiB
YAML
138 lines
4.6 KiB
YAML
---
|
|
# Copyright 2022 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
# systemctl will return 0 if enabled, 3 if disabled
|
|
- name: Get nftables service state
|
|
ansible.builtin.command: systemctl status nftables
|
|
register: nftables_status
|
|
failed_when: nftables_status.rc not in [0, 3]
|
|
|
|
- name: Swith firewall management to nftables if needed
|
|
when:
|
|
- nftables_status.rc == 3
|
|
include_tasks: service.yaml
|
|
|
|
- name: IPtables compatibility layout
|
|
become: true
|
|
block:
|
|
- name: Push initial, empty ruleset
|
|
register: init_nftables
|
|
copy:
|
|
dest: /etc/nftables/iptables.nft
|
|
src: iptables.nft
|
|
|
|
- name: Load empty ruleset if needed
|
|
when:
|
|
- init_nftables is changed
|
|
ansible.builtin.command: nft -f /etc/nftables/iptables.nft
|
|
|
|
# Get current nft rules in JSON format, with our iptables compat content.
|
|
- name: Get current nftables content
|
|
become: true
|
|
ansible.builtin.command: nft -j list ruleset
|
|
register: nft_current_rules
|
|
|
|
- name: nftables files generation
|
|
become: true
|
|
block:
|
|
# Create a dedicated file for jumps - makes easier to manage afterward.
|
|
# That one will be loaded upon boot only.
|
|
- name: Generate chain jumps
|
|
ignore_errors: "{{ ansible_check_mode|bool }}"
|
|
vars:
|
|
current_nft: "{{ nft_current_rules }}"
|
|
nft_is_update: false
|
|
template:
|
|
dest: /etc/nftables/tripleo-jumps.nft
|
|
src: jump-chain.j2
|
|
|
|
# Create a special "update chain jumps" file, adding just the MISSING
|
|
# jumps in the main, default chains. This will avoid useless duplication
|
|
# upon update/day-2 operation, since we cannot really flush INPUT and other
|
|
# default chains.
|
|
- name: Generate chain jumps
|
|
ignore_errors: "{{ ansible_check_mode|bool }}"
|
|
vars:
|
|
current_nft: "{{ nft_current_rules }}"
|
|
nft_is_update: true
|
|
template:
|
|
dest: /etc/nftables/tripleo-update-jumps.nft
|
|
src: jump-chain.j2
|
|
|
|
# Note: we do NOT include this one for boot, since chains are
|
|
# already empty!
|
|
- name: Generate nft flushes
|
|
register: nft_flushes
|
|
template:
|
|
dest: /etc/nftables/tripleo-flushes.nft
|
|
src: flush-chain.j2
|
|
|
|
- name: Generate nft tripleo chains
|
|
register: nft_chains
|
|
template:
|
|
dest: /etc/nftables/tripleo-chains.nft
|
|
src: chains.j2
|
|
|
|
- name: Generate nft ruleset in static file
|
|
register: nft_ruleset
|
|
template:
|
|
dest: /etc/nftables/tripleo-rules.nft
|
|
src: ruleset.j2
|
|
|
|
# We cannot use the "validate" parameter from the "template" module, since
|
|
# we don't load the chains before. So let's validate now, with all the things.
|
|
# Remember, the "iptables" compat layout is already loaded at this point.
|
|
- name: Validate all of the generated content before loading
|
|
ansible.builtin.shell: >-
|
|
cat /etc/nftables/tripleo-chains.nft
|
|
/etc/nftables/tripleo-flushes.nft
|
|
/etc/nftables/tripleo-rules.nft
|
|
/etc/nftables/tripleo-update-jumps.nft
|
|
/etc/nftables/tripleo-jumps.nft | nft -c -f -
|
|
|
|
# Order is important here.
|
|
# Please keep that in mind in case you want to add some new ruleset in their
|
|
# dedicated file!
|
|
- name: Ensure we load our different nft rulesets on boot
|
|
become: true
|
|
ansible.builtin.blockinfile:
|
|
path: /etc/sysconfig/nftables.conf
|
|
backup: false
|
|
validate: nft -c -f %s
|
|
block: |
|
|
include "/etc/nftables/iptables.nft"
|
|
include "/etc/nftables/tripleo-chains.nft"
|
|
include "/etc/nftables/tripleo-rules.nft"
|
|
include "/etc/nftables/tripleo-jumps.nft"
|
|
|
|
- name: Create our custom chains
|
|
become: true
|
|
ansible.builtin.command: nft -f /etc/nftables/tripleo-chains.nft
|
|
|
|
# Here, we make different call in order to avoid jumps duplication.
|
|
# In both cases, we flush the custom chains. Doing things like that ensures
|
|
# we run all, from the flush to the rule creation, in a single transaction.
|
|
# This prevents accidental lock-outs.
|
|
- name: Reload custom nftables ruleset WITH jumps
|
|
become: true
|
|
ansible.builtin.shell: >-
|
|
cat /etc/nftables/tripleo-flushes.nft
|
|
/etc/nftables/tripleo-rules.nft
|
|
/etc/nftables/tripleo-update-jumps.nft | nft -f -
|
|
when:
|
|
- nft_ruleset is changed
|