[ferm] Redesign iptables backend configuration

(cherry picked from commit 75780c9) (cherry picked from commit 5ffeea6) (cherry picked from commit 74f711f)
debops · Nov 29, 2021 · 7797f6e · 7797f6e
1 parent cbd84da
commit 7797f6e
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -63,6 +63,16 @@ Continuous Integration
   Bionic and Focal releases by default, in addition to already defined OS
   releases.
 
+- The backend configuration will now manage all relevant alternatives for
+  :command:`arptables`, :command:`ebtables`, :command:`iptables` and
+  :command:`ip6tables` commands to keep various parts of the firewall
+  synchronized.
+
+  .. warning:: The variable which controls what backend is used has been
+               renamed to :envvar:`ferm__iptables_backend_type` due to value
+               change. You might need to update your Ansible inventory to select
+               the correct backend.
+
 :ref:`debops.pki` role
 ''''''''''''''''''''''
 

diff --git a/ansible/roles/ferm/defaults/main.yml b/ansible/roles/ferm/defaults/main.yml
@@ -52,17 +52,17 @@ ferm__iptables_backend_enabled: '{{ False
                                     else True }}'
 
                                                                    # ]]]
-# .. envvar:: ferm__iptables_backend_path [[[
+# .. envvar:: ferm__iptables_backend_type [[[
 #
 # Select which iptables backend should be used on the host. Known backends:
 #
-# - ``/usr/sbin/iptables-legacy``
+# - ``legacy`` - old arptables, ebtables, iptables, ip6tables
 #
-# - ``/usr/sbin/iptables-nft``
+# - ``nft`` - new, nftables-based firewall
 #
-# Newer OS releases might need to use the legacy variant to be compatible with
-# :command:`ferm` manager.
-ferm__iptables_backend_path: '/usr/sbin/iptables-nft'
+# Ferm does not support nftables backend, therefore the legacy variant is
+# enabled by default.
+ferm__iptables_backend_type: 'nft'
 
                                                                    # ]]]
 # .. envvar:: ferm__base_packages [[[

diff --git a/ansible/roles/ferm/tasks/main.yml b/ansible/roles/ferm/tasks/main.yml
@@ -24,8 +24,13 @@
 
 - name: Manage iptables backend using alternatives
   alternatives:
-    name: 'iptables'
-    path: '{{ ferm__iptables_backend_path }}'
+    name: '{{ item.name }}'
+    path: '{{ item.path }}'
+  loop:
+    - { 'name': 'arptables', 'path': '/usr/sbin/arptables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'ebtables', 'path': '/usr/sbin/ebtables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'iptables', 'path': '/usr/sbin/iptables-{{ ferm__iptables_backend_type }}' }
+    - { 'name': 'ip6tables', 'path': '/usr/sbin/ip6tables-{{ ferm__iptables_backend_type }}' }
   when: ferm__enabled | bool and ferm__iptables_backend_enabled|bool
 
 - name: Make sure required directories exist