From 7797f6e90b78100bb9fe9340574394cea5ca88cc Mon Sep 17 00:00:00 2001 From: Maciej Delmanowski Date: Mon, 29 Nov 2021 13:02:36 +0100 Subject: [PATCH] [ferm] Redesign iptables backend configuration (cherry picked from commit 75780c9d9c1a23f77f53fec926da612834411ef8) (cherry picked from commit 5ffeea6518f23e725fe38e997fe48b567b7a31ef) (cherry picked from commit 74f711fce681e03f5c671f8486e6978663b510c1) --- CHANGELOG.rst | 10 ++++++++++ ansible/roles/ferm/defaults/main.yml | 12 ++++++------ ansible/roles/ferm/tasks/main.yml | 9 +++++++-- 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 45cf766e36..61cb9f85bf 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -63,6 +63,16 @@ Continuous Integration Bionic and Focal releases by default, in addition to already defined OS releases. +- The backend configuration will now manage all relevant alternatives for + :command:`arptables`, :command:`ebtables`, :command:`iptables` and + :command:`ip6tables` commands to keep various parts of the firewall + synchronized. + + .. warning:: The variable which controls what backend is used has been + renamed to :envvar:`ferm__iptables_backend_type` due to value + change. You might need to update your Ansible inventory to select + the correct backend. + :ref:`debops.pki` role '''''''''''''''''''''' diff --git a/ansible/roles/ferm/defaults/main.yml b/ansible/roles/ferm/defaults/main.yml index c195438d22..d36be131bf 100644 --- a/ansible/roles/ferm/defaults/main.yml +++ b/ansible/roles/ferm/defaults/main.yml 
@@ -52,17 +52,17 @@ ferm__iptables_backend_enabled: '{{ False else True }}' # ]]] -# .. envvar:: ferm__iptables_backend_path [[[ +# .. envvar:: ferm__iptables_backend_type [[[ # # Select which iptables backend should be used on the host. Known backends: # -# - ``/usr/sbin/iptables-legacy`` +# - ``legacy`` - old arptables, ebtables, iptables, ip6tables # -# - ``/usr/sbin/iptables-nft`` +# - ``nft`` - new, nftables-based firewall # -# Newer OS releases might need to use the legacy variant to be compatible with -# :command:`ferm` manager. -ferm__iptables_backend_path: '/usr/sbin/iptables-nft' +# Ferm does not support nftables backend, therefore the legacy variant is +# enabled by default. +ferm__iptables_backend_type: 'nft' # ]]] # .. envvar:: ferm__base_packages [[[ diff --git a/ansible/roles/ferm/tasks/main.yml b/ansible/roles/ferm/tasks/main.yml index 53b885d504..ecacf948e5 100644 --- a/ansible/roles/ferm/tasks/main.yml +++ b/ansible/roles/ferm/tasks/main.yml @@ -24,8 +24,13 @@ - name: Manage iptables backend using alternatives alternatives: - name: 'iptables' - path: '{{ ferm__iptables_backend_path }}' + name: '{{ item.name }}' + path: '{{ item.path }}' + loop: + - { 'name': 'arptables', 'path': '/usr/sbin/arptables-{{ ferm__iptables_backend_type }}' } + - { 'name': 'ebtables', 'path': '/usr/sbin/ebtables-{{ ferm__iptables_backend_type }}' } + - { 'name': 'iptables', 'path': '/usr/sbin/iptables-{{ ferm__iptables_backend_type }}' } + - { 'name': 'ip6tables', 'path': '/usr/sbin/ip6tables-{{ ferm__iptables_backend_type }}' } when: ferm__enabled | bool and ferm__iptables_backend_enabled|bool - name: Make sure required directories exist
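Review bot: The new default `ferm__iptables_backend_type: 'nft'` contradicts the comment added directly above it, which states that the legacy variant is enabled by default because ferm does not support the nftables backend; the CHANGELOG hunk likewise describes the rename as being "due to value change", which reads as if the default moved away from the old `iptables-nft` path. If the comment is right, the line should be `ferm__iptables_backend_type: 'legacy'`; if `nft` really is intended, the comment and the changelog entry need rewording instead. This is more than a documentation nit: a default backend that the firewall manager cannot drive would presumably leave a freshly provisioned host with its ruleset unloaded, so whichever value is correct should be settled before this is released.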
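Review bot: The four loop items interpolate `ferm__iptables_backend_type` straight into a filesystem path with nothing checking that the value is one of the two tokens the variable documents, so an inventory typo such as `nftables` or `Legacy` becomes `/usr/sbin/iptables-nftables` handed to the `alternatives` module, which would either fail the play or, if the module registers the path, leave the `iptables` link pointing at a binary that does not exist. Since the firewall is only as strong as the command ferm actually ends up executing, I would guard the loop with an `assert` on the allowed values, under the same `when` condition so it only fires when the backend is managed. Separately, nothing in the hunk reloads ferm after the backend is switched on an already-configured host, so rules previously loaded through the other backend likely stay active in the kernel until flushed — registering the result and notifying a ferm reload (if a handler exists) would close that gap.

```yaml
- name: Check that the selected iptables backend is a known one
  assert:
    that:
      - "ferm__iptables_backend_type in ['legacy', 'nft']"
    fail_msg: "Unsupported ferm__iptables_backend_type '{{ ferm__iptables_backend_type }}', expected 'legacy' or 'nft'"
  when: ferm__enabled | bool and ferm__iptables_backend_enabled | bool

# … unchanged: Manage iptables backend using alternatives …
```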