Fixes #5776 adds iptables-persistent dependency on Focal

On Ubuntu Focal, we can use iptables-persistent package, and also uses updated rules filepath based on distribution version.
freedomofpress · Feb 9, 2021 · 0db6ebc · 0db6ebc
1 parent 2de09b4
commit 0db6ebc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,8 +5,15 @@
     name: tor
     state: restarted
 
-- name: reload iptables rules
+- name: reload iptables rules for xenial
   shell: iptables-restore < /etc/network/iptables/rules_v4
+  when:
+    - ansible_distribution_release == 'xenial'
+
+- name: reload iptables rules for focal
+  shell: iptables-restore < /etc/iptables/rules.v4
+  when:
+    - ansible_distribution_release == 'focal'
 
 ## App/securedrop section
 - name: restart apache2

diff --git a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
@@ -2,13 +2,17 @@
 # Description: apply the securedrop iptable rules
 if [ -f /etc/network/iptables/rules_v4 ]; then
   iptables-restore < /etc/network/iptables/rules_v4
+elif [ -f /etc/iptables/rules.v4 ]; then
+  iptables-restore < /etc/iptables/rules.v4
 else
   echo "Iptables rules file does not exist"
   exit 1
 fi
 
 if [ -f /etc/network/iptables/rules_v6 ]; then
   ip6tables-restore < /etc/network/iptables/rules_v6
+elif [ -f /etc/iptables/rules.v6 ]; then
+  ip6tables-restore < /etc/iptables/rules.v6
 else
   echo "Ip6tables rules file does not exist"
   exit 1

diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -21,6 +21,18 @@
   delegate_to: localhost
   delegate_facts: True
 
+- name: Install iptables-persistent package
+  apt:
+    pkg: iptables-persistent
+    state: latest
+    update_cache: yes
+    cache_valid_time: 3600
+  when:
+    - ansible_distribution_release == 'focal'
+  tags:
+    - apt
+    - iptables
+
 - name: Copy load_iptables if-up script.
   copy:
     src: load_iptables
@@ -35,6 +47,8 @@
     owner: root
     group: root
     dest: /etc/network/iptables
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Determine local platform specific routing info
   set_fact:
@@ -59,14 +73,14 @@
 - name: Copy IPv4 iptables rules.
   template:
     src: rules_v4
-    dest: /etc/network/iptables/rules_v4
+    dest: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else  '/etc/network/iptables/rules_v4' }}"
     owner: root
     mode: "0644"
   notify: drop flag for reboot
 
 - name: Copy IPv6 iptables rules.
   copy:
     src: iptables_rules_v6
-    dest: /etc/network/iptables/rules_v6
+    dest: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else  '/etc/network/iptables/rules_v6' }}"
     owner: root
     mode: "0644"