From 12993a8d7cb85dd382d8c1aa40f6ca700cb7e1a5 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 6 Feb 2024 08:40:55 +0100
Subject: [PATCH] vrrpd: configure minifirewall
---
 CHANGELOG.md | 1 +
 vrrpd/defaults/main.yml | 5 ++++-
 vrrpd/handlers/main.yml | 15 +++++++++++++++
 vrrpd/tasks/ip.yml | 39 +++++++++++++++++++++++++++++++++++++--
 vrrpd/tasks/main.yml | 3 ++-
 5 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 vrrpd/handlers/main.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c22a6afa..bd3a156e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * check_free_space: added role
 * nagios-nrpe: new check_pressure_{cpu,io,mem}
 * generateldif: new Services for check_pressure_{cpu,io,mem}
+* vrrpd: configure minifirewall
 ### Changed
diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml
index d5b5b3b4..1c7abb10 100644
--- a/vrrpd/defaults/main.yml
+++ b/vrrpd/defaults/main.yml
@@ -11,4 +11,7 @@ vrrp_addresses: []
 # label: Null # use this name is syslog messages (helps when several vrid are running)
 # ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
 # state: Null # 'started' or 'stopped'
-# }
\ No newline at end of file
+# }
+
+minifirewall_restart_if_needed: True
+minifirewall_restart_force: False
diff --git a/vrrpd/handlers/main.yml b/vrrpd/handlers/main.yml
new file mode 100644
index 00000000..63cfcd86
--- /dev/null
+++ b/vrrpd/handlers/main.yml
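Review bot: The two new defaults use capitalised `True`/`False`, which yamllint's `truthy` rule rejects and which differ from the lowercase booleans conventional in Ansible roles; write `minifirewall_restart_if_needed: true` and `minifirewall_restart_force: false`. Only `minifirewall_restart_if_needed` is read anywhere in this patch (by the `set_fact` in `vrrpd/tasks/ip.yml`); `minifirewall_restart_force` appears to be unused here, so either wire it into the handler selection or add a comment above it stating what it is meant to control so the default is not dead configuration.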
@@ -0,0 +1,15 @@
+---
+
+- name: restart minifirewall
+ ansible.builtin.command:
+ cmd: /etc/init.d/minifirewall restart
+ register: minifirewall_init_restart
+ failed_when:
+ - "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+ - "'minifirewall started' not in minifirewall_init_restart.stdout"
+
+- name: restart minifirewall (noop)
+ ansible.builtin.meta: noop
+ register: minifirewall_init_restart
+ failed_when: False
+ changed_when: False
diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml
index b46a8954..81c9f08f 100644
--- a/vrrpd/tasks/ip.yml
+++ b/vrrpd/tasks/ip.yml
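Review bot: Defining `failed_when` on the `restart minifirewall` handler replaces Ansible's default exit-status check, so a `/etc/init.d/minifirewall restart` that exits non-zero is still reported as success as long as its stdout contains one of the two expected strings, and a firewall left in a partially loaded state after the restart would go unnoticed. The list form ANDs the two conditions, which is presumably intended (accept either the old or the new success message), but the exit status should be part of it: `failed_when: minifirewall_init_restart.rc != 0 or ('starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout and 'minifirewall started' not in minifirewall_init_restart.stdout)`. The `(noop)` handler's `failed_when: False` / `changed_when: False` should also be lowercase `false` to match the boolean convention yamllint enforces.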
@@ -18,5 +18,40 @@
 enabled: yes
 state: "{{ vrrp_address.state }}"
 when:
- - vrrp_systemd_unit is changed
- - not ansible_check_mode
\ No newline at end of file
+ - vrrp_systemd_unit is changed
+ - not ansible_check_mode
+
+- name: Check if a recent minifirewall is present
+ ansible.builtin.stat:
+ path: /etc/minifirewall.d/
+ register: _minifirewall_dir
+
+- ansible.builtin.set_fact:
+ minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
+
+- name: VRRP output is authorized in minifirewall
+ lineinfile:
+ path: /etc/minifirewall.d/vrrpd
+ line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
+ regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
+ create: yes
+ mode: "0600"
+ owner: "root"
+ group: "root"
+ notify: "{{ minifirewall_restart_handler_name }}"
+ when: _minifirewall_dir.stat.exists
+
+- name: VRRP input is authorized in minifirewall
+ lineinfile:
+ path: /etc/minifirewall.d/vrrpd
+ line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
+ regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
+ create: yes
+ mode: "0600"
+ owner: "root"
+ group: "root"
+ loop: "{{ vrrp_address.peers | default([]) }}"
+ loop_control:
+ loop_var: peer
+ notify: "{{ minifirewall_restart_handler_name }}"
+ when: _minifirewall_dir.stat.exists
diff --git a/vrrpd/tasks/main.yml b/vrrpd/tasks/main.yml
index 86390a2f..78b0ee3b 100644
--- a/vrrpd/tasks/main.yml
+++ b/vrrpd/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: Install Evolix public repositry
 ansible.builtin.include_role:
 name: evolix/apt
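Review bot: The INPUT rule written by `VRRP input is authorized in minifirewall` is broader than the traffic it is meant to admit: `-s {{ peer }} -d 224.0.0.0/8 -j ACCEPT` accepts every protocol from the peer to the whole multicast range, whereas the matching OUTPUT rule already restricts itself to protocol 112 and VRRP advertisements only go to 224.0.0.18. Tightening the line to `-s {{ peer }} -p 112 -d 224.0.0.18 -j ACCEPT` keeps the same trailing comment, so the existing `regexp` still finds and replaces the old rule on already-deployed hosts. On style, these two tasks call bare `lineinfile` while the rest of the hunk uses FQCN (`ansible.builtin.stat`, `ansible.builtin.set_fact`), `create: yes` should be `create: true`, and the `set_fact` task has no `name`, so it shows up unlabeled in play output. The task at the top of the hunk (`enabled: yes` … `when:`) starts outside it.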
@@ -71,4 +72,4 @@
 ansible.builtin.include: ip.yml
 loop: "{{ vrrp_addresses }}"
 loop_control:
- loop_var: "vrrp_address"
\ No newline at end of file
+ loop_var: "vrrp_address"