vrrpd: configure minifirewall with blocks instead of lines

This commit is contained in:
Jérémy Lecour 2024-04-18 15:18:42 +02:00 committed by Jérémy Lecour
parent f8e92d2eeb
commit 42ad242aaf
Signed by: jlecour
SSH key fingerprint: SHA256:h+5LgHRKwN9lS0SsdVR5yZPeFlJE4Mt+8UtL4CcP8dY
3 changed files with 29 additions and 14 deletions


@ -23,7 +23,8 @@ The **patch** part is incremented if multiple releases happen the same month
* nrpe: !disk1 exclude filesystem type overlay
* postfix/amavis: max servers is now 3 (previously 2)
* roundcube: Use /var/log/roundcube directly
* vrrpd : configure and restart minifirewall before starting VRRP
* vrrpd: configure and restart minifirewall before starting VRRP
* vrrpd: configure minifirewall with blocks instead of lines
### Fixed


@ -9,9 +9,12 @@ vrrp_addresses: []
# priority: Null # the priority of this host in the virtual server (default: 100)
# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
# label: Null # use this name is syslog messages (helps when several vrid are running)
# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
# ip: Null # the IP address(es) (and optionnaly subnet mask) of the virtual server
# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules
# state: Null # 'started' or 'stopped'
# }
vrrp_manage_minifirewall: true
minifirewall_restart_if_needed: True
minifirewall_restart_force: False
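Review bot: The new `vrrp_manage_minifirewall: true` default is undocumented, unlike the `vrrp_addresses` fields commented just above it, and the consequence of an empty `peers` list is not stated anywhere in this file. A comment above the new key along the lines of `# Write and restart minifirewall rules for each VRID before starting VRRP (set to false when the firewall is managed elsewhere)` would say what it gates, and the `peers` line could add that an empty list yields an input rule without a source restriction. The new key is also written `true` while the neighbouring `minifirewall_restart_if_needed: True` and `minifirewall_restart_force: False` use capitalised forms; lowercase `true`/`false` throughout would satisfy yamllint's truthy rule.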


@ -11,35 +11,46 @@
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
- name: VRRP output is authorized in minifirewall
lineinfile:
ansible.builtin.blockinfile:
path: /etc/minifirewall.d/vrrpd
line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
block: |
/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
create: yes
mode: "0600"
owner: "root"
group: "root"
notify: "{{ minifirewall_restart_handler_name }}"
when: _minifirewall_dir.stat.exists
when:
- vrrp_manage_minifirewall | bool
- _minifirewall_dir.stat.exists
- name: VRRP input is authorized in minifirewall
lineinfile:
ansible.builtin.blockinfile:
path: /etc/minifirewall.d/vrrpd
line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
block: |
{% if vrrp_address.peers | default([]) | length <= 0 %}
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
{% else %}
{% for peer in vrrp_address.peers %}
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
{% endfor %}
{% endif %}
create: yes
mode: "0600"
owner: "root"
group: "root"
loop: "{{ vrrp_address.peers | default([]) }}"
loop_control:
loop_var: peer
notify: "{{ minifirewall_restart_handler_name }}"
when: _minifirewall_dir.stat.exists
when:
- vrrp_manage_minifirewall | bool
- _minifirewall_dir.stat.exists
- name: Flush handlers to restart minifirewall
ansible.builtin.meta: flush_handlers
when: _minifirewall_dir.stat.exists
when:
- vrrp_manage_minifirewall | bool
- _minifirewall_dir.stat.exists
# Configure VRRP service
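Review bot: The two `/sbin/iptables -A INPUT` lines in the new input block accept every protocol destined to 224.0.0.0/8, whereas the OUTPUT rule in the block above is narrowed with `-p 112`; in the `{% if %}` branch taken when `peers` is empty there is no `-s` either, so anything on that interface addressed to multicast is admitted, not only VRRP. Adding the protocol match keeps both blocks consistent, e.g. `/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -p 112 -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}` and the same `-p 112` on the per-peer line inside the `{% for %}`. Hosts already configured by the previous lineinfile version keep their old `# Allow VRRP ...` lines outside the new `## BEGIN/END ANSIBLE MANAGED ...` markers, so on upgrade the blocks duplicate those rules rather than replace them; a one-off cleanup task or a changelog note about removing the old lines would avoid that. The loop that supplies `vrrp_address` is presumably an include outside this hunk.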