vrrpd: configure minifirewall with blocks instead of lines
parent
f8e92d2eeb
commit
42ad242aaf
3 changed files with 29 additions and 14 deletions
@ -23,7 +23,8 @@ The **patch** part is incremented if multiple releases happen the same month
|
|||
* nrpe: !disk1 exclude filesystem type overlay
|
||||
* postfix/amavis: max servers is now 3 (previously 2)
|
||||
* roundcube: Use /var/log/roundcube directly
|
||||
* vrrpd : configure and restart minifirewall before starting VRRP
|
||||
* vrrpd: configure and restart minifirewall before starting VRRP
|
||||
* vrrpd: configure minifirewall with blocks instead of lines
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -9,9 +9,12 @@ vrrp_addresses: []
|
|||
# priority: Null # the priority of this host in the virtual server (default: 100)
|
||||
# authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+
|
||||
# label: Null # use this name is syslog messages (helps when several vrid are running)
|
||||
# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server
|
||||
# ip: Null # the IP address(es) (and optionnaly subnet mask) of the virtual server
|
||||
# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules
|
||||
# state: Null # 'started' or 'stopped'
|
||||
# }
|
||||
|
||||
vrrp_manage_minifirewall: true
|
||||
|
||||
minifirewall_restart_if_needed: True
|
||||
minifirewall_restart_force: False
|
||||
|
|
|
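Review bot: The new `vrrp_manage_minifirewall: true` default is the only variable in this hunk without an explanatory comment, and the new `# peers: [IP1, IP2]` comment does not say what an empty list means, although the tasks hunk on this page makes the behavior significant: with no peers, the INPUT rule is written without a `-s` source restriction. I would add `# when true, write the VRRP iptables rules into /etc/minifirewall.d/vrrpd and restart minifirewall` above the new default, and extend the peers comment to `# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules; if empty, VRRP input is accepted from any source on the interface`. As a point of style, the surrounding context lines still use `True`/`False` while the new line uses `true`; keeping the lowercase form throughout (yamllint `truthy`) would avoid mixing the two in one file.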
@ -11,35 +11,46 @@
|
|||
minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}"
|
||||
|
||||
- name: VRRP output is authorized in minifirewall
|
||||
lineinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/minifirewall.d/vrrpd
|
||||
line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}"
|
||||
regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$"
|
||||
marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||
block: |
|
||||
/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}
|
||||
create: yes
|
||||
mode: "0600"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
notify: "{{ minifirewall_restart_handler_name }}"
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
- name: VRRP input is authorized in minifirewall
|
||||
lineinfile:
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/minifirewall.d/vrrpd
|
||||
line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
||||
regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}"
|
||||
marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}"
|
||||
block: |
|
||||
{% if vrrp_address.peers | default([]) | length <= 0 %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }}
|
||||
{% else %}
|
||||
{% for peer in vrrp_address.peers %}
|
||||
/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
create: yes
|
||||
mode: "0600"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
loop: "{{ vrrp_address.peers | default([]) }}"
|
||||
loop_control:
|
||||
loop_var: peer
|
||||
notify: "{{ minifirewall_restart_handler_name }}"
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
- name: Flush handlers to restart minifirewall
|
||||
ansible.builtin.meta: flush_handlers
|
||||
when: _minifirewall_dir.stat.exists
|
||||
when:
|
||||
- vrrp_manage_minifirewall | bool
|
||||
- _minifirewall_dir.stat.exists
|
||||
|
||||
|
||||
# Configure VRRP service
|
||||
|
|
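Review bot: The INPUT rules in the new `block:` of "VRRP input is authorized in minifirewall" accept any protocol destined for `224.0.0.0/8`, while the OUTPUT rule in the first task is restricted with `-p 112`; the input rules should carry the same protocol restriction, e.g. `/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -p 112 -d 224.0.0.0/8 -j ACCEPT`, and likewise on the no-peer fallback line, which is already the widest rule since it has no `-s` at all. Switching from lineinfile to blockinfile also leaves any lines written by the previous tasks (the `# Allow VRRP output on …` / `# Allow VRRP input on …` entries) in `/etc/minifirewall.d/vrrpd` on hosts that already ran the old role, so the rules will be present twice until something removes them; a one-time cleanup task with `ansible.builtin.lineinfile` using the old `regexp` and `state: absent` would be worth adding, presumably before the blockinfile tasks. On both new blockinfile tasks `create: yes` should be `create: true` to match the lowercase booleans used elsewhere in the hunk. `_minifirewall_dir` is registered outside this hunk, so the new `when:` lists rely on a task I cannot see here.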