From 42ad242aaf1c5914972a88cde13e15c95cbe1fce Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Thu, 18 Apr 2024 15:18:42 +0200 Subject: [PATCH] vrrpd: configure minifirewall with blocks instead of lines --- CHANGELOG.md | 3 ++- vrrpd/defaults/main.yml | 5 ++++- vrrpd/tasks/ip.yml | 35 +++++++++++++++++++++++------------ 3 files changed, 29 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a54666fb..719424ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,8 @@ The **patch** part is incremented if multiple releases happen the same month * nrpe: !disk1 exclude filesystem type overlay * postfix/amavis: max servers is now 3 (previously 2) * roundcube: Use /var/log/roundcube directly -* vrrpd : configure and restart minifirewall before starting VRRP +* vrrpd: configure and restart minifirewall before starting VRRP +* vrrpd: configure minifirewall with blocks instead of lines ### Fixed diff --git a/vrrpd/defaults/main.yml b/vrrpd/defaults/main.yml index 1c7abb10..f55b54c6 100644 --- a/vrrpd/defaults/main.yml +++ b/vrrpd/defaults/main.yml @@ -9,9 +9,12 @@ vrrp_addresses: [] # priority: Null # the priority of this host in the virtual server (default: 100) # authentication: Null # authentification type: auth=(none|pw/hexkey|ah/hexkey) hexkey=0x[0-9a-fA-F]+ # label: Null # use this name is syslog messages (helps when several vrid are running) -# ip: Null # the ip address(es) (and optionnaly subnet mask) of the virtual server +# ip: Null # the IP address(es) (and optionnaly subnet mask) of the virtual server +# peers: [IP1, IP2] # list of peers (IP), for minifirewall rules # state: Null # 'started' or 'stopped' # } +vrrp_manage_minifirewall: true + minifirewall_restart_if_needed: True minifirewall_restart_force: False diff --git a/vrrpd/tasks/ip.yml b/vrrpd/tasks/ip.yml index 4f951928..a7b645cb 100644 --- a/vrrpd/tasks/ip.yml +++ b/vrrpd/tasks/ip.yml 
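Review bot: The new `peers:` comment in vrrpd/defaults/main.yml does not say what the minifirewall rules become when the list is left empty, and the ip.yml hunk on this page shows that case generating `/sbin/iptables -A INPUT -i <iface> -d 224.0.0.0/8 -j ACCEPT` with no `-s` and no `-p 112`, i.e. any protocol from any source to the multicast range on that interface. Since `peers` is optional, that is the rule an operator gets by default without noticing, so the comment should spell it out, e.g. `# peers: [IP1, IP2] # peer IPs accepted as VRRP source by minifirewall; if empty, traffic to 224.0.0.0/8 on the interface is accepted from any source`. Tightening that fallback rule with `-p 112` in ip.yml would be the real fix, but that hunk appears to run past the end of this page. Minor: the added `vrrp_manage_minifirewall: true` uses lowercase while the neighbouring `minifirewall_restart_*` keys use `True`/`False`; lowercase is the canonical form, so the existing ones could be aligned with it.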
@@ -11,35 +11,46 @@ minifirewall_restart_handler_name: "{{ minifirewall_restart_if_needed | bool | ternary('restart minifirewall', 'restart minifirewall (noop)') }}" - name: VRRP output is authorized in minifirewall - lineinfile: + ansible.builtin.blockinfile: path: /etc/minifirewall.d/vrrpd - line: "/sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }}" - regexp: "# Allow VRRP output on {{ vrrp_address.interface }}$" + marker: "## {mark} ANSIBLE MANAGED OUTPUT RULES FOR VRID {{ vrrp_address.id }}" + block: | + /sbin/iptables -A OUTPUT -o {{ vrrp_address.interface }} -p 112 -j ACCEPT # Allow VRRP output on {{ vrrp_address.interface }} create: yes mode: "0600" owner: "root" group: "root" notify: "{{ minifirewall_restart_handler_name }}" - when: _minifirewall_dir.stat.exists + when: + - vrrp_manage_minifirewall | bool + - _minifirewall_dir.stat.exists - name: VRRP input is authorized in minifirewall - lineinfile: + ansible.builtin.blockinfile: path: /etc/minifirewall.d/vrrpd - line: "/sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}" - regexp: "# Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }}" + marker: "## {mark} ANSIBLE MANAGED INPUT RULES FOR VRID {{ vrrp_address.id }}" + block: | + {% if vrrp_address.peers | default([]) | length <= 0 %} + /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} for VRID {{ vrrp_address.id }} + {% else %} + {% for peer in vrrp_address.peers %} + /sbin/iptables -A INPUT -i {{ vrrp_address.interface }} -s {{ peer }} -d 224.0.0.0/8 -j ACCEPT # Allow VRRP input on {{ vrrp_address.interface }} from {{ peer }} for VRID {{ vrrp_address.id }} + {% endfor %} + {% endif %} create: yes mode: "0600" owner: 
"root" group: "root" - loop: "{{ vrrp_address.peers | default([]) }}" - loop_control: - loop_var: peer notify: "{{ minifirewall_restart_handler_name }}" - when: _minifirewall_dir.stat.exists + when: + - vrrp_manage_minifirewall | bool + - _minifirewall_dir.stat.exists - name: Flush handlers to restart minifirewall ansible.builtin.meta: flush_handlers - when: _minifirewall_dir.stat.exists + when: + - vrrp_manage_minifirewall | bool + - _minifirewall_dir.stat.exists # Configure VRRP service