Actually move to nftables for any host with nftables: true (nothing atm).
Signed-off-by: James Antill <jantill@redhat.com>
This commit is contained in:
parent
c9b9086535
commit
31d65aa439
3 changed files with 56 additions and 8 deletions
|
@ -87,8 +87,6 @@ createrepo: True
|
|||
# Groups and individual hosts should override them with specific info.
|
||||
custom6_rules: []
|
||||
custom_rules: []
|
||||
nft_custom6_rules: []
|
||||
nft_custom_rules: []
|
||||
# most of our systems are in IAD2
|
||||
datacenter: iad2
|
||||
|
||||
|
@ -151,6 +149,11 @@ nagios_Check_Services:
|
|||
sshd: true
|
||||
swap: true
|
||||
nat_rules: []
|
||||
# Do we want to use nftables instead of iptables
|
||||
nftables: false
|
||||
# nftables variants of custom*_rules
|
||||
nft_custom6_rules: []
|
||||
nft_custom_rules: []
|
||||
# default network block device encryption settings for linux-system-roles/nbde_client
|
||||
nbde: true
|
||||
nbde_device: /dev/md2
|
||||
|
|
|
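Review bot: The new `nftables: false` default under `# Do we want to use nftables instead of iptables` documents the question but not the consequence of flipping it, which is the part an operator needs before setting it per host. Elsewhere in this commit the iptables/ip6tables templates, the ipset setup and the iptables services are skipped `when: not nftables`, so a host that sets `nftables: true` loses its iptables-managed ruleset and must carry its rules in `nft_custom_rules`/`nft_custom6_rules` (which nothing on this page renders yet). Suggest `# true: manage the host firewall with nftables instead of iptables/ip6tables; the iptables templates, ipset and iptables services are then skipped, so the host's rules must come from nft_custom*_rules`. Moving the `nft_custom6_rules`/`nft_custom_rules` defaults next to `nftables` reads well; no issue there.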
@ -1,6 +1,6 @@
|
|||
# tags defined: [check], services, updates, restart, fileverify, iptables, selinux
|
||||
# for the fix part, I guess its better to include the role(s) for particular host that brings the system
|
||||
# to the desired state in terms of: services, updates, file verification, iptables, and selinux
|
||||
# to the desired state in terms of: services, updates, file verification, iptables, nftables, and selinux
|
||||
---
|
||||
- hosts: "{{ target }}"
|
||||
user: root
|
||||
|
@ -185,6 +185,14 @@
|
|||
- check
|
||||
- iptables
|
||||
|
||||
- name: Check if using nftables
|
||||
ansible.builtin.shell: /sbin/nft list ruleset
|
||||
register: nftablesn
|
||||
changed_when: false
|
||||
tags:
|
||||
- check
|
||||
- iptables
|
||||
|
||||
- name: Show iptables rules
|
||||
ansible.builtin.shell: echo "{{iptablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/iptables
|
||||
changed_when: false
|
||||
|
@ -192,6 +200,13 @@
|
|||
- check
|
||||
- iptables
|
||||
|
||||
- name: Show nftables rules
|
||||
ansible.builtin.shell: echo "{{nftablesn.stdout_lines}}" >> {{ temp_dir.stdout }}/nftables
|
||||
changed_when: false
|
||||
tags:
|
||||
- check
|
||||
- iptables
|
||||
|
||||
- name: Show current SELinux status
|
||||
ansible.builtin.shell: echo "SELinux is {{ ansible_selinux.status }} for this System" >> {{temp_dir.stdout}}/selinux
|
||||
changed_when: false
|
||||
|
|
|
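Review bot: The new `Check if using nftables` task runs `/sbin/nft list ruleset` on every host with no `failed_when`/`ignore_errors`, yet this commit installs the nftables package only `when: nftables` and the default is `nftables: false`, so on the ordinary host the binary is absent, the shell task fails and the remaining checks for that host do not run (`changed_when: false` does not affect failure). Add `failed_when: false` to that task so `nftablesn` is always registered and `Show nftables rules` can still write `{{ temp_dir.stdout }}/nftables`, or guard both new tasks with `when: nftables`. On a host using the iptables-nft backend `nft list ruleset` presumably also lists the iptables-managed rules, so the dump is not by itself evidence that the host is on the nftables path; `Dump nftables ruleset` would be a more accurate task name. The `# tags defined:` header still lists only `iptables`, and both new tasks are tagged `iptables`; an `nftables` tag would let the new checks be selected on their own.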
@ -141,22 +141,34 @@
|
|||
tags:
|
||||
- packages
|
||||
- base
|
||||
when: not nftables
|
||||
|
||||
- name: Ensure nftables is installed
|
||||
ansible.builtin.package: state=present name=nftables
|
||||
tags:
|
||||
- packages
|
||||
- base
|
||||
when: nftables
|
||||
|
||||
- name: Ensure ipset is installed
|
||||
ansible.builtin.package: state=present name=ipset
|
||||
tags:
|
||||
- packages
|
||||
- base
|
||||
when: not nftables
|
||||
|
||||
- name: Setup builder ipset if this is a new install
|
||||
ansible.builtin.shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
|
||||
args:
|
||||
creates: /etc/sysconfig/ipset-osbuildapi
|
||||
when: "'osbuild' in group_names"
|
||||
when:
|
||||
- "'osbuild' in group_names"
|
||||
- not nftables
|
||||
tags:
|
||||
- base
|
||||
- iptables
|
||||
|
||||
# Note that these should do both iptables/ipset and nftables...
|
||||
- name: Install blocklist update script
|
||||
ansible.builtin.copy:
|
||||
src: "{{ private }}/files/blocklist/blocklist-update.sh"
|
||||
|
@ -195,7 +207,9 @@
|
|||
- iptables/iptables.{{ host_group }}
|
||||
- iptables/iptables.{{ env }}
|
||||
- iptables/iptables
|
||||
when: baseiptables|bool
|
||||
when:
|
||||
- baseiptables|bool
|
||||
- not nftables
|
||||
notify:
|
||||
- Restart iptables
|
||||
- Reload libvirtd
|
||||
|
@ -210,7 +224,19 @@
|
|||
- iptables
|
||||
- service
|
||||
- base
|
||||
when: baseiptables|bool
|
||||
when:
|
||||
- baseiptables|bool
|
||||
- not nftables
|
||||
|
||||
- name: Nftables service enabled
|
||||
service: name=nftables state=started enabled=true
|
||||
tags:
|
||||
- iptables
|
||||
- service
|
||||
- base
|
||||
when:
|
||||
- baseiptables|bool
|
||||
- nftables
|
||||
|
||||
- name: Ip6tables
|
||||
ansible.builtin.template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
|
||||
|
@ -220,7 +246,9 @@
|
|||
- iptables/ip6tables.{{ host_group }}
|
||||
- iptables/ip6tables.{{ env }}
|
||||
- iptables/ip6tables
|
||||
when: baseiptables|bool
|
||||
when:
|
||||
- baseiptables|bool
|
||||
- not nftables
|
||||
notify:
|
||||
- Restart ip6tables
|
||||
- Reload libvirtd
|
||||
|
@ -235,7 +263,9 @@
|
|||
- ip6tables
|
||||
- service
|
||||
- base
|
||||
when: baseiptables|bool
|
||||
when:
|
||||
- baseiptables|bool
|
||||
- not nftables
|
||||
|
||||
- name: Enable journald persistence
|
||||
ansible.builtin.file: path=/var/log/journal state=directory
|
||||
|
|
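Review bot: The nftables path added here installs the package and starts the service (`Nftables service enabled`, `when: baseiptables|bool` and `nftables`), but nothing in this commit renders a ruleset for it: the iptables/ip6tables template tasks are now skipped `when: not nftables`, no task writes `/etc/sysconfig/nftables.conf` or an include under `/etc/nftables/`, there is no reload handler, and the new `nft_custom_rules`/`nft_custom6_rules` defaults are never consumed, so a host flipped to `nftables: true` starts the service with whatever ruleset is already on disk (on a fresh install presumably none, i.e. no host firewall). The iptables/ip6tables service tasks are likewise only skipped rather than set to `state=stopped enabled=false`, so a host migrated in place keeps both services active. A template task for the nftables config tied to a reload handler, as sketched below, closes the gap; the template path is a placeholder since the repository does not yet ship one. As a point of style, `service: name=nftables state=started enabled=true` should use `ansible.builtin.service` in block YAML to match the `ansible.builtin.*` FQCN used by the neighbouring tasks. The iptables service tasks whose `when:` is changed in the later hunks start outside the hunks.
```yaml
# … unchanged: Ensure nftables is installed …

- name: Nftables ruleset
  ansible.builtin.template:
    src: "{{ item }}"
    dest: /etc/sysconfig/nftables.conf
    mode: "0600"
    backup: true
  with_first_found:
    - NFTABLES_TEMPLATE_PLACEHOLDER  # TODO: per host_group/env templates, mirroring iptables/iptables.{{ host_group }}
  when:
    - baseiptables|bool
    - nftables
  notify:
    - Reload nftables  # new handler to add: reload the nftables service after a config change

- name: Nftables service enabled
  ansible.builtin.service:
    name: nftables
    state: started
    enabled: true
  tags:
    - iptables
    - service
    - base
  when:
    - baseiptables|bool
    - nftables
```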