Commit f1f394a6 authored by Maciej Delmanowski's avatar Maciej Delmanowski

[debops.ferm] Fix Internet Protocol detection

parent cad532c7
......@@ -77,6 +77,10 @@ Changed
will need to update your inventory for the new changes to take effect, refer
to the :ref:`role documentation <sysctl__ref_parameters>` for details.
- [debops.ferm] The role should now correctly detect what Internet Protocols
are available on a host (IPv4, IPv6) and configure firewall only for the
protocols that are present.
.. __: https://github.com/diafygi/acme-tiny
Fixed
......
......@@ -58,7 +58,10 @@ ferm__packages: []
# ``ip6``
# Enables IPv6 support (:command:`ip6tables`).
#
ferm__domains: [ 'ip', 'ip6' ]
ferm__domains: '{{ lookup("flattened",
( ([ "ip" ] if (ansible_all_ipv4_addresses|d()) else [])
+ ([ "ip6" ] if (ansible_all_ipv6_addresses|d()) else []) )
, wantlist=True ) }}'
# ]]]
# .. envvar:: ferm__ansible_controllers [[[
......@@ -504,6 +507,7 @@ ferm__default_rules:
protocol: [ 'udp' ]
sport: [ 'dhcpv6-server' ]
dport: [ 'dhcpv6-client' ]
rule_state: '{{ "present" if ("ip6" in ferm__domains) else "absent" }}'
- name: 'jump_to_legacy_input_rules'
type: 'accept'
......
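Review bot: The new `ferm__domains` expression cannot tell "the host has no IPv4 address" apart from "the `ansible_all_ipv4_addresses` fact is missing" (facts not gathered, or a fact cache without it): in the second case both `d()` defaults fire and `ferm__domains` renders as an empty list, and presumably the role then configures no firewall for either protocol, which fails open rather than closed. Consider treating an undefined fact as "present" for IPv4 — `( ([ "ip" ] if (ansible_all_ipv4_addresses is undefined or ansible_all_ipv4_addresses) else [])` — or documenting that the role requires gathered facts. The comment block above the variable (the ``ip``/``ip6`` descriptions) still reads as if the list is hand-maintained; a line such as `# By default the list is detected from the ansible_all_ipv4_addresses and ansible_all_ipv6_addresses facts.` would make the new behaviour visible to users who override it. The second hunk's `rule_state` on the DHCPv6 rule follows from this list and needs no change of its own.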
#!/bin/sh
#!/bin/bash
# {{ ansible_managed }}
{% if ferm__enabled | bool and ferm__forward | bool %}
{% set ferm__tpl_interfaces = (ferm__external_interfaces|d([]) | list) +
(ferm__internal_interfaces|d([]) | list) %}
{% for interface in ferm__tpl_interfaces | unique %}
{% if interface and hostvars[inventory_hostname]["ansible_" + interface] | d() %}
# Force Router Advertisement support on {{ interface }} interface
if [ "$IFACE" = "{{ interface }}" ] ; then
sysctl -w net/ipv6/conf/{{ interface }}/accept_ra=2
fi
ferm_enabled="{{ ferm__enabled | bool | lower }}"
ferm_forward="{{ ferm__forward | bool | lower }}"
ferm_ipv6_enabled="{{ 'true' if ('ip6' in ferm__domains) else 'false' }}"
readarray -t ferm_interfaces <<< "{{ (ferm__external_interfaces|d([])|list + ferm__internal_interfaces|d([])|list) | join(' ') }}"
{% endif %}
{% endfor %}
{% else %}
# ferm support is disabled
{% endif %}
if [ "${ferm_enabled}" = "true" ] && [ "${ferm_forward}" = "true" ] && [ "${ferm_ipv6_enabled}" = "true" ] ; then
for interface in "${ferm_interfaces[@]}" ; do
if [ "${IFACE}" = "${interface}" ] ; then
# Force Router Advertisement support on a given interface
sysctl -w "net.ipv6.conf.${IFACE}.accept_ra=2"
fi
done
fi
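Review bot: `readarray -t ferm_interfaces <<< "… | join(' ') …"` on the new side splits the here-string on newlines only, so with more than one configured interface the array holds a single element like `"eth0 eth1"` and the `[ "${IFACE}" = "${interface}" ]` test inside the loop can never match; change the join to `join('\n')` (Jinja unescapes `\n` in string literals) or build the array by shell word splitting, `ferm_interfaces=( {{ … | join(' ') }} )`. The rewritten `sysctl -w "net.ipv6.conf.${IFACE}.accept_ra=2"` is also a regression from the removed `net/ipv6/conf/{{ interface }}/accept_ra=2`: sysctl treats dots as key separators unless the key is written with slashes, so interface names containing a dot (VLAN devices such as `eth0.100`) no longer resolve; keep the slash form, `sysctl -w "net/ipv6/conf/${IFACE}/accept_ra=2"`. The removed side additionally skipped interfaces that had no `ansible_<iface>` fact, while the new side emits every configured name; that is harmless here since only the entry matching `IFACE` is acted on, but it is worth a one-line comment above `readarray` so the difference is deliberate.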
# {{ ansible_managed }}
{% if ferm__enabled | bool and ferm__forward|bool %}
{% if 'ip' in ferm__domains %}
# Enable IPv4 forwarding
net.ipv4.ip_forward = 1
{% endif %}
{% if 'ip6' in ferm__domains %}
# Enable IPv6 forwarding
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
......@@ -11,6 +14,7 @@ net.ipv6.conf.all.forwarding = 1
# Enable IPv6 autoconfiguration (SLAAC)
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.all.accept_ra = 1
{% endif %}
{% else %}
# ferm support is disabled
{% endif %}
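Review bot: With the new per-domain guards, dropping a protocol from `ferm__domains` removes the `net.ipv4.ip_forward` / `net.ipv6.conf.*.forwarding` lines from the rendered file, but the running kernel presumably keeps the previously applied value until something resets it, so forwarding may remain enabled after the file no longer asks for it; a template comment stating this would help, e.g. `# Forwarding is enabled only for the protocols listed in ferm__domains; removing a protocol does not reset the live kernel value.` Minor style: the condition `{% if ferm__enabled | bool and ferm__forward|bool %}` at the top of this section (possibly unchanged context) mixes spaced and unspaced filters, while the other template in this commit writes `ferm__forward | bool`.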