Changeset - 3e6eaaff335e
0 2 0
Branko Majic (branko) - 17 days ago 2024-09-02 23:56:41
branko@majic.rs
MAR-218: Update filter syntax for checking IPv4/IPv6 addreses.
2 files changed with 3 insertions and 3 deletions:
roles/common/tasks/main.yml
 
@@ -264,13 +264,13 @@
 
  notify:
 
    - Restart ferm
 

	
 
- name: Verify maintenance_allowed_sources parameter
 
  fail:
 
    msg: "Items in maintenance_allowed_sources must IPv4/IPv6 addresses or subnets: {{ item }}"
 
  when: "not (item | ipv4 or item | ipv6)"
 
  when: "not (item is ansible.utils.ipv4_address or item is ansible.utils.ipv6_address)"
 
  with_items: "{{ maintenance_allowed_sources }}"
 

	
 
- name: Deploy ferm base rules
 
  template:
 
    src: "00-base.conf.j2"
 
    dest: "/etc/ferm/conf.d/00-base.conf"
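Review bot: The new `when:` condition uses the `ansible.utils.ipv4_address` / `ansible.utils.ipv6_address` tests, which as documented match single addresses only, while the fail message on the line above still promises "addresses or subnets". If CIDR entries are meant to stay valid in maintenance_allowed_sources, this check would now reject them; the network-aware tests look like the closer replacement for the old filters: `when: "not (item is ansible.utils.ipv4 or item is ansible.utils.ipv6)"`. The same test is used in the `domain ip` hunk of roles/common/templates/00-base.conf.j2, where a subnet that got past validation would silently produce no `saddr` rule. This should be confirmed against the installed ansible.utils version before merging.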
roles/common/templates/00-base.conf.j2
 
@@ -38,13 +38,13 @@ domain ip {
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv4 %}
 
                {% if source is ansible.utils.ipv4_address %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
 
@@ -94,13 +94,13 @@ domain ip6 {
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv6 %}
 
                {% if source is ansible.utils.ipv4_address %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
{% endif %}
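Review bot: In the `domain ip6` hunk the new condition is `{% if source is ansible.utils.ipv4_address %}`, although the line it replaces filtered on ipv6; it should read `{% if source is ansible.utils.ipv6_address %}`. As written, IPv6 entries never get a `saddr ... RETURN;` rule, so with the trailing `DROP;` every IPv6 client is cut off while maintenance is enabled. IPv4 addresses are emitted into the ip6 chain instead, which ferm will presumably refuse to load. The enclosing `domain ip6` block starts outside the hunk. Rendering the template against a mixed IPv4/IPv6 list in a test would catch this kind of copy-paste slip.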