Chandan Kumar (raukadah) 6aa268834c Introduce iptables_package var
On RHEL-9 there is no iptables package; we need to install the
iptables-nft package here.

In CentOS Stream-9 and Fedora-34 onwards the iptables-nft package
is available. [1]

But we also need to support other distros, so we are introducing the
iptables_package var and distro-specific var files (with different
names) for installing the iptables package.

[1] https://pkgs.org/download/iptables-nft

Signed-off-by: Chandan Kumar (raukadah) <chkumar@redhat.com>
Change-Id: I8d5d3182996fc1e83b7f4f7eb99cf4c347d6ef1f
2022-01-19 15:11:08 +05:30

# Pick the first matching vars file: <distribution>.yaml, then
# <os_family>.yaml, then default.yaml. On RHEL-9 / CentOS Stream-9 the
# RedHat family file sets iptables_package to iptables-nft; other distros
# get their own value or the default.
- name: Include operating system specific vars
  include_vars: "{{ zj_distro_os }}"
  with_first_found:
    - "{{ ansible_distribution }}.yaml"
    - "{{ ansible_os_family }}.yaml"
    - "default.yaml"
  loop_control:
    loop_var: zj_distro_os

# Install whichever package the vars file selected (iptables or iptables-nft).
- name: 'Ensure {{ iptables_package }}'
  become: true
  package:
    name: "{{ iptables_package }}"

# Collect every node's private and public IPv4 address, and every public
# IPv6 address, from the nodepool hostvars. Empty/None values are skipped,
# and the result is sorted and de-duplicated so identical rules are not
# inserted twice.
- name: Set up the host ip addresses
  set_fact:
    ipv4_addresses: >
      {% set hosts = [] -%}
      {% for host, vars in hostvars.items() -%}
        {% if vars['nodepool']['private_ipv4'] -%}
          {% set _ = hosts.append(vars['nodepool']['private_ipv4']) -%}
        {% endif -%}
        {% if vars['nodepool']['public_ipv4'] -%}
          {% set _ = hosts.append(vars['nodepool']['public_ipv4']) -%}
        {% endif -%}
      {% endfor -%}
      {{- hosts | sort | unique -}}
    ipv6_addresses: >
      {% set hosts = [] -%}
      {% for host, vars in hostvars.items() -%}
        {% if vars['nodepool']['public_ipv6'] -%}
          {% set _ = hosts.append(vars['nodepool']['public_ipv6']) -%}
        {% endif -%}
      {% endfor -%}
      {{- hosts | sort | unique -}}

# Insert (not append) an ACCEPT rule at the top of INPUT for each peer
# address, so traffic between the job's nodes is allowed ahead of any
# later DROP/REJECT rules in the chain.
- name: Set up ipv4 iptables rules
  become: true
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: ipv4
    source: "{{ zj_ipv4 }}"
    jump: ACCEPT
  with_items: "{{ ipv4_addresses }}"
  loop_control:
    loop_var: zj_ipv4

- name: Set up ipv6 iptables rules
  become: true
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: ipv6
    source: "{{ zj_ipv6 }}"
    jump: ACCEPT
  with_items: "{{ ipv6_addresses }}"
  loop_control:
    loop_var: zj_ipv6

# Save the runtime rules so they survive a reboot of the node.
- name: Persist iptables rules
  include_role:
    name: persistent-firewall
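The two pieces of logic in this task file that are easy to get wrong are the vars-file fallback order and the address gathering that feeds `iptables -I INPUT -s ... -j ACCEPT`. The following is an added example, not code from the project or the commit: a plain-Python model of both, so they can be checked offline. The var-file names, their `iptables_package` values and the `SAMPLE_HOSTVARS` data are constructed for the illustration and are not files or hosts that exist in the project. It goes slightly beyond the Jinja by validating each value with `ipaddress` before it would reach a firewall rule.

```python
"""Pure-Python model of what the Ansible task file above computes.

Added example (not the project's own code): mirrors the with_first_found
lookup and the ipv4/ipv6 set_fact Jinja loops.  VAR_FILES and
SAMPLE_HOSTVARS below are constructed for illustration only.
"""
import ipaddress

# Hypothetical contents of the distro-specific var files, keyed by the
# file name with_first_found would see.  Assumed, not from the project.
VAR_FILES = {
    "RedHat.yaml": {"iptables_package": "iptables-nft"},
    "Debian.yaml": {"iptables_package": "iptables"},
    "default.yaml": {"iptables_package": "iptables"},
}

# Constructed hostvars for three nodes.  compute-1 has no public
# addresses, compute-2 shares a private address with controller.
SAMPLE_HOSTVARS = {
    "controller": {"nodepool": {"private_ipv4": "10.0.0.5",
                                "public_ipv4": "203.0.113.10",
                                "public_ipv6": "2001:db8::10"}},
    "compute-1": {"nodepool": {"private_ipv4": "10.0.0.6",
                               "public_ipv4": "",
                               "public_ipv6": None}},
    "compute-2": {"nodepool": {"private_ipv4": "10.0.0.5",
                               "public_ipv4": "203.0.113.11",
                               "public_ipv6": "2001:db8::11"}},
}


def first_found_vars(distribution, os_family, var_files=VAR_FILES):
    """Mirror with_first_found: try <distribution>.yaml, then
    <os_family>.yaml, then default.yaml; return (file, vars) for the
    first that exists.  CentOS therefore falls back to RedHat.yaml."""
    for candidate in (f"{distribution}.yaml", f"{os_family}.yaml", "default.yaml"):
        if candidate in var_files:
            return candidate, var_files[candidate]
    raise LookupError("no vars file matched, not even default.yaml")


def collect_addresses(hostvars, keys, version):
    """Mirror the set_fact loops: read the given nodepool keys from every
    host, skip falsy values (None, ""), validate each one as an address of
    the expected IP version, then return the sorted unique list.
    Hosts with no nodepool dict are skipped here; the Jinja would error."""
    found = set()
    for host, vars_ in hostvars.items():
        nodepool = vars_.get("nodepool", {})
        for key in keys:
            value = nodepool.get(key)
            if not value:  # Jinja `{% if ... %}` drops None and ""
                continue
            addr = ipaddress.ip_address(value)  # ValueError on junk input
            if addr.version != version:
                raise ValueError(f"{host}: {key}={value!r} is not IPv{version}")
            found.add(str(addr))
    return sorted(found)


def iptables_rules(hostvars):
    """Return the rule specs the two iptables tasks would insert:
    one `-I INPUT -s <addr> -j ACCEPT` per IPv4 and per IPv6 address."""
    v4 = collect_addresses(hostvars, ("private_ipv4", "public_ipv4"), 4)
    v6 = collect_addresses(hostvars, ("public_ipv6",), 6)
    return (
        [f"iptables -I INPUT -s {a} -j ACCEPT" for a in v4],
        [f"ip6tables -I INPUT -s {a} -j ACCEPT" for a in v6],
    )


if __name__ == "__main__":
    chosen, vars_ = first_found_vars("CentOS", "RedHat")
    print(f"{chosen}: install {vars_['iptables_package']}")
    for rule in sum(iptables_rules(SAMPLE_HOSTVARS), []):
        print(rule)
```

Note that the sort is lexicographic on strings, exactly as Jinja's `sort` filter behaves on the address strings, so `203.0.113.10` sorts after `10.0.0.6`; ordering does not matter for the ACCEPT rules, but de-duplication does, which is why the shared `10.0.0.5` appears once.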