- name: Test the persistent-firewall role hosts: all roles: # We're including multi-node-bridge a second time with the toggle for # enabling firewall rules for the bridge network subnet # By this time, multi-node-firewall has already ran, we don't need to run # it again -- we're testing here that both are persisted properly. - { role: multi-node-bridge, bridge_authorize_internal_traffic: true } post_tasks: # NOTE (dmsimard): Using with_first_found and include_vars can yield # unexpected results, see multinode_firewall_persistence_vars/README.rst - name: Include OS-specific variables include_vars: "{{ item }}" with_first_found: - "multinode_firewall_persistence_vars/{{ ansible_distribution }}_{{ ansible_distribution_release }}.yaml" - "multinode_firewall_persistence_vars/{{ ansible_distribution }}.yaml" - "multinode_firewall_persistence_vars/{{ ansible_os_family }}.yaml" - "multinode_firewall_persistence_vars/default.yaml" - name: Flush iptables rules become: yes command: "{{ item }}" with_items: - iptables --flush - ip6tables --flush # NOTE (dmsimard): We're using with_items here because RedHat and Gentoo # need to restart both iptables and ip6tables. - name: Restart iptables become: yes service: name: "{{ item }}" state: restarted when: iptables_service is defined with_items: "{{ iptables_service }}" # If there is no iptables service (ie on opensuse), run the rc file to apply the rules - name: Check for boot.local stat: path: /etc/init.d/boot.local register: boot_local_file when: ansible_os_family == "Suse" - name: Restore iptables become: yes command: "/etc/init.d/boot.local" when: ansible_os_family == "Suse" and iptables_service is not defined and boot_local_file.stat.exists == True - name: switch and peer nodes should be in the ipv4 firewall become: yes command: iptables-save changed_when: false failed_when: false register: iptables_rules - name: Validate ipv4 private firewall configuration assert: that: - "'-A INPUT -s {{ hostvars[item]['nodepool']['private_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout" with_items: "{{ groups['all'] }}" when: - hostvars[item]['nodepool']['private_ipv4'] - name: Validate ipv4 public firewall configuration assert: that: - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv4'] }}/32 -j ACCEPT' in iptables_rules.stdout" with_items: "{{ groups['all'] }}" when: - hostvars[item]['nodepool']['public_ipv4'] - name: Validate ipv4 bridge firewall configuration assert: that: - "'-A INPUT -s {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -d {{ bridge_address_prefix }}.0/{{ bridge_address_subnet }} -j ACCEPT' in iptables_rules.stdout" with_items: "{{ groups['all'] }}" # ipv6_addresses is set by the multi-node-firewall role - when: ipv6_addresses | length > 0 block: - name: switch and peer nodes should be in the ipv6 firewall become: yes command: ip6tables-save changed_when: false failed_when: false register: ip6tables_rules - name: Validate ipv6 firewall configuration assert: that: - "'-A INPUT -s {{ hostvars[item]['nodepool']['public_ipv6'] }}/128 -j ACCEPT' in ip6tables_rules.stdout" with_items: "{{ groups['all'] }}"