Diffstat (limited to 'roles/os_firewall/tasks')
| -rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 65 | ||||
| -rw-r--r-- | roles/os_firewall/tasks/firewall/iptables.yml | 54 | 
2 files changed, 20 insertions, 99 deletions
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 5ddca1fc0..b6777c51f 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -2,87 +2,44 @@
 - name: Install firewalld packages
   action: "{{ ansible_pkg_mgr }} name=firewalld state=present"
   when: not openshift.common.is_containerized | bool
-  register: install_result
-
-- name: Check if iptables-services is installed
-  command: rpm -q iptables-services
-  register: pkg_check
-  failed_when: pkg_check.rc > 1
-  changed_when: no
 - name: Ensure iptables services are not enabled
-  service:
+  systemd:
     name: "{{ item }}"
     state: stopped
     enabled: no
+    masked: yes
   with_items:
-  - iptables
-  - ip6tables
-  when: pkg_check.rc == 0
-
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: install_result | changed
-
-- name: Determine if firewalld service masked
-  command: >
-    systemctl is-enabled firewalld
-  register: os_firewall_firewalld_masked_output
-  changed_when: false
-  failed_when: false
-
-- name: Unmask firewalld service
-  command: >
-    systemctl unmask firewalld
-  when: os_firewall_firewalld_masked_output.stdout == "masked"
+    - iptables
+    - ip6tables
+  register: task_result
+  failed_when: "task_result|failed and 'Could not find' not in task_result.msg"
 - name: Start and enable firewalld service
-  service:
+  systemd:
     name: firewalld
     state: started
     enabled: yes
+    masked: no
+    daemon_reload: yes
   register: result
 - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
   pause: seconds=10
   when: result | changed
-- name: Mask iptables services
-  command: systemctl mask "{{ item }}"
-  register: result
-  changed_when: "'iptables' in result.stdout"
-  with_items:
-  - iptables
-  - ip6tables
-  when: pkg_check.rc == 0
-  ignore_errors: yes
-
-# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
-# enabling rules and making them permanent with the immediate flag
 - name: Add firewalld allow rules
   firewalld:
     port: "{{ item.port }}"
-    permanent: false
-    state: enabled
-  with_items: "{{ os_firewall_allow }}"
-
-- name: Persist firewalld allow rules
-  firewalld:
-    port: "{{ item.port }}"
     permanent: true
+    immediate: true
     state: enabled
   with_items: "{{ os_firewall_allow }}"
 - name: Remove firewalld allow rules
   firewalld:
     port: "{{ item.port }}"
-    permanent: false
-    state: disabled
-  with_items: "{{ os_firewall_deny }}"
-
-- name: Persist removal of firewalld allow rules
-  firewalld:
-    port: "{{ item.port }}"
     permanent: true
+    immediate: true
     state: disabled
   with_items: "{{ os_firewall_deny }}"
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 470d4f4f9..4c587495e 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
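Review bot: The `failed_when: "task_result|failed and 'Could not find' not in task_result.msg"` on the `Ensure iptables services are not enabled` task keys on a substring of the systemd module's error text and carries no explanation, so a reader can mistake it for a blanket ignore of failures (the `ignore_errors: yes` it replaces). I would add a comment above it: `# iptables/ip6tables units may not be installed on this host; tolerate only "unit not found" and still fail on any other error, so a stop/mask that did not take effect is not silently skipped.` The same expression appears in the iptables.yml hunk below for the firewalld unit and deserves the same comment. Separately, the new lines mix `enabled: no`, `masked: yes`, `enabled: yes` and `masked: no` with the `true`/`false` spelled out in `immediate: true`; writing all booleans as `true`/`false` keeps the file consistent and avoids the YAML 1.1 truthy forms.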
@@ -1,64 +1,28 @@
 ---
-- name: Check if firewalld is installed
-  command: rpm -q firewalld
-  args:
-    # Disables the following warning:
-    # Consider using yum, dnf or zypper module rather than running rpm
-    warn: no
-  register: pkg_check
-  failed_when: pkg_check.rc > 1
-  changed_when: no
 - name: Ensure firewalld service is not enabled
-  service:
+  systemd:
     name: firewalld
     state: stopped
     enabled: no
-  when: pkg_check.rc == 0
-
-# TODO: submit PR upstream to add mask/unmask to service module
-- name: Mask firewalld service
-  command: systemctl mask firewalld
-  register: result
-  changed_when: "'firewalld' in result.stdout"
-  when: pkg_check.rc == 0
-  ignore_errors: yes
+    masked: yes
+  register: task_result
+  failed_when: "task_result|failed and 'Could not find' not in task_result.msg"
 - name: Install iptables packages
   action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
   with_items:
-  - iptables
-  - iptables-services
-  register: install_result
+    - iptables
+    - iptables-services
   when: not openshift.common.is_atomic | bool
-- name: Reload systemd units
-  command: systemctl daemon-reload
-  when: install_result | changed
-
-- name: Determine if iptables service masked
-  command: >
-    systemctl is-enabled {{ item }}
-  with_items:
-  - iptables
-  - ip6tables
-  register: os_firewall_iptables_masked_output
-  changed_when: false
-  failed_when: false
-
-- name: Unmask iptables service
-  command: >
-    systemctl unmask {{ item }}
-  with_items:
-  - iptables
-  - ip6tables
-  when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
-
 - name: Start and enable iptables service
-  service:
+  systemd:
     name: iptables
     state: started
     enabled: yes
+    masked: no
+    daemon_reload: yes
   register: result
 - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
