Reload nftables service to apply new rules

Fix #3 Github
2020-04-21 09:53:57 +02:00 · 2020-04-21 09:53:57 +02:00 · 221de0cc89
parent 72551575df
commit 221de0cc89
4 changed files with 21 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -7,6 +7,7 @@
 ### Enhancements
 * Clean tasks name and comments in tasks/main.yml file.
 * Order and clean comments in defaults/main.yml file.
+* Reload rules instead of restart to avoid to loose rulebase due to invalid syntax (#3 Github).

 ### Fix
 * Fix deprecation warning with ansible 2.7: Invoking "apt" only once while
--- a/README.md
+++ b/README.md
@ -276,7 +276,8 @@ This role will :
 * Generate a default configuration file which include all following files and loaded by systemd unit.
 * Generate input and output rules files include called by the main configuration file.
 * Generate vars in a file and sets and maps in another file.
-* Restart `nftables` service.
+* (re)Start `nftables` service at first run.
+* Reload `nftables` service at next runs to avoid to let the host without firewall rules due to invalid syntax.

 ## Development

--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,5 +1,7 @@
 ---
 # handlers file for nftables
+
+# (re)Start will be called at first run
 - name: Restart nftables service
  systemd:
    daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
@ -7,3 +9,12 @@
    name: '{{ nft_service_name }}'
    enabled: '{{ nft_service_enabled }}'
  when: ansible_service_mgr == 'systemd' and nft_service_manage
+
+# Reload will avoid to loose Nftables rulebase if an invalid syntax is added
+- name: Reload nftables service
+  systemd:
+    state: 'reloaded'
+    name: '{{ nft_service_name }}'
+  when: ansible_service_mgr == 'systemd' and
+        nft_service_manage and
+        not nftables__register_systemd_service.changed
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -44,7 +44,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: nft_enabled|bool

 - name: CONFIG generate vars definition file
@ -55,7 +55,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: nft_enabled|bool

 - name: CONFIG generate sets file
@ -66,7 +66,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: nft_enabled|bool

 # Filter table content [[[1
@ -78,7 +78,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: nft_enabled|bool

 - name: Filter table - generate output rules file
@ -89,7 +89,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: nft_enabled|bool

 # Nat table content [[[1
@ -101,7 +101,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)

@ -113,7 +113,7 @@
    group: root
    mode: 0755
    backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
  when: (nft_enabled|bool and
         nft__nat_table_manage|bool)