From 221de0cc89352c0fc651b12bdcd2f86b6881a1e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Tue, 21 Apr 2020 09:53:57 +0200
Subject: [PATCH] Reload nftables service to apply new rules

Fix #3 Github
---
 CHANGELOG.md      |  1 +
 README.md         |  3 ++-
 handlers/main.yml | 11 +++++++++++
 tasks/main.yml    | 14 +++++++-------
 4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc1a359..c2c398b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 ### Enhancements
 * Clean tasks name and comments in tasks/main.yml file.
 * Order and clean comments in defaults/main.yml file.
+* Reload rules instead of restart to avoid to loose rulebase due to invalid syntax (#3 Github).
 
 ### Fix
 * Fix deprecation warning with ansible 2.7: Invoking "apt" only once while
diff --git a/README.md b/README.md
index a3778b9..d7b742c 100644
--- a/README.md
+++ b/README.md
@@ -276,7 +276,8 @@ This role will :
 * Generate a default configuration file which include all following files and loaded by systemd unit.
 * Generate input and output rules files include called by the main configuration file.
 * Generate vars in a file and sets and maps in another file.
-* Restart `nftables` service.
+* (re)Start `nftables` service at first run.
+* Reload `nftables` service at next runs to avoid to let the host without firewall rules due to invalid syntax.
 
 ## Development
 
diff --git a/handlers/main.yml b/handlers/main.yml
index 4fac10e..cb7e015 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,7 @@
 ---
 # handlers file for nftables
+
+# (re)Start will be called at first run
 - name: Restart nftables service
   systemd:
     daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
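Review bot: The new comment `# (re)Start will be called at first run` promises more than the handler enforces: its visible `when` (`ansible_service_mgr == 'systemd' and nft_service_manage`, shown as context in the next hunk) does not tie it to a first run, so it fires on any run in which something notifies it. What actually separates the two handlers is the `not nftables__register_systemd_service.changed` clause on the new Reload handler, which only suppresses reloads on runs where the service task changed; nothing in this file prevents both handlers from being notified, and the task that notifies Restart is outside this patch. Suggest `# Restart: for runs where the systemd service task itself reported a change (typically the first run); later rule changes go through 'Reload nftables service'`. The Restart handler's body continues past the end of this hunk.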
@@ -7,3 +9,12 @@
     name: '{{ nft_service_name }}'
     enabled: '{{ nft_service_enabled }}'
   when: ansible_service_mgr == 'systemd' and nft_service_manage
+
+# Reload will avoid to loose Nftables rulebase if an invalid syntax is added
+- name: Reload nftables service
+  systemd:
+    state: 'reloaded'
+    name: '{{ nft_service_name }}'
+  when: ansible_service_mgr == 'systemd' and
+    nft_service_manage and
+    not nftables__register_systemd_service.changed
diff --git a/tasks/main.yml b/tasks/main.yml
index 0e76bfd..544725a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -44,7 +44,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: nft_enabled|bool
 
 - name: CONFIG generate vars definition file
@@ -55,7 +55,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: nft_enabled|bool
 
 - name: CONFIG generate sets file
@@ -66,7 +66,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: nft_enabled|bool
 
 # Filter table content [[[1
@@ -78,7 +78,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: nft_enabled|bool
 
 - name: Filter table - generate output rules file
@@ -89,7 +89,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: nft_enabled|bool
 
 # Nat table content [[[1
@@ -101,7 +101,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: (nft_enabled|bool
     and nft__nat_table_manage|bool)
 
@@ -113,7 +113,7 @@
     group: root
     mode: 0755
     backup: yes
-  notify: ['Restart nftables service']
+  notify: ['Reload nftables service']
   when: (nft_enabled|bool
     and nft__nat_table_manage|bool)
 
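Review bot: The Reload handler's last clause, `not nftables__register_systemd_service.changed`, reads the registered result without the `| default(False)` guard the Restart handler applies to the very same variable on `daemon_reload`; on a run where the service task was never reached and the variable is undefined, the handler errors out rather than reloading, so freshly rendered rules sit on disk without being loaded until a later successful run. Use `not (nftables__register_systemd_service.changed | default(False))`. Writing the three clauses as a `when:` list instead of one plain scalar folded across three lines would keep each condition on its own line for linting and diffing. The comment `# Reload will avoid to loose Nftables rulebase if an invalid syntax is added` would read more precisely as `# Reload keeps the running rulebase in place if the new files fail to parse`.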
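Review bot: Every template task now notifies only `Reload nftables service` (this hunk and the six that follow at -55, -66, -78, -89, -101 and -113), and that handler is skipped whenever `nftables__register_systemd_service.changed` is true; on such a run, getting the rendered files into the kernel therefore relies on the Restart handler being notified by a task outside this patch, which is worth confirming, because otherwise a host could be left running the previous rulebase with new rules unapplied on disk. A failing reload is now the point at which invalid syntax surfaces; it can be caught before the file is installed with the `template` module's `validate` parameter, e.g. `validate: 'nft -c -f %s'`, although that only suits files that parse standalone, so it presumably fits the main configuration better than the vars, sets and rules fragments it includes. Each `template` task here starts above the hunk, so the `src`/`dest` lines are not visible.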