From bca74458fb147f9b0caa6b3027500d1735b5334f Mon Sep 17 00:00:00 2001
From: sjat
Date: Sat, 6 Jun 2026 19:02:50 +0200
Subject: [PATCH] fix(base): iifname for load-time safety; zone-source molecule fixture
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nft -c rejects iif "wt0" when the interface is absent (container, or any host before NetBird); iifname matches by name and is robust to wt0 coming/going.

Drop the ansible_host fixture override (the docker connection uses it as the container name) — molecule covers zone resolution, pytest covers service->IP.
---
 roles/base/molecule/default/converge.yml | 2 +-
 roles/base/molecule/default/molecule.yml | 1 -
 roles/base/templates/nftables.conf.j2 | 4 ++--
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/roles/base/molecule/default/converge.yml b/roles/base/molecule/default/converge.yml
index 980a153..c219885 100644
--- a/roles/base/molecule/default/converge.yml
+++ b/roles/base/molecule/default/converge.yml
@@ -17,6 +17,6 @@
 photoprism:
 host: instance
 ingress:
- - { from: reverse_proxy, port: 2342, proto: tcp }
+ - { from: srv, port: 2342, proto: tcp }
 roles:
 - role: base
diff --git a/roles/base/molecule/default/molecule.yml b/roles/base/molecule/default/molecule.yml
index 342f83a..b23d8da 100644
--- a/roles/base/molecule/default/molecule.yml
+++ b/roles/base/molecule/default/molecule.yml
@@ -26,7 +26,6 @@ provisioner:
 host_vars:
 instance:
 ansible_user: root
- ansible_host: 10.20.0.50
 verifier:
 name: ansible
diff --git a/roles/base/templates/nftables.conf.j2 b/roles/base/templates/nftables.conf.j2
index f887ae5..99806f9 100644
--- a/roles/base/templates/nftables.conf.j2
+++ b/roles/base/templates/nftables.conf.j2
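Review bot: The ingress fixture now reads `from: srv` with nothing in the file saying why it replaced `reverse_proxy`; going by the commit message, `srv` is presumably a zone name chosen so molecule exercises zone resolution, while the service-name path is left to pytest. Without a note, the next reader is likely to "fix" it back to the service name and silently lose the zone coverage. A one-line comment on the ingress entry would pin the intent, e.g. `# srv is a zone, not a service: molecule covers zone resolution; service->IP is covered by pytest`. The enclosing play continues outside the hunk.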
@@ -5,10 +5,10 @@ flush ruleset
 table inet filter {
 chain input {
 type filter hook input priority 0; policy drop;
- iif "lo" accept
+ iifname "lo" accept
 ct state established,related accept
 ct state invalid drop
- iif "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
+ iifname "{{ base__firewall_mgmt_interface }}" tcp dport {{ base__firewall_ssh_port }} accept
 ip protocol icmp accept
 ip6 nexthdr ipv6-icmp accept
 {% for r in base__firewall_resolved %}
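Review bot: The switch to `iifname` on the management SSH rule trades a load-time check for a silent one: `nft -c` no longer rejects a misspelled or renamed `base__firewall_mgmt_interface`, so a bad value now loads cleanly and the accept rule simply never matches under `policy drop`, locking out management instead of failing the deploy. That is the intended trade (the ruleset must load before the NetBird interface exists), but it should be stated next to the rule so nobody reverts it or relies on `nft -c` to catch the variable, e.g. `# iifname, not iif: matches by name so the ruleset loads before wt0 exists; a wrong name is NOT rejected at load time — validate base__firewall_mgmt_interface in the role`. The `iifname "lo"` change is consistency only, since lo is always present. The `{% for %}` loop opened on the last hunk line closes outside the hunk.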