sjat
d1941c987e
Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
14 lines
512 B
YAML
14 lines
512 B
YAML
---
|
|
# The Molecule Docker image ships with /var/lib/apt/lists/ cleared to minimise size.
|
|
# KVM/libvirt packages cannot be installed in a container; converge only runs the
|
|
# `firewall` tag. Pre-create /etc/nftables.d so the drop-in template task succeeds.
|
|
- name: Prepare
|
|
hosts: all
|
|
become: true
|
|
gather_facts: false
|
|
tasks:
|
|
- name: Create nftables drop-in dir (normally created by the config task)
|
|
ansible.builtin.file:
|
|
path: /etc/nftables.d
|
|
state: directory
|
|
mode: "0755"
|