Adds an nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
12 lines
494 B
Django/Jinja
# {{ ansible_managed }}
# Allow DHCP/DNS traffic arriving on the libvirt integration bridge to pass base's
# inet filter input default-deny chain (ADR-025). nftables multi-table semantics mean
# libvirt's own `ip filter` table accept is not enough — base's `inet filter` input
# policy drop kills bridge traffic first without this drop-in.
#
# Bridge name "virbr-boma" must match NET_XML in scripts/integration-vm.py.
table inet filter {
    chain input {
        iifname "virbr-boma" accept
    }
}
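Review bot: the `iifname "virbr-boma" accept` rule is broader than the header comment and the commit message describe: it admits every protocol and port arriving from the bridge into the host's input chain, not only the DHCP/DNS traffic the comment says it is there to pass. If the intent is just to let libvirt's dnsmasq on the bridge be reached, narrow it to `iifname "virbr-boma" udp dport { 67, 53 } accept` and `iifname "virbr-boma" tcp dport 53 accept` so the rest of base's default-deny policy still applies to guest-originated traffic; if the wider accept is deliberate, reword the comment to say all bridge-originated traffic is accepted. Either way the Molecule verify assertion mentioned in the commit message (drop-in renders a virbr-boma accept rule) would still hold with the narrowed form.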