Adds an nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that allows traffic on iifname "virbr-boma" in the inet filter input chain. Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs on the libvirt integration bridge. Mirrors docker_host's drop-in pattern. Molecule scenario updated to exercise only the firewall tasks (package install unavailable in the no-internet Docker container) via include_role tasks_from; verify asserts the drop-in renders the virbr-boma accept rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
15 lines
640 B
YAML
```yaml
---
- name: Reload nftables
  ansible.builtin.service:
    name: nftables
    state: reloaded
  listen: "integration_test | reload nftables"
  register: _nft_reload
  # nftables is absent from the Molecule Docker container; ignore "not found" errors there.
  # On real hosts where base has applied nftables, failures propagate normally.
  failed_when:
    - _nft_reload.failed
    - >-
      'Could not find the requested service nftables' not in (_nft_reload.msg | default(''))
      and 'nftables.service not found' not in (_nft_reload.msg | default(''))
      and 'Unit nftables.service not found' not in (_nft_reload.msg | default(''))
```
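The commit message describes the drop-in and the Molecule verify assertion but the page shows only the reload handler. The playbook below is an added example, not code from this repository: it installs a drop-in that merges into base's `inet filter` table and then checks the rendered file the way the commit message says verify does. The drop-in directory (`/etc/nftables.d`), the `include` convention, and the narrowed rule body (DHCP and DNS only rather than a blanket accept on `virbr-boma`) are assumptions; the page states only that the real drop-in accepts traffic on `iifname "virbr-boma"` in the input chain.

```yaml
---
# Added example (hypothetical paths and rule body); not the project's own converge/verify.
- name: Converge (firewall tasks only, as the Molecule scenario does)
  hosts: all
  gather_facts: false
  tasks:
    - name: Install libvirt bridge drop-in into base's nftables include dir
      ansible.builtin.copy:
        dest: /etc/nftables.d/10-libvirt-boma.nft   # assumed drop-in dir
        owner: root
        group: root
        mode: "0644"
        content: |
          # Re-declaring the table/chain without a hook spec appends to base's
          # existing input base chain, so base's "policy drop" is preserved.
          # Narrower than "iifname virbr-boma accept": only what guests need
          # from the host side (DHCP on udp/67, DNS on 53 udp+tcp). Widen this
          # if base has no ct state established,related accept for return traffic.
          table inet filter {
            chain input {
              iifname "virbr-boma" udp dport { 53, 67 } accept
              iifname "virbr-boma" tcp dport 53 accept
            }
          }
      notify: "integration_test | reload nftables"

- name: Verify
  hosts: all
  gather_facts: false
  tasks:
    - name: Read the rendered drop-in
      ansible.builtin.slurp:
        src: /etc/nftables.d/10-libvirt-boma.nft
      register: _dropin

    - name: Assert the virbr-boma accept rule rendered
      ansible.builtin.assert:
        that:
          - "'iifname \"virbr-boma\"' in (_dropin.content | b64decode)"
          - "' accept' in (_dropin.content | b64decode)"
        fail_msg: "10-libvirt-boma.nft does not carry the virbr-boma accept rule"

    - name: Syntax-check the drop-in with nft where the binary exists
      # nft is absent from the no-internet Molecule container; skip rather than fail there.
      ansible.builtin.command: nft -c -f /etc/nftables.d/10-libvirt-boma.nft
      register: _nft_check
      changed_when: false
      failed_when:
        - _nft_check.rc != 0
        - "'No such file' not in (_nft_check.msg | default(''))"
```

Two things the verify step does not prove and that matter on a real host: that base's main ruleset actually includes `/etc/nftables.d/*.nft` (otherwise the file renders but is never loaded), and that the drop-in is included after base's own input chain definition so the appended rule lands in the hooked chain rather than creating an unhooked one of the same name. Both are only visible in `nft list ruleset` after the handler above has reloaded the service.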