boma/roles/integration_test/tasks/firewall.yml at d1941c987e20b43159659950088dd9b4e67bff85 - sjat/boma - Forgejo: Beyond coding. We forge.

sjat/boma

sjat d1941c987e feat(integration_test): Ansible-manage virbr-boma nftables input allow

Adds a nftables drop-in (10-libvirt-boma.nft) to base's drop-in dir that
allows traffic on iifname "virbr-boma" in the inet filter input chain.
Fixes DHCP/DNS being dropped by base's default-deny INPUT policy for VMs
on the libvirt integration bridge. Mirrors docker_host's drop-in pattern.

Molecule scenario updated to exercise only the firewall tasks (package
install unavailable in the no-internet Docker container) via include_role
tasks_from; verify asserts the drop-in renders the virbr-boma accept rule.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-19 22:29:45 +02:00

8 lines

300 B

YAML

Raw Blame History

 ---
 - name: Install the libvirt bridge nftables drop-in (virbr-boma input allow)
   ansible.builtin.template:
     src: 10-libvirt-boma.nft.j2
     dest: "{{ integration_test__nftables_dropin_dir }}/10-libvirt-boma.nft"
     mode: "0644"
   notify: "integration_test | reload nftables"
   tags: [firewall]