Fixes #5776 adds iptables-persistent dependency on Focal

On Ubuntu Focal, we can use iptables-persistent package, and also uses updated rules filepath based on distribution version.
freedomofpress · Feb 11, 2021 · ac1ca03 · ac1ca03
1 parent 65799c0
commit ac1ca03
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 3 deletions.
diff --git a/install_files/ansible-base/roles/app/handlers/main.yml b/install_files/ansible-base/roles/app/handlers/main.yml
@@ -5,8 +5,15 @@
     name: tor
     state: restarted
 
-- name: reload iptables rules
+- name: reload iptables rules for xenial
   shell: iptables-restore < /etc/network/iptables/rules_v4
+  when:
+    - ansible_distribution_release == 'xenial'
+
+- name: reload iptables rules for focal
+  shell: iptables-restore < /etc/iptables/rules.v4
+  when:
+    - ansible_distribution_release == 'focal'
 
 ## App/securedrop section
 - name: restart apache2

diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -9,6 +9,7 @@ resolvconf_target_filepath: /etc/resolv.conf
 securedrop_common_packages:
   - apt-transport-https
   - aptitude
+  - iptables-persistent
   - unattended-upgrades
   - ntp
   - ntpdate

diff --git a/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables b/install_files/ansible-base/roles/restrict-direct-access/files/load_iptables
@@ -2,13 +2,17 @@
 # Description: apply the securedrop iptable rules
 if [ -f /etc/network/iptables/rules_v4 ]; then
   iptables-restore < /etc/network/iptables/rules_v4
+elif [ -f /etc/iptables/rules.v4 ]; then
+  iptables-restore < /etc/iptables/rules.v4
 else
   echo "Iptables rules file does not exist"
   exit 1
 fi
 
 if [ -f /etc/network/iptables/rules_v6 ]; then
   ip6tables-restore < /etc/network/iptables/rules_v6
+elif [ -f /etc/iptables/rules.v6 ]; then
+  ip6tables-restore < /etc/iptables/rules.v6
 else
   echo "Ip6tables rules file does not exist"
   exit 1

diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/iptables.yml
@@ -35,6 +35,8 @@
     owner: root
     group: root
     dest: /etc/network/iptables
+  when:
+    - ansible_distribution_release == 'xenial'
 
 - name: Determine local platform specific routing info
   set_fact:
@@ -59,14 +61,14 @@
 - name: Copy IPv4 iptables rules.
   template:
     src: rules_v4
-    dest: /etc/network/iptables/rules_v4
+    dest: "{{ '/etc/iptables/rules.v4' if ansible_distribution_release == 'focal' else  '/etc/network/iptables/rules_v4' }}"
     owner: root
     mode: "0644"
   notify: drop flag for reboot
 
 - name: Copy IPv6 iptables rules.
   copy:
     src: iptables_rules_v6
-    dest: /etc/network/iptables/rules_v6
+    dest: "{{ '/etc/iptables/rules.v6' if ansible_distribution_release == 'focal' else  '/etc/network/iptables/rules_v6' }}"
     owner: root
     mode: "0644"