diff --git a/plugins/filter/helpers.py b/plugins/filter/helpers.py
index 3563e2547..01fa8f106 100644
--- a/plugins/filter/helpers.py
+++ b/plugins/filter/helpers.py
@@ -25,6 +25,7 @@ def filters(self):
 'needs_delete': self.needs_delete,
 'haskey': self.haskey,
 'dict_to_list': self.dict_to_list,
+ 'jump_chain_targets': self.jump_chain_targets
 }

 def needs_delete(self, container_infos, config, config_id,
@@ -172,3 +173,20 @@ def dict_to_list(self, data):
 for k, v in data.items():
 return_list.append({k: v})
 return return_list
+
+ def jump_chain_targets(self, data: list, rule: dict) -> list:
+ """Filters valid chain target rules satisfying conditions based on
+ `table`, `family` and `chain` attributes.
+ Used by the osp.edpm.nftables role.
+ """
+ def _filter(item):
+ return (
+ item.get('table', 'NOTABLE') == rule.get('table', 'filter')
+ and item.get('family', 'NOFAMILY') == 'inet'
+ and item.get('chain', 'NOCHAIN') == rule.get('chain', 'INPUT'))
+ targets = []
+ for existing_rule in list(filter(_filter, data)):
+ for target in existing_rule.get('expr', []):
+ if 'target' in target.get('jump', {}).keys():
+ targets.append(target['jump']['target'])
+ return targets
diff --git a/plugins/filter/jump_chain_targets.yml b/plugins/filter/jump_chain_targets.yml
new file mode 100644
index 000000000..50aedaed4
--- /dev/null
+++ b/plugins/filter/jump_chain_targets.yml
@@ -0,0 +1,16 @@
+DOCUMENTATION:
+ name: jump_chain_targets
+ author: "EDPM team"
+ version_added: 2.9
+ short_description: Retrieve existing jump chain targets
+ description: |
+ Filters valid chain target rules satisfying conditions based on
+ `table`, `family` and `chain` attributes.
+ Used by the osp.edpm.nftables role.
+EXAMPLES: |
+ '{{ edpm_nftables_chains_prefix }}_'~rule.get('chain', 'INPUT')
+ not in ( existing | osp.edpm.jump_chain_targets(rule=rule) )
+RETURN:
+ _value:
+ description: list of jump chain targets
+ type: list
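Review bot: The new entry `'jump_chain_targets': self.jump_chain_targets` is the only one in the `filters()` mapping without a trailing comma, while the three entries above it keep one; `'jump_chain_targets': self.jump_chain_targets,` keeps the next registration a one-line diff. The `filters` method starts before the hunk.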
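Review bot: The docstring on `jump_chain_targets` says it "filters valid chain target rules", but the function returns the `target` names of `jump` expressions, not rules; I would state that it returns the jump targets of every entry in `data` whose `table` and `chain` equal the given rule's (defaults `filter` and `INPUT`) and whose family is `inet`, and add a why-comment that `inet` is fixed here because the caller only ever emits `insert rule inet ...`. Two smaller style points on the same lines: `list(filter(_filter, data))` builds a list only to iterate it, and `.keys()` is redundant in a membership test, so `for existing_rule in filter(_filter, data):` and `if 'target' in target.get('jump', {}):` do the same with less. The `'NOTABLE'`/`'NOFAMILY'`/`'NOCHAIN'` sentinels are likewise not needed, since a missing key yields `None`, which never equals a string; if they stay, a one-line comment saying they are there for readability would stop the next reader from looking for a deeper reason.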
diff --git a/roles/edpm_nftables/templates/jump-chain.j2 b/roles/edpm_nftables/templates/jump-chain.j2
index 0bd2f4b99..74fd78068 100644
--- a/roles/edpm_nftables/templates/jump-chain.j2
+++ b/roles/edpm_nftables/templates/jump-chain.j2
@@ -6,10 +6,9 @@
 {% set existing = (current_nft['stdout']|from_json)['nftables']|map(attribute='rule', default={})|list %}
 {% for ruleset in edpm_nftables_rules %}
 {% set rule=ruleset['rule'] %}
-{% set query="[? table==`"~rule.get('table', 'filter')~"` && family==`inet` && chain==`"~rule.get('chain', 'INPUT')~"`].expr[*].jump.target" %}
 {% set chain_key = rule.get('chain', 'INPUT') ~ rule.get('table', 'filter') %}
 {% if chain_key not in chains.chains %}
-{% if '{{ edpm_nftables_chains_prefix }}_'~rule.get('chain', 'INPUT') not in (existing|json_query(query)|flatten) %}
+{% if '{{ edpm_nftables_chains_prefix }}_'~rule.get('chain', 'INPUT') not in ( existing | osp.edpm.jump_chain_targets(rule=rule) ) %}
 insert rule inet {{ rule.get('table', 'filter') }} {{ rule.get('chain', 'INPUT') }} position 0 jump {{ edpm_nftables_chains_prefix }}_{{ rule.get('chain', 'INPUT') }}
 {% endif %}
 {% set _ = chains.chains.append(chain_key) %}
diff --git a/roles/edpm_podman/templates/podman_network_config.j2 b/roles/edpm_podman/templates/podman_network_config.j2
index 64c3ad97f..26b4a5058 100644
--- a/roles/edpm_podman/templates/podman_network_config.j2
+++ b/roles/edpm_podman/templates/podman_network_config.j2
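Review bot: The rewritten `{% if %}` still compares the literal text `{{ edpm_nftables_chains_prefix }}_<chain>` rather than the prefix variable's value: inside a `{% ... %}` statement Jinja does not interpolate `{{ }}` within a string literal, so as far as I can tell the condition is always true and a fresh `insert rule inet ... position 0 jump ...` line is emitted on every run, unless the jump rules are flushed before this script is applied. This predates the commit, but since the line is being rewritten anyway it is the moment to fix it: `{% if (edpm_nftables_chains_prefix ~ '_' ~ rule.get('chain', 'INPUT')) not in (existing | osp.edpm.jump_chain_targets(rule=rule)) %}`. The `{% for ruleset ... %}` loop this sits in continues past the hunk.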
@@ -1,9 +1,9 @@
 {
- "name": "{{ podman_network_inspect.stdout | from_json | first | json_query('name') }}",
- "id": "{{ podman_network_inspect.stdout | from_json | first | json_query('id') }}",
- "driver": "{{ podman_network_inspect.stdout | from_json | first | json_query('driver') }}",
- "network_interface": "{{ podman_network_inspect.stdout | from_json | first | json_query('network_interface') }}",
- "created": "{{ podman_network_inspect.stdout | from_json | first | json_query('created') }}",
+ "name": "{{ (podman_network_inspect.stdout | from_json | first)['name'] }}",
+ "id": "{{ (podman_network_inspect.stdout | from_json | first)['id'] }}",
+ "driver": "{{ (podman_network_inspect.stdout | from_json | first)['driver'] }}",
+ "network_interface": "{{ (podman_network_inspect.stdout | from_json | first)['network_interface'] }}",
+ "created": "{{ (podman_network_inspect.stdout | from_json | first)['created'] }}",
 "subnets": [
 {
 "subnet": "10.255.255.0/24",
@@ -15,7 +15,7 @@
 }
 ],
 "ipv6_enabled": true,
- "internal": {{ podman_network_inspect.stdout | from_json | first | json_query('internal') | to_json }},
- "dns_enabled": {{ podman_network_inspect.stdout | from_json | first | json_query('dns_enabled') | to_json }},
- "ipam_options": {{ podman_network_inspect.stdout | from_json | first | json_query('ipam_options') | to_json }}
+ "internal": {{ (podman_network_inspect.stdout | from_json | first)['internal'] | to_json }},
+ "dns_enabled": {{ (podman_network_inspect.stdout | from_json | first)['dns_enabled'] | to_json }},
+ "ipam_options": {{ (podman_network_inspect.stdout | from_json | first)['ipam_options'] | to_json }}
 }
diff --git a/roles/env_data/tasks/main.yml b/roles/env_data/tasks/main.yml
index b091f1b0b..db2b7a92f 100644
--- a/roles/env_data/tasks/main.yml
+++ b/roles/env_data/tasks/main.yml
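Review bot: The five string fields are spliced between hand-written double quotes (`"name": "{{ (...)['name'] }}"`), so a value containing `"` or `\` would break the generated JSON, while the boolean and object fields further down already go through `| to_json`; emitting each value with `| to_json` and dropping the literal quotes makes the whole file consistently escaped. `podman_network_inspect.stdout | from_json | first` is also parsed eight times across the template; a single `{% set net = ... %}` at the top does it once and shortens every line. The rewritten head of the template:
```jinja
{% set net = podman_network_inspect.stdout | from_json | first -%}
{
  "name": {{ net['name'] | to_json }},
  "id": {{ net['id'] | to_json }},
  "driver": {{ net['driver'] | to_json }},
  "network_interface": {{ net['network_interface'] | to_json }},
  "created": {{ net['created'] | to_json }},
{# … unchanged: subnets, ipv6_enabled, internal, dns_enabled, ipam_options … #}
```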
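Review bot: Replacing `json_query('ipam_options')` with `['ipam_options']` (and likewise for `internal` and `dns_enabled`) changes what happens when the key is absent: `json_query` returned `None`, which `to_json` rendered as `null`, whereas the subscript now raises an undefined-variable error under Ansible's default strict templating. I cannot tell from here whether `podman network inspect` always emits these three keys for the podman versions in use; if it may not, `(podman_network_inspect.stdout | from_json | first).get('ipam_options') | to_json` keeps the previous lenient behaviour while still avoiding `json_query`.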
@@ -24,7 +24,7 @@
 - name: Output installed packages
 ansible.builtin.debug:
- msg: "{{ ansible_facts.packages | community.general.json_query('*') | flatten | join('\n') }}"
+ msg: "{{ ansible_facts.packages | flatten }}"

 - name: Output installed repositories
 ansible.builtin.debug: