* Add support for capturing ipset and iptables configuration files

* Add support for generating ipset and iptables configuration files from runtime, if the former weren't present (`firewall_runtime` role) * Dependency updates
2026-05-14 15:16:36 +10:00 · 2026-05-14 15:16:36 +10:00 · b25dd1e314
commit b25dd1e314
parent 3fcfefe644
13 changed files with 856 additions and 11 deletions
--- a/tests/test_harvest_helpers.py
+++ b/tests/test_harvest_helpers.py
@ -168,3 +168,121 @@ def test_iter_system_capture_paths_dedupes_first_reason(monkeypatch):
    )
    out = h._iter_system_capture_paths()
    assert out == [("/dup", "r1")]
+
+
+def test_ipset_and_iptables_state_helpers(tmp_path: Path):
+    ipset_save = """create blocklist hash:ip family inet hashsize 1024 maxelem 65536
+add blocklist 203.0.113.10
+create nets hash:net family inet
+"""
+    assert h._ipset_save_has_state(ipset_save)
+    assert h._parse_ipset_set_names(ipset_save) == ["blocklist", "nets"]
+    assert not h._ipset_save_has_state("# empty\n")
+
+    empty_iptables = """*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+"""
+    assert not h._iptables_save_has_state(empty_iptables)
+
+    native_rule = empty_iptables.replace(
+        "COMMIT", "-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT"
+    )
+    assert h._iptables_save_has_state(native_rule)
+
+    changed_policy = empty_iptables.replace(":INPUT ACCEPT", ":INPUT DROP")
+    assert h._iptables_save_has_state(changed_policy)
+
+
+def test_collect_firewall_runtime_snapshot_writes_generated_artifacts(
+    monkeypatch, tmp_path: Path
+):
+    outputs = {
+        "ipset_save": (
+            "create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n",
+            None,
+        ),
+        "iptables_v4_save": (
+            "*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n",
+            None,
+        ),
+        "iptables_v6_save": ("*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n", None),
+    }
+
+    def fake_run(command_key, *, timeout=10):
+        return outputs[command_key]
+
+    monkeypatch.setattr(h, "_run_capture_command", fake_run)
+
+    snap = h._collect_firewall_runtime_snapshot(str(tmp_path))
+    assert snap.role_name == "firewall_runtime"
+    assert snap.packages == ["ipset", "iptables"]
+    assert snap.ipset_save == "firewall/ipset.save"
+    assert snap.ipset_sets == ["blocklist"]
+    assert snap.iptables_v4_save == "firewall/iptables.v4"
+    assert snap.iptables_v6_save is None
+
+    assert (
+        (tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "ipset.save")
+        .read_text(encoding="utf-8")
+        .startswith("create blocklist")
+    )
+    assert (
+        (tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "iptables.v4")
+        .read_text(encoding="utf-8")
+        .startswith("*filter")
+    )
+
+
+def test_collect_firewall_runtime_snapshot_is_per_family_fallback(
+    monkeypatch, tmp_path: Path
+):
+    calls = []
+    outputs = {
+        "ipset_save": (
+            "create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n",
+            None,
+        ),
+        "iptables_v4_save": (
+            "*filter\n:INPUT DROP [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n",
+            None,
+        ),
+        "iptables_v6_save": (
+            "*filter\n:INPUT DROP [0:0]\n-A INPUT -p tcp --dport 22 -j ACCEPT\nCOMMIT\n",
+            None,
+        ),
+    }
+
+    def fake_run(command_key, *, timeout=10):
+        calls.append(command_key)
+        return outputs[command_key]
+
+    monkeypatch.setattr(h, "_run_capture_command", fake_run)
+
+    snap = h._collect_firewall_runtime_snapshot(
+        str(tmp_path),
+        persistent_ipset_files=["/etc/ipset.conf"],
+        persistent_iptables_v4_files=["/etc/iptables/rules.v4"],
+        persistent_iptables_v6_files=[],
+    )
+
+    assert "ipset_save" not in calls
+    assert "iptables_v4_save" not in calls
+    assert "iptables_v6_save" in calls
+    assert snap.ipset_save is None
+    assert snap.iptables_v4_save is None
+    assert snap.iptables_v6_save == "firewall/iptables.v6"
+    assert snap.packages == ["iptables"]
+    assert any("persistent ipset configuration" in note for note in snap.notes)
+    assert any("persistent IPv4 iptables configuration" in note for note in snap.notes)
+    assert not (
+        tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "ipset.save"
+    ).exists()
+    assert not (
+        tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "iptables.v4"
+    ).exists()
+    assert (
+        tmp_path / "artifacts" / "firewall_runtime" / "firewall" / "iptables.v6"
+    ).exists()
--- a/tests/test_manifest.py
+++ b/tests/test_manifest.py
@ -795,3 +795,100 @@ def test_manifest_applies_jinjaturtle_to_jinjifyable_managed_file(
    assert not (
        out_dir / "roles" / "apt_config" / "files" / "etc" / "apt" / "foo.ini"
    ).exists()
+
+
+def test_manifest_writes_firewall_runtime_role(tmp_path: Path):
+    bundle = tmp_path / "bundle"
+    out = tmp_path / "ansible"
+    (bundle / "artifacts" / "firewall_runtime" / "firewall").mkdir(
+        parents=True, exist_ok=True
+    )
+    (bundle / "artifacts" / "firewall_runtime" / "firewall" / "ipset.save").write_text(
+        "create blocklist hash:ip family inet\nadd blocklist 203.0.113.10\n",
+        encoding="utf-8",
+    )
+    (bundle / "artifacts" / "firewall_runtime" / "firewall" / "iptables.v4").write_text(
+        "*filter\n:INPUT DROP [0:0]\n-A INPUT -m set --match-set blocklist src -j DROP\nCOMMIT\n",
+        encoding="utf-8",
+    )
+
+    state = {
+        "schema_version": 3,
+        "host": {"hostname": "test", "os": "debian", "pkg_backend": "dpkg"},
+        "inventory": {"packages": {}},
+        "roles": {
+            "users": {
+                "role_name": "users",
+                "users": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "services": [],
+            "packages": [],
+            "apt_config": {
+                "role_name": "apt_config",
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "dnf_config": {
+                "role_name": "dnf_config",
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "firewall_runtime": {
+                "role_name": "firewall_runtime",
+                "packages": ["ipset", "iptables"],
+                "ipset_save": "firewall/ipset.save",
+                "ipset_sets": ["blocklist"],
+                "iptables_v4_save": "firewall/iptables.v4",
+                "iptables_v6_save": None,
+                "notes": [],
+            },
+            "etc_custom": {
+                "role_name": "etc_custom",
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "usr_local_custom": {
+                "role_name": "usr_local_custom",
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+            "extra_paths": {
+                "role_name": "extra_paths",
+                "include_patterns": [],
+                "exclude_patterns": [],
+                "managed_files": [],
+                "excluded": [],
+                "notes": [],
+            },
+        },
+    }
+    (bundle / "state.json").write_text(json.dumps(state, indent=2), encoding="utf-8")
+
+    manifest.manifest(str(bundle), str(out))
+
+    tasks = (out / "roles" / "firewall_runtime" / "tasks" / "main.yml").read_text(
+        encoding="utf-8"
+    )
+    assert "ipset restore -exist" in tasks
+    assert "iptables-restore /etc/enroll/firewall/iptables.v4" in tasks
+    assert "ipset flush {{ item }}" in tasks
+
+    defaults = (out / "roles" / "firewall_runtime" / "defaults" / "main.yml").read_text(
+        encoding="utf-8"
+    )
+    assert "firewall_runtime_ipset_sets:" in defaults
+    assert "- blocklist" in defaults
+    assert "firewall_runtime_restore_iptables: true" in defaults
+
+    pb = (out / "playbook.yml").read_text(encoding="utf-8")
+    assert "role: firewall_runtime" in pb
+    assert (
+        out / "roles" / "firewall_runtime" / "files" / "firewall" / "ipset.save"
+    ).exists()