refactored kernel-module checking (fix #4)

ansibleguy · Nov 28, 2023 · 8cb8d59 · 8cb8d59
1 parent f0dd03e
commit 8cb8d59
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 11 deletions.
diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
@@ -5,8 +5,22 @@ nftables: {}
 # default config => is overwritten by provided config
 defaults_nftables:
   enable:
+    # will check if kernel modules are available
     sets: true
     nat: true
+    redir: true
+    reject: false
+    tproxy: false
+    synproxy: false
+    socket: false
+    quota: false
+    tunnel: false
+    connlimit: false
+    table_inet: true
+    table_ip4: true
+    table_ip6: false
+    table_netdev: false
+    table_bridge: false
     deb11_backport: false
     bash_completion: false
 

diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
@@ -9,6 +9,7 @@ def filters(self):
             "nftables_format_counter": self.nftables_format_counter,
             "nftables_format_limit": self.nftables_format_limit,
             "nftables_format_set": self.nftables_format_set,
+            "check_kernel_module": self.check_kernel_module,
         }
 
     @staticmethod
@@ -71,3 +72,11 @@ def nftables_format_limit(cls, config: dict, whitespace: int) -> str:
             lines.append(cls._format_comment(config['comment']))
 
         return cls._format_lines(whitespace=whitespace, lines=lines)
+
+    @staticmethod
+    def check_kernel_module(mod: str, kernel_mods: list) -> bool:
+        if not isinstance(kernel_mods, list):
+            return True  # container etc
+
+        return f'{mod}=y' in kernel_mods or f'{mod}=m' in kernel_mods
+
diff --git a/tasks/check_debian.yml b/tasks/check_debian.yml
@@ -15,6 +15,7 @@
 
 - name: NFTables | Check | Kernel config
   ansible.builtin.import_tasks: check_debian_kernel_config.yml
+  tags: always
   when: >
     ansible_virtualization_role is undefined or
     ansible_virtualization_role != 'guest' or

diff --git a/tasks/check_debian_kernel_config.yml b/tasks/check_debian_kernel_config.yml
@@ -4,7 +4,7 @@
   ansible.builtin.shell: 'cat "/boot/config-$(uname -r)" | grep -E "CONFIG_NFT|CONFIG_NF_TABLES"'
   args:
     executable: '/bin/bash'
-  register: nft_kernel_config
+  register: nft_kernel_cnf
   changed_when: false
   check_mode: false
   tags: skip_ansible_lint  # 'set -o pipefail' will lead to no output
@@ -17,21 +17,91 @@
 - name: NFTables | Check | Checking kernel config
   ansible.builtin.assert:
     that:
-      - "'CONFIG_NF_TABLES=m' in nft_kernel_config.stdout_lines"
-      - "'CONFIG_NF_TABLES_INET=y' in nft_kernel_config.stdout_lines"
-      - "'CONFIG_NF_TABLES_IPV4=y' in nft_kernel_config.stdout_lines"
-  tags: always
+      - "'CONFIG_NF_TABLES' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_REJECT' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
 
-- name: NFTables | Checking kernel config for sets
+- name: NFTables | Check | Checking kernel config for TABLE-INET
   ansible.builtin.assert:
     that:
-      - "'CONFIG_NF_TABLES_SET=m' in nft_kernel_config.stdout_lines"
+      - "'CONFIG_NF_TABLES_INET' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_REJECT_INET' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+
+- name: NFTables | Check | Checking kernel config for TABLE-IP(4)
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NF_TABLES_IPV4' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_REJECT_IPV4' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+
+- name: NFTables | Check | Checking kernel config for TABLE-IP6
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NF_TABLES_IPV6' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_REJECT_IPV6' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+
+- name: NFTables | Checking kernel config for TABLE-NETDEV
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NF_TABLES_NETDEV' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_REJECT_NETDEV' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.table_netdev | bool
+
+- name: NFTables | Checking kernel config for TABLE-BRIDGE
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NF_TABLES_BRIDGE=' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+      - "not NFT_CONFIG.enable.reject | bool or 'CONFIG_NFT_BRIDGE_REJECT' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.table_bridge | bool
+
+- name: NFTables | Checking kernel config for SETS
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NF_TABLES_SET' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
   when: NFT_CONFIG.enable.sets | bool
-  tags: always
 
-- name: NFTables | Checking kernel config for nat
+- name: NFTables | Checking kernel config for NAT
   ansible.builtin.assert:
     that:
-      - "'CONFIG_NFT_NAT=m' in nft_kernel_config.stdout_lines"
+      - "'CONFIG_NFT_NAT' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
   when: NFT_CONFIG.enable.nat | bool
-  tags: always
+
+- name: NFTables | Checking kernel config for REDIR
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_REDIR' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.redir | bool
+
+- name: NFTables | Checking kernel config for TPROXY
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_TPROXY' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.tproxy | bool
+
+- name: NFTables | Checking kernel config for SYNPROXY
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_SYNPROXY' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.synproxy | bool
+
+- name: NFTables | Checking kernel config for SOCKET
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_SOCKET' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.socket | bool
+
+- name: NFTables | Checking kernel config for TUNNEL
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_TUNNEL' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.tunnel | bool
+
+- name: NFTables | Checking kernel config for QUOTA
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_QUOTA' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.quota | bool
+
+- name: NFTables | Checking kernel config for CONNLIMIT
+  ansible.builtin.assert:
+    that:
+      - "'CONFIG_NFT_CONNLIMIT' | check_kernel_module(nft_kernel_cnf.stdout_lines)"
+  when: NFT_CONFIG.enable.connlimit | bool