From 651ee7edf620b7a7eba914da4884b1a05a2ce1da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= <xavi@verdnatura.es>
Date: Fri, 28 Mar 2025 14:12:42 +0100
Subject: [PATCH 1/3] dns: refs #8552 - disable ipv6 and move delete ns file

---
 roles/ns/defaults/main.yml              |  2 +-
 roles/ns/files/delete.ns                | 14 --------------
 roles/ns/tasks/ns.yml                   |  7 +++++++
 roles/ns/templates/delete.ns            |  4 ++++
 roles/ns/templates/named.conf.master.j2 |  6 ++++++
 roles/ns/templates/named.conf.slave.j2  | 11 ++++++++---
 6 files changed, 26 insertions(+), 18 deletions(-)
 delete mode 100644 roles/ns/files/delete.ns
 create mode 100644 roles/ns/templates/delete.ns

diff --git a/roles/ns/defaults/main.yml b/roles/ns/defaults/main.yml
index daeccf4..4b1213f 100644
--- a/roles/ns/defaults/main.yml
+++ b/roles/ns/defaults/main.yml
@@ -18,12 +18,12 @@ bind_config_templates:
   - { src: 'dhcp.key', dest: '/etc/bind/keys/dhcp.key', mode: 'u=rw,g=r,o=' }
   - { src: 'isp1.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
   - { src: 'isp2.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
+  - { src: 'delete.ns', dest: '/root/scripts/switch-isp', mode: 'u=rw,g=rw,o=r' }
 directory:
   - { path: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { path: '/etc/bind/keys', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
   - { path: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rwx,g=rxs,o=rx' }
 required_files:
-  - { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }
   - { src: 'switch-isp.sh', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { src: 'sync-conf', dest: '/root/scripts', owner: 'root', group: 'root', mode: 'u=rwx,g=rx,o=rx' }
   - { src: 'gen-key.sh', dest: '/root/scripts', owner: 'root', group: 'bind', mode: 'u=rwx,g=rx,o=rx' }
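Review bot: Moving `delete.ns` from `required_files` to `bind_config_templates` drops the explicit `owner: 'root', group: 'bind'` the removed entry carried; no other `bind_config_templates` entry has them, so the template task presumably passes only `mode`, and ownership of the rendered file then comes from the user running the play plus the setgid `g=rxs` on `/root/scripts/switch-isp` — likely the same result, but not guaranteed if the play is ever run with a different become user. If the template task honours `owner`/`group`, keep them on the new entry: `- { src: 'delete.ns', dest: '/root/scripts/switch-isp', owner: 'root', group: 'bind', mode: 'u=rw,g=rw,o=r' }`. The task that consumes `bind_config_templates` is outside this patch, so this is inferred from the other entries.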
diff --git a/roles/ns/files/delete.ns b/roles/ns/files/delete.ns
deleted file mode 100644
index cbb97ad..0000000
--- a/roles/ns/files/delete.ns
+++ /dev/null
@@ -1,14 +0,0 @@
-update delete verdnatura.es              A
-update delete kube-proxy.verdnatura.es   A
-update delete smtp.verdnatura.es         A
-update delete imap.verdnatura.es         A
-update delete autodiscover.verdnatura.es A
-update delete time1.verdnatura.es        A
-update delete time2.verdnatura.es        A
-update delete dc-ip01.verdnatura.es      A
-update delete dc-ip02.verdnatura.es      A
-update delete dc-ip03.verdnatura.es      A
-update delete dc-ip04.verdnatura.es      A
-update delete mailgw1.verdnatura.es      A
-update delete mailgw2.verdnatura.es      A
-send
diff --git a/roles/ns/tasks/ns.yml b/roles/ns/tasks/ns.yml
index 7943efa..beb5d3a 100644
--- a/roles/ns/tasks/ns.yml
+++ b/roles/ns/tasks/ns.yml
@@ -6,6 +6,13 @@
     name: "{{ bind_packages }}"
     state: present
     install_recommends: no
+- name: Ensure BIND9 starts with IPv4 only (-4)
+  lineinfile:
+    path: /etc/default/named
+    regexp: '^OPTIONS='
+    line: 'OPTIONS="-u bind -4"'
+    backrefs: yes
+  notify: restart-dns
 - name: Create directory
   file:
     path: "{{ item.path }}"
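Review bot: `backrefs: yes` changes lineinfile so that a non-matching `regexp` leaves the file untouched instead of appending `line`; if `/etc/default/named` has no `OPTIONS=` line, this task reports ok, nothing changes, and named keeps listening on IPv6 while the play looks green. The `line` contains no `\1`-style backreferences, so `backrefs` buys nothing here — drop `backrefs: yes` and lineinfile's default then replaces the last matching line or appends at EOF. The value also overwrites any other options an operator placed in `OPTIONS=`, which is fine if `-u bind` is the only expected flag but deserves a comment above the task, e.g. `# refs #8552: -4 restricts named to IPv4 transport; -u bind must be kept`.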
diff --git a/roles/ns/templates/delete.ns b/roles/ns/templates/delete.ns
new file mode 100644
index 0000000..899f5cc
--- /dev/null
+++ b/roles/ns/templates/delete.ns
@@ -0,0 +1,4 @@
+{% for record in dns_records_delete %}
+update delete {{ record.name.ljust(30) }} A  
+{% endfor %}
+send
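Review bot: `dns_records_delete` is referenced on the first line but nothing in this series defines it — `roles/ns/defaults/main.yml` only gains the `bind_config_templates` entry — so unless it is already set in inventory or group vars, rendering this template fails with an undefined-variable error and the play stops at the template task. Adding `dns_records_delete: []` to the role defaults keeps the role runnable and makes the new variable discoverable. The second line also carries two trailing spaces after `A`; harmless to nsupdate but worth trimming to `update delete {{ record.name.ljust(30) }} A`. The clean output also relies on Ansible's default `trim_blocks`; rendered by plain Jinja, the `{% for %}`/`{% endfor %}` lines would leave blank lines between records, which nsupdate treats as an implicit `send`, so `{%- ... -%}` as used in `named.conf.slave.j2` would be the safer form.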
diff --git a/roles/ns/templates/named.conf.master.j2 b/roles/ns/templates/named.conf.master.j2
index dc63834..e923cc5 100644
--- a/roles/ns/templates/named.conf.master.j2
+++ b/roles/ns/templates/named.conf.master.j2
@@ -27,6 +27,12 @@ view "lan" {
           {% endfor %}
 };
 
+    plugin query "filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { any; };
+    };
+
     recursion yes;
     allow-recursion { any; };
     empty-zones-enable yes;
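Review bot: The `plugin query "filter-aaaa.so"` block (added identically to `named.conf.slave.j2` in this patch) has no comment tying it to the commit's intent, so a later reader cannot tell whether AAAA filtering in the "lan" view is deliberate IPv6 disablement or a temporary workaround; a single line above it such as `// refs #8552: IPv6 disabled site-wide; strip AAAA from answers in this view` would settle that. As I recall from the BIND documentation, the plugin still returns AAAA records in DNSSEC-signed answers to clients that request DNSSEC unless `break-dnssec yes` is set, so the filter is not absolute — confirm that is acceptable for #8552. With the daemon now started with `-4`, `filter-aaaa-on-v6 yes` is moot but harmless. In the slave template the block sits directly against `recursion yes;` with no separating blank line, unlike here.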
diff --git a/roles/ns/templates/named.conf.slave.j2 b/roles/ns/templates/named.conf.slave.j2
index c1142a1..cfe4ade 100644
--- a/roles/ns/templates/named.conf.slave.j2
+++ b/roles/ns/templates/named.conf.slave.j2
@@ -20,17 +20,22 @@ masters master-ips {
 
 view "lan" {
         match-clients {
-        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
+        {%- for item in key_match_clients_lan_master if item.startswith("!key") -%}
           {{ item }};
           {% endfor %}
-{% for item in acl_match_clients %}
+{%- for item in acl_match_clients -%}
         {{ item }};
           {% endfor %}
-{% for item in key_match_clients_lan_slave if not item.startswith("!key") %}
+{%- for item in key_match_clients_lan_slave if not item.startswith("!key") -%}
         {{ item }};
           {% endfor %}
 };
 
+    plugin query "filter-aaaa.so" {
+        filter-aaaa-on-v4 yes;
+        filter-aaaa-on-v6 yes;
+        filter-aaaa { any; };
+    };
     recursion yes;
     allow-recursion { any; };
     empty-zones-enable yes;

From 7ee760f5068da7a1acbae9ea6a0537ddb917e53d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= <xavi@verdnatura.es>
Date: Fri, 28 Mar 2025 15:49:06 +0100
Subject: [PATCH 2/3] dns: refs #8552 - indentation jinga master.conf

---
 roles/ns/templates/named.conf.master.j2 | 37 +++++++++++++------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/roles/ns/templates/named.conf.master.j2 b/roles/ns/templates/named.conf.master.j2
index e923cc5..3d0a2e0 100644
--- a/roles/ns/templates/named.conf.master.j2
+++ b/roles/ns/templates/named.conf.master.j2
@@ -15,17 +15,17 @@ options {
 };
 
 view "lan" {
-        match-clients {
-        {% for item in key_match_clients_lan_master if item.startswith("!key") %}
-          {{ item }};
-          {% endfor %}
+    match-clients {
+{% for item in key_match_clients_lan_master if item.startswith("!key") %}
+        {{ item }};
+{% endfor %}
 {% for item in acl_match_clients %}
         {{ item }};
-          {% endfor %}
+{% endfor %}
 {% for item in key_match_clients_lan_master if not item.startswith("!key") %}
         {{ item }};
-          {% endfor %}
-};
+{% endfor %}
+    };
 
     plugin query "filter-aaaa.so" {
         filter-aaaa-on-v4 yes;
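Review bot: The column-0 `{% for %}`/`{% endfor %}` layout relies on Jinja's `trim_blocks` to swallow the newline after each tag; Ansible's template module enables it by default, but rendered with plain Jinja each tag leaves an empty line in named.conf — harmless to named, just worth knowing. More relevant is that `named.conf.slave.j2` is left with the `{%- ... -%}` form and 8-space `match-clients` from the previous patch, so the rendered master and slave configs now differ in layout for the same stanza; applying this same layout there keeps the two diffable. The `view "lan"` block continues outside the hunk.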
@@ -40,14 +40,14 @@ view "lan" {
 
     include "/etc/bind/named.conf.default-zones";
 
-    {% for zone in bind_zones.lan %}
+{% for zone in bind_zones.lan %}
     zone "{{ zone.name }}" {
         type master;
         forwarders {};
         allow-update { key {{ zone.key }}; };
         file "{{ zone.file }}";
     };
-    {% endfor %}
+{% endfor %}
 };
 
 view "wan" {
@@ -60,25 +60,26 @@ view "wan" {
     notify explicit;
 
     also-notify {
-    {% for entry in bind_also_notify %}
+{% for entry in bind_also_notify %}
         {{ entry.ip }} key {{ entry.key }};
-    {% endfor %}
+{% endfor %}
     };
 
-    {% for zone in bind_zones.wan %}
-    {% if zone.in_view is defined %}
-    {% for z in zone.in_view %}
+{% for zone in bind_zones.wan %}
+{% if zone.in_view is defined %}
+{% for z in zone.in_view %}
     zone "{{ z }}" {
         in-view "lan";
     };
-    {% endfor %}
-    {% else %}
+{% endfor %}
+{% else %}
     zone "{{ zone.name }}" {
         type master;
         forwarders {};
         allow-update { key {{ zone.key }}; };
         file "{{ zone.file }}";
     };
-    {% endif %}
-    {% endfor %}
+{% endif %}
+{% endfor %}
 };
+

From 0e073c7ba12b7e650cd1ff14f7f66341bf892f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?= <xavi@verdnatura.es>
Date: Wed, 2 Apr 2025 11:34:17 +0200
Subject: [PATCH 3/3] vpn: refs #8748 - add conntrack iptables default block

---
 roles/ipsec/defaults/main.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/ipsec/defaults/main.yml b/roles/ipsec/defaults/main.yml
index c8b1cd0..a7d3b9d 100644
--- a/roles/ipsec/defaults/main.yml
+++ b/roles/ipsec/defaults/main.yml
@@ -24,6 +24,13 @@ mangle_block: |
   -A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   -A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
   COMMIT
+  *filter
+  :INPUT ACCEPT [0:0]
+  :FORWARD ACCEPT [0:0]
+  :OUTPUT ACCEPT [0:0]
+  -A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+  -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "CT INVALID: "
+  COMMIT
 config_and_logrotate:
   - { src: vn.conf, dest: '/etc/strongswan.d/vn.conf' }
   - { src: charon, dest: '/etc/logrotate.d/charon' }
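Review bot: The new `*filter` table logs INVALID forwards but never drops them: with `:FORWARD ACCEPT` as the policy and no rule after the LOG, an INVALID packet is logged and then forwarded anyway, and the preceding rule already accepts NEW along with RELATED,ESTABLISHED, so the table blocks nothing. If "default block" means discarding invalid state, add `-A FORWARD -m conntrack --ctstate INVALID -j DROP` after the LOG line. The LOG rule also has no `-m limit`, so a burst of invalid packets can fill syslog; `-m limit --limit 5/min --limit-burst 10` in front of `-j LOG` is the usual guard. Finally, this now lives in a variable named `mangle_block`; if the consumer already emits a `*filter` table elsewhere, iptables-restore without `--noflush` replaces the earlier rules when it reaches this block — worth confirming against the task that renders it, which is outside this patch.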