clean debops.ferm rules for wildcard address

Signed-off-by: Sеrgiо Nеmirоwski <[email protected]>
nspcc-dev · Sep 25, 2024 · 8990cd6 · 8990cd6
1 parent 1032787
commit 8990cd6
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 13 deletions.
diff --git a/roles/ir/defaults/main.yml b/roles/ir/defaults/main.yml
@@ -214,47 +214,47 @@ neofs_ir__ferm__dependent_rules:
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_prometheus'
     dport: [ '{{ neofs_ir__prometheus_port }}' ]
-    daddr: [ "{{ ( neofs_ir__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__prometheus_address ) }}" ]
+    daddr: "{{ ( neofs_ir__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__prometheus_address] ) }}"
     saddr: '{{ neofs_ir__prometheus_allow + neofs_ir__prometheus_group_allow + neofs_ir__prometheus_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_ir__prometheus_enabled and not ( neofs_ir__prometheus_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__prometheus_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__prometheus_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_pprof'
     dport: [ '{{ neofs_ir__pprof_port }}' ]
-    daddr: [ "{{ ( neofs_ir__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__pprof_address ) }}" ]
+    daddr: "{{ ( neofs_ir__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__pprof_address] ) }}"
     saddr: '{{ neofs_ir__pprof_allow + neofs_ir__pprof_group_allow + neofs_ir__pprof_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_ir__pprof_enabled and not ( neofs_ir__pprof_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__pprof_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__pprof_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_control'
     dport: [ '{{ neofs_ir__control_port }}' ]
-    daddr: [ "{{ ( neofs_ir__control_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__control_address ) }}" ]
+    daddr: "{{ ( neofs_ir__control_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__control_address] ) }}"
     saddr: '{{ neofs_ir__control_allow + neofs_ir__control_group_allow + neofs_ir__control_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_ir__control_enabled and not ( neofs_ir__control_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__control_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__control_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_rpc'
     dport: [ '{{ neofs_ir__blockchain_rpc_port }}' ]
-    daddr: [ "{{ ( neofs_ir__blockchain_rpc_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__blockchain_rpc_address ) }}" ]
+    daddr: "{{ ( neofs_ir__blockchain_rpc_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__blockchain_rpc_address] ) }}"
     saddr: '{{ neofs_ir__blockchain_rpc_allow + neofs_ir__blockchain_rpc_group_allow + neofs_ir__blockchain_rpc_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if not neofs_ir__external_sidechain and not ( neofs_ir__blockchain_rpc_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__blockchain_rpc_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__blockchain_rpc_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_tls_rpc'
     dport: [ '{{ neofs_ir__blockchain_tls_rpc_port }}' ]
-    daddr: [ "{{ ( neofs_ir__blockchain_tls_rpc_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__blockchain_tls_rpc_address ) }}" ]
+    daddr: "{{ ( neofs_ir__blockchain_tls_rpc_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__blockchain_tls_rpc_address] ) }}"
     saddr: '{{ neofs_ir__blockchain_tls_rpc_allow + neofs_ir__blockchain_tls_rpc_group_allow + neofs_ir__blockchain_tls_rpc_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_ir__blockchain_tls_rpc_enabled and not ( neofs_ir__blockchain_tls_rpc_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__blockchain_tls_rpc_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__blockchain_tls_rpc_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-ir{{ neofs_ir__instance }}_blockchain_p2p'
     dport: [ '{{ neofs_ir__blockchain_p2p_port }}' ]
-    daddr: [ "{{ ( neofs_ir__blockchain_p2p_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_ir__blockchain_p2p_address ) }}" ]
+    daddr: "{{ ( neofs_ir__blockchain_p2p_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_ir__blockchain_p2p_address] ) }}"
     saddr: '{{ neofs_ir__blockchain_p2p_allow + neofs_ir__blockchain_p2p_group_allow + neofs_ir__blockchain_p2p_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if not neofs_ir__external_sidechain and not ( neofs_ir__blockchain_p2p_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_ir__blockchain_p2p_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_ir__blockchain_p2p_address ) ) else 'absent' }}"
diff --git a/roles/rest_gw/defaults/main.yml b/roles/rest_gw/defaults/main.yml
@@ -111,23 +111,23 @@ neofs_rest__ferm__dependent_rules:
   - type: 'accept'
     name: 'neofs-rest{{ neofs_rest__instance }}_rest'
     dport: [ '{{ neofs_rest__rest_port }}' ]
-    daddr: [ "{{ ( neofs_rest__rest_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_rest__rest_address ) }}" ]
+    daddr: "{{ ( neofs_rest__rest_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_rest__rest_address] ) }}"
     saddr: '{{ neofs_rest__rest_allow + neofs_rest__rest_group_allow + neofs_rest__rest_host_allow }}'
     protocol: 'tcp'
     rule_state: 'present'
 
   - type: 'accept'
     name: 'neofs-rest{{ neofs_rest__instance }}_prometheus'
     dport: [ '{{ neofs_rest__prometheus_port }}' ]
-    daddr: [ "{{ ( neofs_rest__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_rest__prometheus_address ) }}" ]
+    daddr: "{{ ( neofs_rest__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_rest__prometheus_address] ) }}"
     saddr: '{{ neofs_rest__prometheus_allow + neofs_rest__prometheus_group_allow + neofs_rest__prometheus_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_rest__prometheus_enabled and not ( neofs_rest__prometheus_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_rest__prometheus_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_rest__prometheus_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-rest{{ neofs_rest__instance }}_pprof'
     dport: [ '{{ neofs_rest__pprof_port }}' ]
-    daddr: [ "{{ ( neofs_rest__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_rest__pprof_address ) }}" ]
+    daddr: "{{ ( neofs_rest__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_rest__pprof_address] ) }}"
     saddr: '{{ neofs_rest__pprof_allow + neofs_rest__pprof_group_allow + neofs_rest__pprof_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_rest__pprof_enabled and not ( neofs_rest__pprof_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_rest__pprof_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_rest__pprof_address ) ) else 'absent' }}"
diff --git a/roles/storage/defaults/main.yml b/roles/storage/defaults/main.yml
@@ -116,7 +116,7 @@ neofs_storage__grpc_ferm_rules: |
   {% for endpoint in neofs_storage__grpc_endpoints %}
   {% if 'enabled' not in endpoint or endpoint.enabled %}
   - dport: [ '{{ endpoint.port }}' ]
-    daddr: [ "{{ ( endpoint.address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', endpoint.address ) }}" ]
+    daddr: "{{ ( endpoint.address in ['0.0.0.0', '::0', '::'] )| ternary( [], [endpoint.address] ) }}"
     saddr: {{ endpoint.allow }}
     protocol: 'tcp'
   {% endif %}
@@ -224,23 +224,23 @@ neofs_storage__ferm__dependent_rules:
   - type: 'accept'
     name: 'neofs-storage{{ neofs_storage__instance }}_prometheus'
     dport: [ '{{ neofs_storage__prometheus_port }}' ]
-    daddr: [ "{{ ( neofs_storage__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_storage__prometheus_address ) }}" ]
+    daddr: "{{ ( neofs_storage__prometheus_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_storage__prometheus_address] ) }}"
     saddr: '{{ neofs_storage__prometheus_allow + neofs_storage__prometheus_group_allow + neofs_storage__prometheus_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_storage__prometheus_enabled and not ( neofs_storage__prometheus_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_storage__prometheus_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_storage__prometheus_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-storage{{ neofs_storage__instance }}_pprof'
     dport: [ '{{ neofs_storage__pprof_port }}' ]
-    daddr: [ "{{ ( neofs_storage__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_storage__pprof_address ) }}" ]
+    daddr: "{{ ( neofs_storage__pprof_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_storage__pprof_address] ) }}"
     saddr: '{{ neofs_storage__pprof_allow + neofs_storage__pprof_group_allow + neofs_storage__pprof_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_storage__pprof_enabled and not ( neofs_storage__pprof_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_storage__pprof_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_storage__pprof_address ) ) else 'absent' }}"
 
   - type: 'accept'
     name: 'neofs-storage{{ neofs_storage__instance }}_control'
     dport: [ '{{ neofs_storage__control_port }}' ]
-    daddr: [ "{{ ( neofs_storage__control_address in ['0.0.0.0', '::0', '::'] )| ternary( '0/0', neofs_storage__control_address ) }}" ]
+    daddr: "{{ ( neofs_storage__control_address in ['0.0.0.0', '::0', '::'] )| ternary( [], [neofs_storage__control_address] ) }}"
     saddr: '{{ neofs_storage__control_allow + neofs_storage__control_group_allow + neofs_storage__control_host_allow }}'
     protocol: 'tcp'
     rule_state: "{{ 'present' if neofs_storage__control_enabled and not ( neofs_storage__control_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neofs_storage__control_address ) or '::1/128'|ansible.utils.network_in_usable( neofs_storage__control_address ) ) else 'absent' }}"