diff --git a/defaults/main.yml b/defaults/main.yml
index cf1dc43..95f7ea1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -180,7 +180,7 @@ neogo__ferm__dependent_rules:
 saddr: '{{ neogo__rpc_allow + neogo__rpc_group_allow + neogo__rpc_host_allow }}'
 protocol: 'tcp'
 role: 'neogo-legacy'
- rule_state: "{{ 'present' if neogo__rpc_enabled and neogo__rpc_address not in ['localhost', '127.0.0.1', '::1'] else 'absent' }}"
+ rule_state: "{{ 'present' if neogo__rpc_enabled and not ( neogo__rpc_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neogo__rpc_address ) or '::1/128'|ansible.utils.network_in_usable( neogo__rpc_address ) ) else 'absent' }}"
 - type: 'accept'
 name: 'neogo{{ neogo__instance }}_tls'
@@ -189,7 +189,7 @@ neogo__ferm__dependent_rules:
 saddr: '{{ neogo__rpc_allow + neogo__rpc_group_allow + neogo__rpc_host_allow }}'
 protocol: 'tcp'
 role: 'neogo-legacy'
- rule_state: "{{ 'present' if neogo__tls_enabled and neogo__tls_address not in ['localhost', '127.0.0.1', '::1'] else 'absent' }}"
+ rule_state: "{{ 'present' if neogo__tls_enabled and not ( neogo__tls_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neogo__tls_address ) or '::1/128'|ansible.utils.network_in_usable( neogo__tls_address ) ) else 'absent' }}"
 - type: 'accept'
 name: 'neogo{{ neogo__instance }}_metrics'
@@ -198,7 +198,7 @@ neogo__ferm__dependent_rules:
 saddr: '{{ neogo__metrics_allow + neogo__metrics_group_allow + neogo__metrics_host_allow }}'
 protocol: 'tcp'
 role: 'neogo-legacy'
- rule_state: "{{ 'present' if neogo__metrics_enabled and neogo__metrics_address not in ['localhost', '127.0.0.1', '::1'] else 'absent' }}"
+ rule_state: "{{ 'present' if neogo__metrics_enabled and not ( neogo__metrics_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neogo__metrics_address ) or '::1/128'|ansible.utils.network_in_usable( neogo__metrics_address ) ) else 'absent' }}"
 - type: 'accept'
 name: 'neogo{{ neogo__instance }}_pprof'
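Review bot: The new `rule_state` expression on the `+` line makes `defaults/main.yml` depend on the `ansible.utils` collection (`ansible.utils.network_in_usable`), which the old `not in [...]` test did not need, and nothing in this commit declares that dependency; unless it is already listed in the role's `meta/main.yml` or a `requirements.yml` outside this diff, rendering the defaults will fail with an unknown-filter error on controllers without the collection, taking every dependent ferm rule down with it. The identical expression is repeated in the hunks at -189, -198 and -207, so the same dependency applies there. Two semantics points are worth a comment above the rule: `network_in_usable` tests the usable host range, so `127.0.0.0` and `127.255.255.255` are not treated as loopback (`ansible.utils.network_in_network` is the exact-membership test if that matters), and if an `*_address` variable ever holds a hostname other than `localhost` rather than an IP literal, the filter's result on a non-address value is not shown here, so it is worth confirming whether it errors out or evaluates as "not loopback" and yields `'present'` as the old expression did. Since the outcome of this test is whether an accept rule is created, I would make the intent and the new requirement explicit with `# Skip the ferm rule only when the listener is bound to a loopback address (127.0.0.0/8 or ::1); needs the ansible.utils collection`.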
@@ -207,4 +207,4 @@ neogo__ferm__dependent_rules:
 saddr: '{{ neogo__pprof_allow + neogo__pprof_group_allow + neogo__pprof_host_allow }}'
 protocol: 'tcp'
 role: 'neogo-legacy'
- rule_state: "{{ 'present' if neogo__pprof_enabled and neogo__pprof_address not in ['localhost', '127.0.0.1', '::1'] else 'absent' }}"
+ rule_state: "{{ 'present' if neogo__pprof_enabled and not ( neogo__pprof_address == 'localhost' or '127.0.0.0/8'|ansible.utils.network_in_usable( neogo__pprof_address ) or '::1/128'|ansible.utils.network_in_usable( neogo__pprof_address ) ) else 'absent' }}"