community.general
community.general copied to clipboard
ansible-collections
iptables_state: let the user declare the rules directly without a file
Summary
I would like to be able to directly declare the rules in the module usage instead of using a file.
Issue Type
Feature Idea
Component Name
iptables_state
Additional Information
This could be done with something along the lines (we declared the rules in the new rules property):
- name: Set the iptables rules
community.general.iptables_state:
state: restored_and_saved
rules: "{{ lookup('template', 'iptables-rules.v4.j2') }}"
path: /etc/iptables/rules.v4
async: "{{ ansible_timeout }}"
poll: 0
Maybe this could also open the door for saving the rules file as-is they were passed to the rules property? I mean, currently, the saved state will use iptables-save which, understandably, looses all of our rules comments. But maybe this is starting to be too much responsibilities for a single module, would complicate the future diff mode, would introduce too many changes, and just having a restored_and_saved and rules property would be enough.
PS: This was originally discussed in https://github.com/ansible-collections/community.general/issues/2523.
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
Files identified in the description:
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
Files identified in the description:
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
hi @rgl , thanks for suggesting this !
I read two proposals in your report:
- pass the ruleset to iptables-restore from stdin rather than a file (that probably means from a file on the controller rather than a file on the target)
- restore a ruleset and (once validated) save it in a file, all at once
About passing ruleset to iptables-restore without the need to store it on the target, I think this would not be so much work, and would not add breaking changes, just a new option (maybe rules, as you suggest, or stdin or content to use the same semantic of existing modules).
About a full restored_and_saved state... for short:
- the
restoredstate needs a source, currently hold by thepathoption - the
savedstate needs a destination, currently hold by thepathoption
Implementing a restored_and_saved state will not be done without some revamp and possibly (but not sure) breaking changes - or a deprecation period for the replacement of path by either src (restored), dest (saved), or both (restored and saved).
What follows is mostly a vague opinion of the day, and may be submitted to changes at any time:
restored_and_savedis definitely too long.- I can't find a good short name for this
state. - We don't need a
stateoption, but only source and destination to restore from and/or backup to ! src(orrules) implies a restored state, as well asdestimplies asavedstate- so
rulesanddestaltogether imply restored and saved states
That could be:
- name: apply and save iptables ruleset
community.general.iptables_state:
#src: /etc/iptables/rules.v4.in
rules: "{{ lookup('template', 'iptables-rules.v4.j2') }}"
dest: /etc/iptables/rules.v4
async: 10
poll: 0
what could be the path to go there (src+dest) from here (state+path, required) ?
Using src+dest really simplifies the interface! Its now much more alike the copy module, which from the outside viewpoint, iptables_state is. I like it! :-)
If content is the normal/expected ansible property name to define the file content, by all means, lets use that :-)
About the path to implement this, I think that the user should not be able to mix state+path with src+dest+content, and under the covers, somehow translate state/path to the new property names.