ansible.posix
Masquerade and Icmp-Block Inversion get enabled when string is set to no
SUMMARY
ICMP block inversion and masquerade are string types, which means any string will enable them. If we update the ICMP block inversion and masquerade schemas to boolean values, this could break many playbooks.
ISSUE TYPE
- Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.12.0.dev0] (devel 767b2f07b0) last updated 2021/07/27 19:55:15 (GMT -400)
COLLECTION VERSION
1ebacfb195b000ee7f0478a8a1ea040c995eb249
CONFIGURATION
n/a
OS / ENVIRONMENT
STEPS TO REPRODUCE
- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: yes
    icmp_block_inversion: no
EXPECTED RESULTS
Icmp block inversion should be set to no
ACTUAL RESULTS
Icmp block inversion is set to yes.
@vrindle Thanks for reporting this issue.
Is there any fix to this at all? I notice that when setting masquerade and ICMP block inversion, the value for each is completely ignored if set to 'no' and is set on whether or not "state" is equal to "enabled" or "disabled". This is definitely not expected and caused considerable head scratching when using the firewalld module.
This sets masquerade to yes:
- ansible.posix.firewalld:
    zone: drop
    masquerade: 'no'
    state: enabled
    permanent: yes
This sets masquerade to no (I can kind of understand this one as you are disabling the setting and setting it back to the default):
- ansible.posix.firewalld:
    zone: drop
    masquerade: 'yes'
    state: disabled
    permanent: yes
I can work around this, but it leaves a yucky taste where I have to try and anticipate the module version being used (or fix it to an old module version).
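The mismatch described in this thread can be checked for before a playbook runs. The following is an added example, not code from the thread or from the ansible.posix collection: it models the reported behaviour (the option's value is ignored and the setting follows `state`) and flags tasks whose written value disagrees with what would be applied. The function names and sample tasks are constructed for illustration, and tasks are assumed to be already loaded into dicts.

```python
# Added example (not the collection's code): audit firewalld tasks for the
# value-vs-state mismatch reported in this thread.
FW = "ansible.posix.firewalld"
AFFECTED = ("masquerade", "icmp_block_inversion")
TRUE_WORDS = {"yes", "true", "on", "1", "y", "t"}
FALSE_WORDS = {"no", "false", "off", "0", "n", "f"}


def intended(value):
    """What the playbook author meant, using a strict yes/no parse."""
    if isinstance(value, bool):
        return value
    word = str(value).strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean-like value: {value!r}")


def applied(args):
    """Model of the reported behaviour: the option's value is ignored and
    the setting follows `state` (enabled -> on, anything else -> off)."""
    return args.get("state") == "enabled"


def audit(tasks):
    """Return (task index, option, intended, applied) for every mismatch."""
    findings = []
    for i, task in enumerate(tasks):
        args = task.get(FW)
        if not isinstance(args, dict):
            continue
        for opt in AFFECTED:
            if opt in args and intended(args[opt]) != applied(args):
                findings.append((i, opt, intended(args[opt]), applied(args)))
    return findings


# Constructed sample: the three snippets from this thread plus one consistent
# task, as a YAML 1.1 loader yields them (bare yes/no -> bool, quoted -> str).
SAMPLE = [
    {FW: {"zone": "drop", "state": "enabled", "permanent": True, "icmp_block_inversion": False}},
    {FW: {"zone": "drop", "masquerade": "no", "state": "enabled", "permanent": True}},
    {FW: {"zone": "drop", "masquerade": "yes", "state": "disabled", "permanent": True}},
    {FW: {"zone": "public", "masquerade": "yes", "state": "enabled", "permanent": True}},
]
```

Calling `audit(SAMPLE)` flags the first three tasks and leaves the fourth, where the written value and `state` agree, unreported.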