community.general
community.general copied to clipboard
ansible-collections
ufw: changing policy ignores state
Summary
A policy change is executed even if the same policy is set causing delays and disconnects
Issue Type
Bug Report
Component Name
ufw
Ansible Version
ansible 2.10.5
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/florian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/florian/py_venv/lib/python3.6/site-packages/ansible
executable location = /home/florian/py_venv/bin/ansible
python version = 3.6.9 (default, Oct 8 2020, 12:12:24) [GCC 8.4.0]
2.9.13 is also affected
Configuration
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=5m
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['timer', 'profile_tasks', 'profile_roles']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 20
OS / Environment
Source Ubuntu 18.04 Target Debian 10.8, Ubuntu 18.04/20.04
Steps To Reproduce
---
- name: ufw test
hosts: all
remote_user: test
strategy: linear
tasks:
- name: Configure ufw defaults
ufw:
direction: "{{ item.direction }}"
policy: "{{ item.policy }}"
with_items:
- { direction: 'incoming', policy: 'deny' }
- { direction: 'outgoing', policy: 'allow' }
become: true
Expected Results
Nothing happens, since the state before is this:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
Actual Results
Here are the commands, that are used for a policy change.
"/usr/sbin/ufw status verbose",
"/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules",
"/usr/sbin/ufw default allow outgoing",
"/usr/sbin/ufw status verbose",
"/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules"
The "/usr/sbin/ufw default allow outgoing" causes ufw - I think - to drop all or some connections.
Changing the policy takes about 6 seconds, it takes Ansible a lot of time to reconnect. If I have a lot of hosts in my list some of them are failing this task with a disconnect.
Files identified in the description:
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
From the code, it looks like the current state is only looked at for check mode, but for non-check mode, it simply calls ufw and compares output before and after to determine whether something changed.
Files identified in the description:
If these files are incorrect, please update the component name section of the description or use the !component bot command.