community.general
ufw: changing policy ignores state
Summary
A policy change is executed even if the same policy is set, causing delays and disconnects.
Issue Type
Bug Report
Component Name
ufw
Ansible Version
ansible 2.10.5
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/florian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/florian/py_venv/lib/python3.6/site-packages/ansible
executable location = /home/florian/py_venv/bin/ansible
python version = 3.6.9 (default, Oct 8 2020, 12:12:24) [GCC 8.4.0]
2.9.13 is also affected
Configuration
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=5m
DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['timer', 'profile_tasks', 'profile_roles']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 20
OS / Environment
Source: Ubuntu 18.04; Target: Debian 10.8, Ubuntu 18.04/20.04
Steps To Reproduce
---
- name: ufw test
  hosts: all
  remote_user: test
  strategy: linear
  tasks:
    - name: Configure ufw defaults
      ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      with_items:
        - { direction: 'incoming', policy: 'deny' }
        - { direction: 'outgoing', policy: 'allow' }
      become: true
Expected Results
Nothing happens, since the state before is this:
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
Actual Results
Here are the commands that are used for a policy change.
"/usr/sbin/ufw status verbose",
"/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules",
"/usr/sbin/ufw default allow outgoing",
"/usr/sbin/ufw status verbose",
"/usr/bin/grep -h '^### tuple' /lib/ufw/user.rules /lib/ufw/user6.rules /etc/ufw/user.rules /etc/ufw/user6.rules /var/lib/ufw/user.rules /var/lib/ufw/user6.rules"
The "/usr/sbin/ufw default allow outgoing" causes ufw - I think - to drop all or some connections.
Changing the policy takes about 6 seconds, and it takes Ansible a lot of time to reconnect. If I have a lot of hosts in my list, some of them are failing this task with a disconnect.
Files identified in the description:
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
cc @ahtik @ovcharenko @pyykkis
From the code, it looks like the current state is only looked at for check mode, but for non-check mode, it simply calls ufw and compares output before and after to determine whether something changed.
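An idempotency guard of the kind the comment above describes as missing outside check mode, as an added example that is not the module's own code: parse the `Default:` line of `ufw status verbose` and only plan the `ufw default <policy> <direction>` call when the requested policy differs from the current one, so an already-matching policy never triggers the disruptive reload. The sample status text is constructed from the output quoted in the report; the function names are hypothetical.

```python
import re

# Constructed sample: the "ufw status verbose" output quoted in the report.
SAMPLE_STATUS = """Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
"""

# Matches each "<policy> (<direction>)" entry on the "Default:" line,
# e.g. "deny (incoming)" -> ("deny", "incoming").
_DEFAULT_RE = re.compile(r"(\w+)\s+\((incoming|outgoing|routed)\)")


def parse_default_policies(status_output):
    """Return {direction: policy} from the Default: line of `ufw status verbose`.

    Raises ValueError when the line is absent (e.g. "Status: inactive"), so a
    caller never mistakes an unreadable status for "already configured" and
    silently skips a change that is actually needed.
    """
    for line in status_output.splitlines():
        if line.startswith("Default:"):
            return dict((d, p) for p, d in _DEFAULT_RE.findall(line))
    raise ValueError("no 'Default:' line in ufw status output")


def plan_policy_change(status_output, direction, policy, ufw_bin="/usr/sbin/ufw"):
    """Decide whether `ufw default <policy> <direction>` has to run.

    Returns (changed, command); command is None when the current default
    already matches, which is exactly the case the report shows being
    executed anyway (the "ufw default allow outgoing" call on an
    already-"allow (outgoing)" host).
    """
    if direction not in ("incoming", "outgoing", "routed"):
        raise ValueError("unknown direction: %s" % direction)
    current = parse_default_policies(status_output).get(direction)
    if current == policy:
        return False, None
    return True, [ufw_bin, "default", policy, direction]


def plan_all(status_output, items):
    """Plan the playbook's with_items loop; returns only the commands that change state."""
    commands = []
    for item in items:
        changed, cmd = plan_policy_change(status_output, item["direction"], item["policy"])
        if changed:
            commands.append(cmd)
    return commands
```

With the report's two loop items against the quoted status, `plan_all` returns an empty list, i.e. no `ufw default` call and no connection drop.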
Files identified in the description:
If these files are incorrect, please update the component name section of the description or use the !component bot command.