iptables_state restore not working when restoring rules
Summary
If I have an existing iptables ruleset, e.g.:
# Generated by iptables-save v1.8.7 on Tue Oct 31 03:58:35 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Oct 31 03:58:35 2023
# Generated by iptables-save v1.8.7 on Tue Oct 31 03:58:35 2023
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [151:17304]
:POSTROUTING ACCEPT [151:17304]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Then, if I modify it to the following and try to restore it:
# Generated by iptables-save v1.8.7 on Tue Oct 31 03:58:35 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Oct 31 03:58:35 2023
# Generated by iptables-save v1.8.7 on Tue Oct 31 03:58:35 2023
iptables_state will detect that there is a change:
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /etc/test/rules
    noflush: no
  async: "{{ ansible_check_mode | ternary(0, ansible_timeout) }}" # https://www.linder.org/?p=283 async & check
  poll: 0
  # check_mode: yes
  tags:
    - firewall
When run in --check mode:
"initial_state": [
    "# Generated by iptables-save v1.8.7",
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FORWARD DROP [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT",
    "COMMIT",
    "# Completed",
    "# Generated by iptables-save v1.8.7",
    "*nat",
    ":PREROUTING ACCEPT [0:0]",
    ":INPUT ACCEPT [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    ":POSTROUTING ACCEPT [0:0]",
    "-A POSTROUTING -o eth0 -j MASQUERADE",
    "COMMIT",
    "# Completed"
],
"restored": [
    "# Generated by iptables-save v1.8.7",
    "*filter",
    ":INPUT ACCEPT [0:0]",
    ":FORWARD DROP [0:0]",
    ":OUTPUT ACCEPT [0:0]",
    "-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT",
    "COMMIT",
    "# Completed"
],
"tables": {
    "filter": [
        ":INPUT ACCEPT",
        ":FORWARD DROP",
        ":OUTPUT ACCEPT",
        "-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT",
        "-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT"
    ],
    "nat": [
        ":PREROUTING ACCEPT",
        ":INPUT ACCEPT",
        ":OUTPUT ACCEPT",
        ":POSTROUTING ACCEPT",
        "-A POSTROUTING -o eth0 -j MASQUERADE"
    ]
}
}
However, when run without check mode, no changes are made, and the NAT rules still exist when I run iptables-save.
Issue Type
Bug Report
Component Name
community.general iptables_state
Ansible Version
$ ansible --version
ansible [core 2.15.5]
config file = /home/test/ansible/ansible.cfg
configured module search path = ['/home/test/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
ansible collection location = /etc/ansible/collections
executable location = /usr/bin/ansible
python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
jinja version = 3.0.3
libyaml = True
Community.general Version
$ ansible-galaxy collection list community.general
# /etc/ansible/collections/ansible_collections
Collection Version
----------------- -------
community.general 8.0.0
Configuration
$ ansible-config dump --only-changed
OS / Environment
No response
Steps to Reproduce
- name: restore firewall state from a file
  community.general.iptables_state:
    state: restored
    path: /etc/test/rules
    noflush: no
  async: "{{ ansible_check_mode | ternary(0, ansible_timeout) }}" # https://www.linder.org/?p=283 async & check
  poll: 0
  # check_mode: yes
  tags:
    - firewall
Expected Results
iptables nat table removed
Actual Results
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
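The following is an added example, not code from the report above or from community.general. It parses two iptables-save dumps into the per-table shape the module's `tables` return value uses, lists the tables that are loaded on the host but absent from the restore file, and appends an empty definition for each of them. The behaviour it relies on is iptables-restore's own: it only (re)writes tables that appear in its input, so a restore file with no `*nat` section leaves the nat table, MASQUERADE rule included, exactly as it was, whatever `noflush` is set to. Both dumps below are constructed samples that mirror the rulesets in the report; the function and variable names are the example's own.

```python
"""Added example (not from the issue or from community.general).

Given the current `iptables-save` output and a restore file, report which
tables the restore would leave untouched and build a file that clears them
by including an empty block per table, which is what iptables-restore needs.
"""
import re
from typing import Dict, List

# Constructed sample: what `iptables-save` prints on the host right now.
CURRENT_STATE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [151:17304]
:POSTROUTING ACCEPT [151:17304]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample: the edited restore file with the *nat block deleted
# instead of emptied.
RESTORE_FILE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

# "[packets:bytes]" counters at the end of a policy line change on every
# save and must not be treated as a rule difference.
COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")


def parse_tables(dump: str) -> Dict[str, List[str]]:
    """Return {table: [chain policy lines and rules, counters stripped]}."""
    tables: Dict[str, List[str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # iptables-save comment lines
        if line.startswith("*"):
            current = line[1:]            # "*nat" opens the nat table
            tables[current] = []
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"line outside of a table block: {line!r}")
        else:
            tables[current].append(COUNTER_RE.sub("", line))
    return tables


def untouched_tables(current: str, restore: str) -> List[str]:
    """Tables loaded on the host that the restore file never mentions;
    iptables-restore leaves these as they are, with or without --noflush."""
    return sorted(set(parse_tables(current)) - set(parse_tables(restore)))


def changed_tables(current: str, restore: str) -> List[str]:
    """Tables present in both dumps whose rules differ (ignoring counters)."""
    cur, new = parse_tables(current), parse_tables(restore)
    return sorted(t for t in cur if t in new and cur[t] != new[t])


def empty_table_section(table: str, current_lines: List[str]) -> str:
    """Render a table block holding only its built-in chains and no rules.

    Built-in chains carry a real policy (ACCEPT/DROP); user-defined chains
    show "-" and are left out, so loading this block flushes every rule and
    removes custom chains. Policies are kept as found on the host so that
    clearing a table never silently opens it.
    """
    chains = [ln for ln in current_lines
              if ln.startswith(":") and ln.split()[1] != "-"]
    body = "\n".join(f"{c} [0:0]" for c in chains)
    return f"*{table}\n{body}\nCOMMIT\n"


def clearing_restore_file(current: str, restore: str) -> str:
    """Restore file plus an empty block for each table it would otherwise
    leave untouched, so that iptables-restore really clears those tables."""
    cur = parse_tables(current)
    extra = "".join(empty_table_section(t, cur[t])
                    for t in untouched_tables(current, restore))
    return restore if not extra else restore.rstrip("\n") + "\n" + extra


if __name__ == "__main__":
    print("left untouched by restore:", untouched_tables(CURRENT_STATE, RESTORE_FILE))
    print(clearing_restore_file(CURRENT_STATE, RESTORE_FILE))
```

Run against the two samples, `untouched_tables` reports `['nat']`, which is the gap between the check-mode diff (it compares whole dumps, so a missing table shows up as a change) and what iptables-restore actually does with the file. Feeding the output of `clearing_restore_file` to the same `iptables_state` task, or to `iptables-restore` directly, is what removes the MASQUERADE rule.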