Strange iptables_raw + with_together behaviour


andrew...@jirotech.com

Dec 15, 2016, 12:19:20 PM
to Ansible Project
Hi all

I've come across a quirk when using the 'iptables_raw' module along with the 'with_together' loop.
Logically, I'm inserting three new iptables input rules (for ftp) and giving them a name.
I would expect that with_together would assign a name to a rule in the order that they appear in a list,
e.g. [a, b, c]
       [1, 2, 3]
= a1, b2, c3

# Ansible task
- name: Create iptables rules for ftp access
  iptables_raw:
    name: 'ftp_{{ item.0 }}'
    rules: "{{ item.1 }}"
  with_together:
    - { connection,
        data,
        passive }
    - { '-A INPUT -p tcp --dport 21 -j ACCEPT',
        '-A INPUT -p tcp --dport 20 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT' }

# Result on target machine
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* ansible[ftp_data] */
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21 /* ansible[ftp_connection] */
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20 /* ansible[ftp_passive] */

The expected output is:
port 21                   - connection
port 20                   - data
spts:1024:65535 dpts:1024:65535 - passive

Peculiarly, it doesn't matter what order either list is in, the result is the same.

(Another quirk of the iptables_raw module is that the -A flag inserts at the top of the list 
instead of appending to the end, different to creating a rule from the command line,
where -I is used to insert at the top of the list and -A appends to the end.)

Ansible version 2.2.0.0
ansible host: centos 6.8
target: centos 7.2

Since I'm working with a centos7 box I've gone back to firewalld as a workaround. 

I understand the iptables_raw module isn't widely used and there exists an iptables module.



Kai Stian Olstad

Dec 17, 2016, 3:50:32 AM
to ansible...@googlegroups.com
On 14. des. 2016 06:12, andrew...@jirotech.com wrote:
> Hi all
>
> Ive come across a quirk when using the 'iptables_raw' module along with the
> 'with_together' loop.
> Logically, im inserting three new iptables input rules (for ftp) and giving
> them a name
> I would expect that with_together would assign a name to a rule in the
> order that they appear in a list,

It will when you use a list and not a dictionary as you are using below.
A dictionary is unordered in Python.
You say list but are using {} instead of [], I guess you will get the
correct result when you change to use lists.


--
Kai Stian Olstad
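For reference, here is the task rewritten with real lists, as an added example that is not part of either message above. `{ connection, data, passive }` in YAML flow syntax is a mapping with three keys and null values, not a sequence, so with_together zips whatever key order the dictionary happens to iterate in; `[ ... ]` (or a block sequence) keeps positional order, and item.0 / item.1 then come from the same index. The example assumes only the `name` and `rules` parameters of iptables_raw that the original task already uses, plus the stock set_fact, assert, debug and command modules; the assert guards the edge case where the two lists differ in length, since with_together pads the shorter one with None (which would otherwise produce a rule named ftp_None or a null rule).

```yaml
# Added example, not code from the original post. Names and rules live in two
# ordinary YAML sequences so that index N of one always pairs with index N of
# the other.
- name: Define ftp rule names and rules (same index = same rule)
  set_fact:
    ftp_rule_names:
      - connection
      - data
      - passive
    ftp_rules:
      - '-A INPUT -p tcp --dport 21 -j ACCEPT'
      - '-A INPUT -p tcp --dport 20 -j ACCEPT'
      - '-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT'

# with_together pads the shorter list with None; fail early instead of
# creating a mis-named or empty rule.
- name: Refuse to run with mismatched name/rule lists
  assert:
    that:
      - ftp_rule_names | length == ftp_rules | length
    msg: "ftp_rule_names and ftp_rules must have the same number of entries"

# Show the pairing before touching the firewall; running the play with
# --check keeps it at this step.
- name: Show the name/rule pairing
  debug:
    msg: "ftp_{{ item.0 }} -> {{ item.1 }}"
  with_together:
    - "{{ ftp_rule_names }}"
    - "{{ ftp_rules }}"

- name: Create iptables rules for ftp access
  iptables_raw:
    name: "ftp_{{ item.0 }}"
    rules: "{{ item.1 }}"
  with_together:
    - "{{ ftp_rule_names }}"
    - "{{ ftp_rules }}"

# Read back the chain so the resulting order and comments can be inspected.
- name: Read back the INPUT chain
  command: iptables -L INPUT -n --line-numbers
  register: input_chain
  changed_when: false

- name: Print the INPUT chain
  debug:
    var: input_chain.stdout_lines
```

The debug task before the iptables_raw task is the quickest way to confirm the pairing on a fresh control host: if it prints ftp_connection next to the port 21 rule, the loop is doing what the original post expected. The comment in the read-back output (`/* ansible[ftp_connection] */`) is what iptables_raw uses to recognise the rule on later runs, so the name is worth checking there as well.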