Possible bug in iptables module


Juan Pablo Genovese

Feb 15, 2017, 7:19:07 AM
to Ansible Project
Hello everybody!

I'm having problems with the iptables module trying to execute this task:

    - iptables:
        chain: INPUT
        match: conntrack
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

This leads to this error:

TASK [iptables] ****************************************************************
fatal: [default]: FAILED! => {"changed": false, "cmd": "/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED", "failed": true, "msg": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.\n", "stdout": "", "stdout_lines": []}

Did anyone hit this issue and have a solution? If not I can submit a bug report.

Thank you!

Nehal J Wani

Feb 15, 2017, 8:02:55 AM
to ansible...@googlegroups.com
Seems like a bug to me.

Technically, the conntrack match supersedes - and so obsoletes - the
state match. But practically the state match is not obsoleted in any
way.

The ansible iptables module is doing:

/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED

So, there is no argument passed to the conntrack match. Ideally, it
should have been:

/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstate ESTABLISHED,RELATED

For now it seems that you can get around this problem by
removing/commenting 'match: conntrack' and then the module will
produce:

/sbin/iptables -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

--
Nehal J Wani
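The shape of the problem described above, as an added illustration that is not the Ansible module's own code: a hypothetical builder that emits every `-m` match together with the option that belongs to it (so `conntrack` never ends up bare), plus a small checker that flags the malformed command quoted in the post. Only the `conntrack` and `state` matches from the thread are modelled.

```python
import shlex

# Match modules discussed in the thread and the task parameter that supplies
# each one's option. Added illustration, not the Ansible module's own code.
MATCH_OPTIONS = {
    "conntrack": ("ctstate", "--ctstate"),
    "state": ("state", "--state"),
}


def build_rule(chain, jump, match=None, table="filter", **params):
    """Build the argv of an append rule from task-style parameters.

    Hypothetical builder: every '-m NAME' is emitted together with its
    option, and a match that would end up without one is rejected here
    instead of failing inside iptables at run time.
    """
    argv = ["/sbin/iptables", "-t", table, "-A", chain]
    matches = [match] if isinstance(match, str) else list(match or [])
    # ctstate only exists in the conntrack match, so load it if it is missing
    if params.get("ctstate") and "conntrack" not in matches:
        matches.append("conntrack")
    for name in matches:
        key, flag = MATCH_OPTIONS.get(name, (None, None))
        if not params.get(key):
            raise ValueError(f"{name}: At least one option is required")
        argv += ["-m", name, flag, params[key]]
    argv += ["-j", jump]
    return argv


def bare_matches(cmd):
    """Names of matches loaded with '-m' that never received an option.

    Option ownership is approximated as 'the most recently loaded match',
    which is enough to flag the command the module produced in the post.
    """
    argv = shlex.split(cmd)
    bare, current, has_opt = [], None, False
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-m":
            if current and not has_opt:
                bare.append(current)
            current, has_opt = argv[i + 1], False
        elif tok.startswith("--") and current:
            has_opt = True
        i += 2  # every token handled here is a flag followed by one value
    if current and not has_opt:
        bare.append(current)
    return bare
```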

Juan Pablo Genovese

Feb 15, 2017, 9:53:19 AM
to Ansible Project
Right!

Ok, so I just filed an issue in the Ansible repo: https://github.com/ansible/ansible/issues/21467

Thanks for the feedback, Nehal!