Blockinfile triggers every run

[Guy Knights]

I have a blockinfile task that sets some lines in /etc/ufw/before.rules, and which notifies handler to reload ufw if the task registers a change. I was running it on a host and noticed that I had the same prerouting rule from before.rules multiple times, so I took a closer look at the task as I was running it, and I noticed that it keeps triggering every time it runs.

Here are mytasks the add pre and post routing rules to /etc/ufw/before.rules:

- name: set nat and port forwarding start section

  blockinfile:

    dest: /etc/ufw/before.rules

    marker: "# {mark} bbg nat rules"

    insertbefore: "# Don't delete these required lines, otherwise there will be errors"

    block: |

      # NAT table rules

      *nat

      :PREROUTING ACCEPT [0:0]

      :POSTROUTING ACCEPT [0:0]

  when: firewall.nat is defined or firewall.pf is defined

  notify:

    - reload ufw

- name: set individual port forwarding rules if specified

  blockinfile:

    dest: /etc/ufw/before.rules

    insertafter: "# END bbg nat rules"

    marker: "# {mark} {{ item.desc|default(omit) }}"

    block: |

      # Forward port for {{ item.desc }}

      -A PREROUTING -p tcp --dport {{ item.src_port }} -j REDIRECT --to-port {{ item.dst_port }}

  with_items: "{{ firewall.pf|default(omit) }}"

  when: firewall.pf is defined

  notify:

    - reload ufw

- name: set individual nat rules if specified

  blockinfile:

    dest: /etc/ufw/before.rules

    insertbefore: "# BEGIN bbg nat rules commit"

    marker: "# {mark} {{ item.desc|default(omit) }}"

    block: |

      # Forward traffic through {{ item.out_in|default(eth0) }} - Change to match you out-interface for {{ item.desc|default(omit) }}

      -A POSTROUTING -s {{ item.source|default("0.0.0.0/0") }} -d {{ item.dest|default("0.0.0.0/0") }} -o {{ item.out_in|default(eth0) }} -j MASQUERADE

  with_items: "{{ firewall.nat|default(omit) }}"

  when: firewall.nat is defined

  notify:

    - reload ufw

- name: set nat rules commit if specified

  blockinfile:

    dest: /etc/ufw/before.rules

    marker: "# {mark} bbg nat rules commit"

    insertbefore: "# Don't delete these required lines, otherwise there will be errors"

    block: |

      # don't delete the 'COMMIT' line or these nat table rules won't

      # be processed

      COMMIT

  when: firewall.nat is defined or firewall.pf is defined

  notify:

    - reload ufw

The rule that keeps triggering is the 2nd one, set individual port forwarding rules if specified.

I can't see that it's changing anything in the file after it initially adds the lines, and in fact I did a test and ran a checksum against the file before and after running the playbook and the checksum value was the same, so it hasn't changed the file in any way.

Can anyone explain why it keeps triggering and running the ufw reload?

Thanks,

Guy

[Guy Knights]

Actually, never mind - I just realised that the problem is the loop that I've got around each blockinfile task, which will overwrite each item in the list until it reaches the last one.