Bug in iptables module?


Joshua J. Kugler

Mar 18, 2016, 5:07:49 PM
to Ansible Project
I'm trying to use the iptables module, and I *think* I'm hitting a bug. Wanted
a sanity check before I open a bug report. This is Ansible 2.0.0.2. The action
looks like this:

- name: Update IPtables rules
  iptables:
    chain: INPUT
    match: state
    ctstate: NEW,RELATED,ESTABLISHED
    destination_port: 6556
    protocol: tcp
    jump: ACCEPT

It's failing with this:

fatal: [ubuntu:]: FAILED! => {
    "changed": false,
    "cmd": "\/sbin\/iptables -t filter -A INPUT -p tcp -m state -j ACCEPT --destination-port 6556 -m state --state NEW,RELATED,ESTABLISHED",
    "failed": true,
    "msg": "iptables v1.4.21: state: option \"--state\" must be specified\n\nTry `iptables -h' or 'iptables --help' for more information.",
    "rc": 2,
    "stderr": "iptables v1.4.21: state: option \"--state\" must be specified\n\nTry `iptables -h' or 'iptables --help' for more information.\n",
    "stdout": "",
    "stdout_lines": []
}

The command it's trying to run is this:

    -t filter -A INPUT -p tcp -m state -j ACCEPT --destination-port 6556 -m state --state NEW,RELATED,ESTABLISHED

Notice how it puts an '-m state' before the '-j ACCEPT' and then it does the
'-m state --state ...' properly later.

Bug? Or something I'm missing?

j



--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: peda...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

Dejay Clayton

Mar 20, 2016, 1:41:39 AM
to Ansible Project
Looks like a bug to me.

Martin Terp Jensen

Mar 20, 2016, 3:49:47 PM
to ansible...@googlegroups.com
I believe you need to use "match: conntrack" instead of "match: state" when using ctstate

On Sun, Mar 20, 2016 at 6:41 AM, Dejay Clayton <dejay....@gmail.com> wrote:
Looks like a bug to me.


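As an added example (not part of the original thread and not Ansible's own code): a small check that scans a generated iptables command line for a '-m state' load that never receives '--state', which is the condition the error in the first post reports. The function name, the REQUIRED table and the simplified segment model are assumptions made for illustration.

```python
import shlex

# Required option per match module. Only "state" is listed, because its
# requirement is what the iptables error quoted in the thread reports.
REQUIRED = {"state": "--state"}
MATCH_FLAGS = ("-m", "--match")

# Command taken from the "cmd" field in the thread (JSON escapes removed).
FAILING = ("/sbin/iptables -t filter -A INPUT -p tcp -m state -j ACCEPT "
           "--destination-port 6556 -m state --state NEW,RELATED,ESTABLISHED")
# Constructed for comparison: a single -m state that does get --state.
WELL_FORMED = ("/sbin/iptables -t filter -A INPUT -p tcp "
               "--destination-port 6556 "
               "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT")


def incomplete_matches(cmd, required=REQUIRED):
    """Return (token_index, module) for each -m load lacking its option.

    Simplified model (assumption): the options of one -m instance are the
    tokens between it and the next -m that loads the same module.
    """
    tokens = shlex.split(cmd)
    # Position and module name of every "-m NAME" pair.
    loads = [(i, tokens[i + 1]) for i, tok in enumerate(tokens[:-1])
             if tok in MATCH_FLAGS]
    problems = []
    for n, (pos, name) in enumerate(loads):
        needed = required.get(name)
        if needed is None:
            continue  # no known requirement for this module
        # The segment ends at the next load of the same module, if any.
        end = next((p for p, other in loads[n + 1:] if other == name),
                   len(tokens))
        # Accept both "--state X" and "--state=X" spellings.
        seen = {tok.split("=", 1)[0] for tok in tokens[pos + 2:end]}
        if needed not in seen:
            problems.append((pos, name))
    return problems


if __name__ == "__main__":
    for label, cmd in (("failing", FAILING), ("well-formed", WELL_FORMED)):
        print(label, incomplete_matches(cmd))
```

Run against the "cmd" string from a failed task, it points at the token index of the first '-m state', the one placed before '-j ACCEPT'.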