
iptables module invokes match with single quotes #23073

Closed
dev00 opened this issue Mar 29, 2017 · 21 comments
Labels
affects_2.2 This issue/PR affects Ansible v2.2 bot_closed bug This issue/PR relates to a bug. feature This issue/PR relates to a feature request. module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team. system System category

Comments

@dev00

dev00 commented Mar 29, 2017

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

iptables

ANSIBLE VERSION
ansible 2.2.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
CONFIGURATION

none

OS / ENVIRONMENT

Ubuntu 16.04

SUMMARY

Using the iptables module with the match parameter puts the match entry in single quotes, which results in failures when using it with tools like ipset.

STEPS TO REPRODUCE
- name: this fails
  become: true
  hosts: localhost
  tasks:
    - name: Install needed tools to make iptables rules permanent
      apt:
        name: "ipset"
        state: latest
        cache_valid_time: 3600

    - name: download list of chinese IP
      get_url:
        url: http://www.ipdeny.com/ipblocks/data/countries/cn.zone
        dest: /tmp/cn.zone

    - name: destroy all sets for ipset
      shell: ipset destroy

    - name: create net ipset for china
      shell: ipset -N china hash:net

    # reads the file downloaded to /tmp/cn.zone above
    - name: Add each IP address from the downloaded list into the ipset 'china'
      shell: for i in $(cat /tmp/cn.zone); do ipset -A china $i; done

    - name: block china via iptables
      iptables:
        table: filter
        chain: INPUT
        protocol: tcp
        match: set --match-set china src
        jump: DROP
EXPECTED RESULTS

It should be invoked like:

iptables -t filter -A INPUT -p tcp -m set --match-set china src -j DROP
ACTUAL RESULTS

It fails because Ansible invokes it in a way that cannot work:

iptables -t filter -A INPUT -p tcp -m 'set --match-set china src' -j DROP

Output

TASK [jumphost : block china via iptables] *************************************
fatal: [jumphost]: FAILED! => {"changed": false, "cmd": "/sbin/iptables -t filter -A INPUT -p tcp -m 'set --match-set china src' -j DROP", "failed": true, "msg": "iptables v1.6.0: Couldn't load match `set --match-set china src':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.6.0: Couldn't load match `set --match-set china src':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.\n", "stdout": "", "stdout_lines": []}
@ansibot
Contributor

ansibot commented Mar 29, 2017

cc @LinusU

@ansibot ansibot added affects_2.2 This issue/PR affects Ansible v2.2 bug_report module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. labels Mar 29, 2017
@Qalthos Qalthos removed the needs_triage Needs a first human triage before being processed. label Mar 30, 2017
@LinusU
Contributor

LinusU commented Mar 30, 2017

I think that the quoting is the right thing to do here. How about adding a matchSet option?

@ansibot ansibot added the support:core This issue/PR relates to code supported by the Ansible Engineering Team. label Jun 29, 2017
@ansibot
Contributor

ansibot commented Nov 4, 2017

@sebastiendarocha
Contributor

Hello @dev00

Could you replace the "ISSUE TYPE" in the initial comment with "Feature Idea" instead of "Bug Report"?

Thank you

@dev00
Author

dev00 commented Nov 10, 2017

@sebastiendarocha Done. Maybe we should add some information to the docs regarding working with ipset?

@ansibot ansibot added bug This issue/PR relates to a bug. feature This issue/PR relates to a feature request. and removed bug_report labels Mar 1, 2018
@BarbzYHOOL

BarbzYHOOL commented Aug 15, 2018

Could we instead have an "extra_args" parameter to deal with these special cases? I also have another special case that is not the same. There was already another case solved previously. Seems like it will be endless.

Like this:

  - name: block china via iptables
    iptables:
      table: filter
      chain: INPUT
      protocol: tcp
      match: set
      jump: DROP
      extra_args:
        zone: 1
        match-set: china src

It would add "--zone 1" and "--match-set china src" to the command.

@kladiv

kladiv commented Oct 5, 2018

+1

@ansibot ansibot added the system System category label Feb 17, 2019
@BarbzYHOOL

Still need to run the commands manually

@Akasurde
Member

Akasurde commented Mar 8, 2019

@LinusU What do you think about extra_args as suggested by @BarbzYHOOL ?

cc @amolkahat

@kyz3

kyz3 commented Mar 13, 2019

Same issue but a different error on my side. When using the match option, iptables throws an error because the match name is too long:

failed: [ansible-host5] (item=9090) => {"changed": false, "cmd": "/sbin/iptables -t filter -I DOCKER-USER -m 'conntrack --ctstate NEW --ctorigdstport 9090' -j DROP -m comment --comment 'Discard packets on unwanted port'", "item": "9090", "msg": "iptables v1.6.2: Invalid match name \"conntrack --ctstate NEW --ctorigdstport 9090\" (28 chars max)\nTry 'iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.6.2: Invalid match name \"conntrack --ctstate NEW --ctorigdstport 9090\" (28 chars max)\nTry 'iptables -h' or 'iptables --help' for more information.\n", "stderr_lines": ["iptables v1.6.2: Invalid match name \"conntrack --ctstate NEW --ctorigdstport 9090\" (28 chars max)", "Try iptables -h' or 'iptables --help' for more information."], "stdout": "", "stdout_lines": []}

This error can be recreated on the machine by just typing the command invoked by Ansible, and it instantly works as expected as soon as the single quotes are removed from the command.

@zestysoft

iptables table="nat" chain="POSTROUTING" protocol="udp" destination_port="123" match="mark --mark 0x1" jump="MASQUERADE" comment="Test"

"cmd": "/sbin/iptables -t nat -A POSTROUTING -p udp -m 'mark --mark 0x1' -j MASQUERADE --destination-port 123 -m comment --comment Test", 
"msg": "iptables v1.6.1: Couldn't load match `mark --mark 0x1':No such file or directory\n\nTry `iptables -h' or 'iptables --help' for more information.", 

The single quotes cause iptables to consume the entire string as the name of a module, and thus it fails to dynamically load the module when executed. Also note that one can have multiple -m parameters since there are multiple modules, so I'm not sure how extra_args would work in this case.

@scomoletti

I think that the quoting is the right thing to do here. How about adding a matchSet option?

Quotes are invalid syntax for the iptables command.

Is there any progress on a fix for this?

@LinusU
Contributor

LinusU commented Nov 8, 2019

I think that the extra_args is a good idea 👍

@scomoletti

Why extra args? Just treat match as a list and get rid of the quotes. iptables allows multiple match arguments. Additionally, by getting rid of the quotes you benefit other options like jump, which will break if you try things like tproxy with it right now. Just eliminating the quotes alone would fix a lot.
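
Added example (not part of any comment in this thread, and not the Ansible iptables module's own code): it models how a module assembles a subprocess argv list when `match` is one string versus a list of match modules with their own options, shows how shell-quoting that list for the logged `cmd` produces the single quotes seen in the reports, and flags `-m` operands that can never be a valid match name. The `/sbin/iptables` path and the shape of the `matches` list are assumptions.

```python
import shlex

# Constructed example, not the Ansible iptables module's own code. It models
# how a module builds an argv list for subprocess (no shell involved), so the
# failure reported in this issue can be seen without running iptables.
# The /sbin/iptables path and the shape of the `matches` list are assumptions.

IPTABLES = "/sbin/iptables"

def build_argv_current(table, chain, protocol, match, jump):
    """Current behaviour: the whole `match` string is ONE argv element."""
    argv = [IPTABLES, "-t", table, "-A", chain]
    if protocol:
        argv += ["-p", protocol]
    if match:
        argv += ["-m", match]  # iptables reads this element as the match NAME
    argv += ["-j", jump]
    return argv

def build_argv_proposed(table, chain, protocol, matches, jump):
    """Proposed behaviour: `matches` is a list of {"name": ..., "args": [...]};
    each entry yields its own -m plus separately tokenised options."""
    argv = [IPTABLES, "-t", table, "-A", chain]
    if protocol:
        argv += ["-p", protocol]
    for m in matches:
        argv += ["-m", m["name"]] + list(m.get("args", []))
    argv += ["-j", jump]
    return argv

def bad_match_names(argv):
    """Return every -m operand that cannot be a match module name: it contains
    whitespace, or exceeds the 28-character limit iptables reports above."""
    bad = []
    for i, tok in enumerate(argv[:-1]):
        if tok == "-m":
            name = argv[i + 1]
            if any(c.isspace() for c in name) or len(name) > 28:
                bad.append(name)
    return bad

def logged_cmd(argv):
    """How Ansible renders an argv list in its "cmd" field: each element is
    shell-quoted, which is where the single quotes in the reports come from."""
    return " ".join(shlex.quote(a) for a in argv)

if __name__ == "__main__":
    cur = build_argv_current("filter", "INPUT", "tcp", "set --match-set china src", "DROP")
    print(logged_cmd(cur), "->", bad_match_names(cur))
    new = build_argv_proposed("filter", "INPUT", "tcp",
                              [{"name": "set", "args": ["--match-set", "china", "src"]}], "DROP")
    print(logged_cmd(new), "->", bad_match_names(new))
```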

@paulramsey

+1

@smiller171
Contributor

@paulramsey it's generally better to add a 👍 to the first comment and hit the subscribe button in the sidebar so you can vote for an issue and subscribe to future notifications on that issue without spamming everyone who's already subscribed.

@jfdona23

Is there any news about this issue?
Did anyone find a workaround to remove the quotes? In the meantime I'm trying to figure out inside the module code when the quotes are being written. 🤔

@ghost

ghost commented Apr 8, 2021

I am waiting for this feature to be done too. I need to load multiple matches and their respective args.

@bcoca
Member

bcoca commented May 4, 2022

extra_args causes all sorts of issues; a matchset solution seems much better, but neither is something the core team is going to address in the near future. We will review any contributions that add it.

waiting_on_contributor

@ansibot ansibot added the waiting_on_contributor This would be accepted but there are no plans to actively work on it. label May 12, 2022
@bendem

bendem commented Feb 17, 2023

Just would like to point out, in case this gets added, that we already have two names for this: the pip module uses extra_args as a string, while unarchive uses extra_opts as a list.

@ansibot
Contributor

ansibot commented May 16, 2023

Thank you very much for your submission to Ansible. It means a lot to us that you've taken time to contribute.

Unfortunately, this issue has been open for some time while waiting for a contributor to take it up but there does not seem to have been anyone that did so. So we are going to close this issue to clear up the queues and make it easier for contributors to browse possible implementation targets.

However, we're absolutely always up for discussion. Because this project is very active, we're unlikely to see comments made on closed tickets and we lock them after some time. If you or anyone else has any further questions, please let us know by using any of the communication methods listed in the page below:

In the future, sometimes starting a discussion on the development list prior to proposing or implementing a feature can make getting things included a little easier, but it's not always necessary.

Thank you once again for this and your interest in Ansible!


@ansibot ansibot added bot_closed and removed waiting_on_contributor This would be accepted but there are no plans to actively work on it. labels May 16, 2023
@ansibot ansibot closed this as completed May 16, 2023
@ansible ansible locked and limited conversation to collaborators May 23, 2023