iptables: setting chain policy is not idempotent #25153
OS / ENVIRONMENT
Running ansible on MacOS Sierra 12.12.3 (probably irrelevant), and managing Ubuntu 16.04 (kernel: 4.4.0-62-generic)
STEPS TO REPRODUCE
Run the following playbook twice on any host with iptables, substituting the hostname appropriately.
```yaml
---
- hosts: myhost.local
  tasks:
    - name: set output policy to accept
      iptables:
        chain: OUTPUT
        policy: ACCEPT
      become: yes
```
Should report OK at least on the second run.
Trying to fix this, I see in the code that the existence of a rule is checked using
which lets one check if a rule exists in a given table and chain.
As far as I can tell, there is no such option for checking the policy of a given chain.
One way I see is using something like
which returns a list of all rules, including
which could be grepped and cut. All in all, something along the lines of
or perhaps implementing the last step in python.
I'm not sure how brittle this is, and how accepted such bash hacking is in an ansible module though. Would appreciate some feedback on that.
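One way to do the last step in Python rather than with a grep/cut pipeline, as an added example that is not part of the original issue and not the Ansible module's own code: parse the output of `iptables -t TABLE -S`, which prints each built-in chain's policy as a `-P CHAIN POLICY` line in the same stable format that `iptables-save` uses. The example assumes that format, uses a constructed sample listing so it runs offline, and wraps the real `iptables` call (root required) in a hypothetical `ensure_chain_policy` helper that reports `changed` the way an Ansible module would.

```python
"""Idempotent check of an iptables chain policy.

Added example, not code from the Ansible iptables module. It assumes the
`iptables -S` (iptables-save style) output format, in which every built-in
chain is listed as `-P CHAIN POLICY`, e.g. `-P OUTPUT ACCEPT`, and
user-defined chains appear as `-N CHAIN` with no policy at all.
"""
import re
import subprocess
from typing import Dict, Optional

# Policy lines printed by `iptables -S` for built-in chains.
_POLICY_RE = re.compile(r"^-P\s+(\S+)\s+(\S+)\s*$")

# Constructed sample of `iptables -t filter -S` output for offline runs;
# not captured from a real host.
SAMPLE_OUTPUT = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -j RETURN
"""


def parse_chain_policies(listing: str) -> Dict[str, str]:
    """Return {chain: policy} for every built-in chain in `iptables -S` output.

    User-defined chains (-N lines) have no policy and are not included.
    """
    policies: Dict[str, str] = {}
    for line in listing.splitlines():
        m = _POLICY_RE.match(line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def current_policy(listing: str, chain: str) -> Optional[str]:
    """Policy of `chain`, or None if it has none (user-defined or absent)."""
    return parse_chain_policies(listing).get(chain)


def policy_change_needed(listing: str, chain: str, desired: str) -> bool:
    """True when `iptables -P chain desired` would actually change something.

    Raises LookupError for a chain without a policy, because `iptables -P`
    only works on built-in chains; silently reporting "no change" there
    would hide a real error from the user.
    """
    current = current_policy(listing, chain)
    if current is None:
        raise LookupError("chain %r has no policy (not a built-in chain?)" % chain)
    return current != desired.upper()


def ensure_chain_policy(chain: str, desired: str, table: str = "filter",
                        check_mode: bool = False,
                        iptables: str = "iptables") -> bool:
    """Hypothetical module core: set the policy only if it differs.

    Returns the Ansible-style `changed` flag. Needs root and a real iptables
    binary, so it is not exercised by the offline sample above.
    """
    listing = subprocess.run(
        [iptables, "-t", table, "-S"],
        check=True, capture_output=True, text=True,
    ).stdout
    if not policy_change_needed(listing, chain, desired):
        return False          # second run lands here: OK, not changed
    if not check_mode:
        subprocess.run([iptables, "-t", table, "-P", chain, desired.upper()],
                       check=True)
    return True
```

Parsing `-S` output in Python keeps the comparison in one place and makes the table explicit (the policy of `OUTPUT` in `filter` is not the policy of `OUTPUT` in `nat`), which is the kind of subtlety a `grep | cut` pipeline tends to get wrong quietly.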