Actually, never mind - I just realised that the problem is the loop that
I've got around each blockinfile task, which will overwrite each item in
the list until it reaches the last one.

On Fri, Jun 23, 2017 at 3:51 PM, Guy Knights <guy.knig...@gmail.com> wrote:

> I have a blockinfile task that sets some lines in /etc/ufw/before.rules,
> and which notifies handler to reload ufw if the task registers a change. I
> was running it on a host and noticed that I had the same prerouting rule
> from before.rules multiple times, so I took a closer look at the task as I
> was running it, and I noticed that it keeps triggering every time it runs.
>
> Here are my tasks that add pre and post routing rules to
> /etc/ufw/before.rules:
>
> - name: set nat and port forwarding start section
>   blockinfile:
>     dest: /etc/ufw/before.rules
>     marker: "# {mark} bbg nat rules"
>     insertbefore: "# Don't delete these required lines, otherwise there will be errors"
>     block: |
>       # NAT table rules
>       *nat
>       :PREROUTING ACCEPT [0:0]
>       :POSTROUTING ACCEPT [0:0]
>   when: firewall.nat is defined or firewall.pf is defined
>   notify:
>     - reload ufw
>
> - name: set individual port forwarding rules if specified
>   blockinfile:
>     dest: /etc/ufw/before.rules
>     insertafter: "# END bbg nat rules"
>     marker: "# {mark} {{ item.desc|default(omit) }}"
>     block: |
>       # Forward port for {{ item.desc }}
>       -A PREROUTING -p tcp --dport {{ item.src_port }} -j REDIRECT --to-port {{ item.dst_port }}
>   with_items: "{{ firewall.pf|default(omit) }}"
>   when: firewall.pf is defined
>   notify:
>     - reload ufw
>
> - name: set individual nat rules if specified
>   blockinfile:
>     dest: /etc/ufw/before.rules
>     insertbefore: "# BEGIN bbg nat rules commit"
>     marker: "# {mark} {{ item.desc|default(omit) }}"
>     block: |
>       # Forward traffic through {{ item.out_in|default("eth0") }} - Change to match your out-interface for {{ item.desc|default(omit) }}
>       -A POSTROUTING -s {{ item.source|default("0.0.0.0/0") }} -d {{ item.dest|default("0.0.0.0/0") }} -o {{ item.out_in|default("eth0") }} -j MASQUERADE
>   with_items: "{{ firewall.nat|default(omit) }}"
>   when: firewall.nat is defined
>   notify:
>     - reload ufw
>
> - name: set nat rules commit if specified
>   blockinfile:
>     dest: /etc/ufw/before.rules
>     marker: "# {mark} bbg nat rules commit"
>     insertbefore: "# Don't delete these required lines, otherwise there will be errors"
>     block: |
>       # don't delete the 'COMMIT' line or these nat table rules won't
>       # be processed
>       COMMIT
>   when: firewall.nat is defined or firewall.pf is defined
>   notify:
>     - reload ufw
>
> The rule that keeps triggering is the 2nd one, set individual port
> forwarding rules if specified.
>
> I can't see that it's changing anything in the file after it initially
> adds the lines, and in fact I did a test and ran a checksum against the
> file before and after running the playbook and the checksum value was the
> same, so it hasn't changed the file in any way.
>
> Can anyone explain why it keeps triggering and running the ufw reload?
>
> Thanks,
> Guy
>

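A loop-free variant that follows the diagnosis in the reply above, added here as an example and not taken from the thread: the whole nat section is rendered by one blockinfile call with a single marker pair, so the firewall.pf and firewall.nat lists (assumed to have the same keys as in the original tasks) are expanded inside the block rather than by looping the task, and the ufw reload handler is notified only when the rendered section actually differs from what is in the file.

```yaml
# Added example, not the original poster's code. One blockinfile task owns the
# entire nat section between a single BEGIN/END marker pair. Re-runs find that
# block by its markers and rewrite it in place, so "changed" (and the ufw
# reload) only fires when the rendered text differs. Ansible templates with
# trim_blocks enabled, so the {% %} lines do not leave empty lines behind.
- name: set ufw nat and port forwarding section
  blockinfile:
    dest: /etc/ufw/before.rules
    marker: "# {mark} bbg nat rules"
    insertbefore: "# Don't delete these required lines, otherwise there will be errors"
    block: |
      # NAT table rules
      *nat
      :PREROUTING ACCEPT [0:0]
      :POSTROUTING ACCEPT [0:0]
      {% for item in firewall.pf|default([]) %}
      # Forward port for {{ item.desc }}
      -A PREROUTING -p tcp --dport {{ item.src_port }} -j REDIRECT --to-port {{ item.dst_port }}
      {% endfor %}
      {% for item in firewall.nat|default([]) %}
      # Forward traffic through {{ item.out_in|default("eth0") }} for {{ item.desc|default("unnamed rule") }}
      -A POSTROUTING -s {{ item.source|default("0.0.0.0/0") }} -d {{ item.dest|default("0.0.0.0/0") }} -o {{ item.out_in|default("eth0") }} -j MASQUERADE
      {% endfor %}
      # don't delete the 'COMMIT' line or these nat table rules won't
      # be processed
      COMMIT
  when: firewall.nat is defined or firewall.pf is defined
  notify:
    - reload ufw
```

Because every rule lives inside the one marker pair, a rule removed from the inventory list disappears from before.rules on the next run instead of lingering as an orphaned block.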