Also of note: firewall6.rules doesn't exist on any of the hosts I'm running 
this playbook against, so it should be skipping the entire block, but it's 
not.

On Thursday, 11 October 2018 14:14:15 UTC-7, Guy Knights wrote:
>
> I have the following tasks in a block, which I've modified to use the new 
> 'loop' structure:
>
> - name: process ipv6 rules if they exist
>   block:
>     - name: create all ipv6 firewall log statements from 'firewall' variable
>       iptables:
>         ip_version: ipv6
>         comment: "{{ item.0.comment|default(omit) }}"
>         destination: "{{ item.0.destination|default(omit) }}"
>         destination_port: "{{ item.0.destination_port|default(omit) }}"
>         source: "{{ item.1 }}"
>         source_port: "{{ item.0.source_port|default(omit) }}"
>         protocol: "{{ item.0.protocol|default(omit) }}"
>         jump: "LOG"
>         chain: "{{ item.0.chain|default('INPUT') }}"
>         ctstate: "{{ item.0.state|default('NEW') }}"
>         in_interface: "{{ item.0.in_interface|default(omit) }}"
>         out_interface: "{{ item.0.out_interface|default(omit) }}"
>         limit: "3/minute"
>         limit_burst: 10
>         # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
>         state: present
>       when: item.0.log is defined and item.0.log == 'yes'
>       loop: "{{ firewall6.rules|subelements('source') }}"
>       notify:
>         - save ip6tables
>
>     - name: apply ipv6 rules using 'firewall' variable defined in inventory vars
>       iptables:
>         ip_version: ipv6
>         comment: "{{ item.0.comment|default(omit) }}"
>         destination: "{{ item.0.destination|default(omit) }}"
>         destination_port: "{{ item.0.destination_port|default(omit) }}"
>         source: "{{ item.1 }}"
>         source_port: "{{ item.0.source_port|default(omit) }}"
>         protocol: "{{ item.0.protocol|default(omit) }}"
>         jump: "{{ item.0.rule|default('ACCEPT') }}"
>         chain: "{{ item.0.chain|default('INPUT') }}"
>         ctstate: "{{ item.0.state|default(omit) }}"
>         in_interface: "{{ item.0.in_interface|default(omit) }}"
>         out_interface: "{{ item.0.out_interface|default(omit) }}"
>         state: present
>       loop: "{{ firewall6.rules|subelements('source') }}"
>       notify:
>         - save ip6tables
>
>   when: firewall6 is defined and firewall6.rules is defined
>
> When I run this I get the following error:
>
> TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
> fatal: [172.20.0.88]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
> fatal: [172.20.0.77]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
> fatal: [172.20.0.55]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
>
>
> I changed the first task to use 'with_subelements' as follows:
>
>     - name: create all ipv6 firewall log statements from 'firewall' variable
>       iptables:
>         ip_version: ipv6
>         comment: "{{ item.0.comment|default(omit) }}"
>         destination: "{{ item.0.destination|default(omit) }}"
>         destination_port: "{{ item.0.destination_port|default(omit) }}"
>         source: "{{ item.1 }}"
>         source_port: "{{ item.0.source_port|default(omit) }}"
>         protocol: "{{ item.0.protocol|default(omit) }}"
>         jump: "LOG"
>         chain: "{{ item.0.chain|default('INPUT') }}"
>         ctstate: "{{ item.0.state|default('NEW') }}"
>         in_interface: "{{ item.0.in_interface|default(omit) }}"
>         out_interface: "{{ item.0.out_interface|default(omit) }}"
>         limit: "3/minute"
>         limit_burst: 10
>         # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
>         state: present
>       when: item.0.log is defined and item.0.log == 'yes'
>       with_subelements: 
>         - "{{ firewall6.rules }}"
>         - source
>       notify:
>         - save ip6tables
>
> When I re-run the playbook it now skips the task, as intended:
>
> TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
> skipping: [172.20.0.88]
> skipping: [172.20.0.77]
> skipping: [172.20.0.55]
>
> Can anyone tell me why this is happening?
>
> Thanks,
> Guy
>
>
>
