The module saves a complete state in /etc/ansible-iptables and we do locking, so it doesn't matter that much if someone fiddles around with the active iptables rules or if they change the /etc/sysconfig/iptables file, since the first time this module is called the whole state is recreated from the state file and all rules are restored (and if keep_unmanaged=no all unmanaged/foreign rules are dropped as well).

Of course if someone deletes the state file in /etc/ansible-iptables you would lose all your rules until you run all iptables_raw tasks, but you shouldn't need to touch that directory ever.

On Thursday, July 7, 2016 at 6:20:57 PM UTC+2, Jason DeTiberus wrote:
>
> On Thu, Jul 7, 2016 at 6:44 AM, Strahinja Kustudić <[email protected]> wrote:
> > We wrote a new module called iptables_raw (docs) to make it easy to manage
> > iptables. The module has the following features:
> >
> > use iptables syntax to define rules
> > keep iptables state
> > order rules by weight
> > support different iptables tables (filter, nat, raw,...)
> > management of unmanaged rules
> > ip6tables
> > safe flushing of table rules
> >
> > I wrote a blog post which explains how we use this module and how we manage
> > iptables with it. Give it a read, try the module and tell us what you think,
> > feedback would be much appreciated.
>
> Kudos on saving the state and providing locking around that state. As
> long as you can ensure that this module is the only thing manipulating
> iptables on the hosts you are managing, then there should be no
> issues. In the project I work on, we don't have that guarantee, so we
> work around it by adding a chain to minimize the possibility of
> conflicts with other services managing iptables. It doesn't completely
> solve the issue, but it has improved reliability in practice.
>
> --
> Jason DeTiberus
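The state-file reconciliation described in the post, as an added example that is not code from the iptables_raw module or the ansible-iptables project: the saved state is the source of truth, managed rules are reapplied in weight order no matter what was changed on the host, and foreign rules are kept or dropped according to keep_unmanaged. The state layout (`{table: [[weight, rule], ...]}`), the sample rules, the lock-file scheme and the placement of kept foreign rules after the managed ones are assumptions of this example; it only computes the rule list that would be applied and never calls iptables.

```python
"""Model of a state-file-driven iptables reconciliation with locking.

Added example, not code from iptables_raw. Assumed state layout:
{table: [[weight, rule], ...]}. Live rules are given as the "-A ..." lines
iptables-save prints. All sample data below is constructed.
"""
import json
import os
import tempfile
from contextlib import contextmanager

# Constructed state file contents: every managed rule carries a weight so the
# module can always rebuild the table in the same order.
SAVED_STATE = {
    "filter": [
        [10, "-A INPUT -i lo -j ACCEPT"],
        [20, "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"],
        [30, "-A INPUT -p tcp --dport 22 -j ACCEPT"],
        [90, "-A INPUT -j DROP"],
    ],
}

# Constructed live rule set: the SSH rule was deleted by hand and a foreign
# rule that no playbook defined was inserted before the final DROP.
LIVE_RULES = {
    "filter": [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -p tcp --dport 8080 -j ACCEPT",
        "-A INPUT -j DROP",
    ],
}


@contextmanager
def state_lock(lock_path):
    """Exclusive lock so two concurrent runs cannot both rewrite the state.
    O_CREAT|O_EXCL creation is atomic; a second run fails instead of racing."""
    fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    try:
        os.close(fd)
        yield
    finally:
        os.unlink(lock_path)


def load_state(path):
    with open(path) as fh:
        return json.load(fh)


def save_state(path, state):
    # Write to a temp file and rename so a crash mid-write cannot leave a
    # truncated state file (losing the state file loses every rule).
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def unmanaged_rules(saved, live):
    """Rules present on the host that no playbook defined, per table."""
    out = {}
    for table, weighted in saved.items():
        managed_set = {rule for _, rule in weighted}
        out[table] = [r for r in live.get(table, []) if r not in managed_set]
    return out


def reconcile(saved, live, keep_unmanaged=True):
    """Return {table: ordered rule list} that recreating the state produces.

    Managed rules come back in weight order regardless of tampering. Foreign
    rules are appended after them only when keep_unmanaged is true (placement
    after the managed rules is this example's assumption); otherwise they go
    with the rest of the flushed table.
    """
    foreign = unmanaged_rules(saved, live)
    result = {}
    for table, weighted in saved.items():
        managed = [rule for _, rule in sorted(weighted, key=lambda wr: wr[0])]
        result[table] = managed + (foreign[table] if keep_unmanaged else [])
    return result


def run_once(state_dir, live, keep_unmanaged=True):
    """One module invocation: lock, load state, compute rules, persist state."""
    state_path = os.path.join(state_dir, "state.json")
    with state_lock(os.path.join(state_dir, "lock")):
        saved = load_state(state_path)
        rules = reconcile(saved, live, keep_unmanaged)
        save_state(state_path, saved)
    return rules


def demo(keep_unmanaged=True):
    """Write the constructed state to a scratch directory and run once."""
    with tempfile.TemporaryDirectory() as d:
        save_state(os.path.join(d, "state.json"), SAVED_STATE)
        return run_once(d, LIVE_RULES, keep_unmanaged)


if __name__ == "__main__":
    for keep in (True, False):
        print(f"keep_unmanaged={keep}")
        for rule in demo(keep)["filter"]:
            print("  ", rule)
```

Two things the model makes visible: the hand-deleted SSH rule reappears on the next run because the state file, not the live table, is authoritative; and because kept foreign rules land after the managed trailing DROP in this model, a rule someone adds by hand cannot open a hole past the managed policy even with keep_unmanaged=yes. The O_EXCL lock and the write-then-rename of the state file are the two pieces that keep concurrent or interrupted runs from leaving the host with a partial or empty rule set.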
