Hi all,
I've come across a quirk when using the 'iptables_raw' module along with the
'with_together' loop.
Logically, I'm inserting three new iptables input rules (for ftp) and giving
them a name.
I would expect that with_together would assign a name to a rule in the
order that they appear in a list,
e.g. [a, b, c] + [1, 2, 3] = a1, b2, c3
# Ansible task
- name: Create iptables rules for ftp access
  iptables_raw:
    name: 'ftp_{{ item.0 }}'
    rules: "{{ item.1 }}"
  with_together:
    # Flow sequences ([ ]), not flow mappings ({ }): in YAML, braces denote a
    # mapping with null values, not an ordered list of items.
    - [ connection,
        data,
        passive ]
    - [ '-A INPUT -p tcp --dport 21 -j ACCEPT',
        '-A INPUT -p tcp --dport 20 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT' ]
# Result on target machine
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* ansible[ftp_data] */
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
dpt:21 /* ansible[ftp_connection] */
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
dpt:20 /* ansible[ftp_passive] */
The expected output is:
port 21 - connection
port 20 - data
spts:1024:65535 dpts:1024:65535 - passive
Peculiarly, it doesn't matter what order either list is in; the result is
the same.
(Another quirk of the iptables_raw module is that the -A flag inserts at
the top of the list
instead of appending to the end, different to creating a rule from the
command line,
where -I is used to insert at the top of the list and -A appends to the
end.)
Ansible version 2.2.0.0
ansible host: centos 6.8
target: centos 7.2
Since I'm working with a centos7 box I've gone back to firewalld as a
workaround.
I understand the iptables_raw module isn't widely used and there exists an
iptables module.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/1a029066-c7cd-4b73-b25c-ae6fbd0cf30a%40googlegroups.com.
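The pairing the post expects from with_together, and a check of the order that actually landed in the chain, as an added Python example that is not part of the original message and not Ansible's or the iptables_raw module's own code. It assumes the 'together' lookup pairs the i-th element of each list (zip_longest padded with None, as Ansible documents), that the tag iptables_raw leaves on each rule is the /* ansible[name] */ comment visible in the quoted listing (attached here with iptables' standard -m comment match, which is an assumption about the module's internals), and it parses a constructed copy of the post's `iptables -L` output with the wrapped lines joined.

```python
import re
from itertools import zip_longest

# Inputs as the post intended them: two plain lists, not the { } flow
# mappings of the original task (YAML parses braces as a dict).
FTP_RULE_NAMES = ["connection", "data", "passive"]
FTP_RULES = [
    "-A INPUT -p tcp --dport 21 -j ACCEPT",
    "-A INPUT -p tcp --dport 20 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack "
    "--ctstate ESTABLISHED -j ACCEPT",
]


def together(*seqs):
    """Pair the i-th element of every sequence, padding short ones with None
    (the zip_longest behaviour the Ansible 'together' lookup documents).
    Mappings are rejected: iterating a dict yields its keys in whatever order
    the interpreter keeps them, not the order the author wrote."""
    for s in seqs:
        if isinstance(s, dict):
            raise TypeError("together() expects lists, got a mapping: %r" % (list(s),))
    return list(zip_longest(*seqs, fillvalue=None))


def render_rules(names, rules, prefix="ftp_"):
    """Return (name, rule) pairs with the ansible[...] comment tag that shows
    up as /* ansible[ftp_x] */ in `iptables -L`. Using -m comment for the tag
    is an assumption about how iptables_raw attaches it."""
    out = []
    for name, rule in together(names, rules):
        if name is None or rule is None:
            raise ValueError("name and rule lists differ in length")
        tagged = '%s -m comment --comment "ansible[%s%s]"' % (rule, prefix, name)
        out.append((prefix + name, tagged))
    return out


# Constructed sample of `iptables -L INPUT -n --line-numbers` output, in the
# shape the post quotes, with each wrapped rule joined onto one line.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* ansible[ftp_data] */
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 /* ansible[ftp_connection] */
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 /* ansible[ftp_passive] */
"""

_COMMENT = re.compile(r"/\* ansible\[([^\]]+)\] \*/")
_DPT = re.compile(r"\bdpts?:(\d+)")  # first port of dpt:21 or dpts:1024:65535


def listing_order(listing):
    """Return [(rule_number, ansible_name, first_dport)] in chain order, so the
    name that landed on each port can be compared with what was intended."""
    found = []
    for line in listing.splitlines():
        m = _COMMENT.search(line)
        if not m:
            continue
        num = int(line.split()[0])
        d = _DPT.search(line)
        found.append((num, m.group(1), int(d.group(1)) if d else None))
    return found


def mismatches(expected, listing):
    """Compare an intended name -> dport mapping against a listing and return
    the names whose rule sits on a different port (empty means it matches)."""
    actual = {name: port for _, name, port in listing_order(listing)}
    return [n for n, p in expected.items() if actual.get(n) != p]


if __name__ == "__main__":
    for name, rule in render_rules(FTP_RULE_NAMES, FTP_RULES):
        print(name, "->", rule)
    intended = {"ftp_connection": 21, "ftp_data": 20, "ftp_passive": 1024}
    print("misplaced rules:", mismatches(intended, SAMPLE_LISTING))
```

Run against the post's listing, mismatches() reports ftp_data and ftp_passive as sitting on the wrong ports, which is the quirk described; the same check can be run after any rule-tagging task to confirm that names and ports line up before the policy is relied on.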