Seems like a bug to me. Technically, the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.
The ansible iptables module is doing:

    /sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED

So, there is no argument passed to the conntrack match. Ideally, it should have been:

    /sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstate ESTABLISHED,RELATED

For now it seems that you can get around this problem by removing/commenting 'match: conntrack' and then the module will produce:

    /sbin/iptables -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

On Wed, Feb 15, 2017 at 1:24 AM, Juan Pablo Genovese <[email protected]> wrote:
> Hello everybody!
>
> I'm having problems with the iptables module trying to execute this task:
>
> - iptables:
>     chain: INPUT
>     match: conntrack
>     ctstate: ESTABLISHED,RELATED
>     jump: ACCEPT
>
> This leads to this error:
>
> TASK [iptables]
> ****************************************************************
> fatal: [default]: FAILED! => {"changed": false, "cmd": "/sbin/iptables -t
> filter -A INPUT -m conntrack -j ACCEPT -m state --state
> ESTABLISHED,RELATED", "failed": true, "msg": "iptables v1.4.21: conntrack:
> At least one option is required\nTry `iptables -h' or 'iptables --help' for
> more information.", "rc": 2, "stderr": "iptables v1.4.21: conntrack: At
> least one option is required\nTry `iptables -h' or 'iptables --help' for
> more information.\n", "stdout": "", "stdout_lines": []}
>
> Did anyone hit this issue and have a solution? If not I can submit a bug
> report.
>
> Thank you!
--
Nehal J Wani
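A pre-flight check for the failure discussed in this thread, added here as an example (it is not part of either message and is not the Ansible module's code): it flags an iptables command line that loads a match with `-m` but never gives that match one of its own options. The function name and the prefix table are assumptions for illustration, and only the `conntrack` and `state` matches are covered.

```python
import shlex

# Matches that iptables refuses to load without at least one of their options,
# mapped to the prefix those options share. Assumption: only the two matches
# from this thread are listed (conntrack: --ctstate, --ctproto, --ctstatus, ...).
REQUIRED_OPTION_PREFIX = {
    "conntrack": "--ct",
    "state": "--state",
}

# The three command lines quoted in the thread.
GENERATED = ("/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT "
             "-m state --state ESTABLISHED,RELATED")
INTENDED = ("/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT "
            "--ctstate ESTABLISHED,RELATED")
WORKAROUND = ("/sbin/iptables -t filter -A INPUT -j ACCEPT "
              "-m state --state ESTABLISHED,RELATED")


def matches_missing_options(command):
    """Return the matches loaded via -m/--match that never receive an option.

    A match's options may appear anywhere after the -m that loads it
    (e.g. after -j), so everything following the match name is searched.
    """
    tokens = shlex.split(command)
    missing = []
    for i, tok in enumerate(tokens[:-1]):
        if tok not in ("-m", "--match"):
            continue
        name = tokens[i + 1]
        prefix = REQUIRED_OPTION_PREFIX.get(name)
        if prefix and not any(t.startswith(prefix) for t in tokens[i + 2:]):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, cmd in (("generated", GENERATED),
                       ("intended", INTENDED),
                       ("workaround", WORKAROUND)):
        bad = matches_missing_options(cmd)
        print(f"{label}: {'missing options for ' + ', '.join(bad) if bad else 'ok'}")
```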
