Right! Ok, so I just filed an issue in the Ansible repo: https://github.com/ansible/ansible/issues/21467
Thanks for the feedback, Nehal!

On Wednesday, February 15, 2017 at 10:02:55 AM UTC-3, Nehal J Wani wrote:
> Seems like a bug to me.
>
> Technically, the conntrack match supersedes - and so obsoletes - the state match. But practically the state match is not obsoleted in any way.
>
> The ansible iptables module is doing:
>
> /sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED
>
> So, there is no argument passed to the conntrack match. Ideally, it should have been:
>
> /sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT --ctstate ESTABLISHED,RELATED
>
> For now it seems that you can get around this problem by removing/commenting 'match: conntrack' and then the module will produce:
>
> /sbin/iptables -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
>
> On Wed, Feb 15, 2017 at 1:24 AM, Juan Pablo Genovese <[email protected]> wrote:
> > Hello everybody!
> >
> > I'm having problems with the iptables module trying to execute this task:
> >
> > - iptables:
> >     chain: INPUT
> >     match: conntrack
> >     ctstate: ESTABLISHED,RELATED
> >     jump: ACCEPT
> >
> > This leads to this error:
> >
> > TASK [iptables] ****************************************************************
> > fatal: [default]: FAILED! => {"changed": false, "cmd": "/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT -m state --state ESTABLISHED,RELATED", "failed": true, "msg": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.", "rc": 2, "stderr": "iptables v1.4.21: conntrack: At least one option is required\nTry `iptables -h' or 'iptables --help' for more information.\n", "stdout": "", "stdout_lines": []}
> >
> > Did anyone hit this issue and have a solution? If not I can submit a bug report.
> >
> > Thank you!
> --
> Nehal J Wani
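
As an added example (not part of the thread and not Ansible's own code), this Python check flags a match extension that is loaded with `-m` but given none of its own options, and runs it over the three command lines quoted above. The function name and the option table are this example's own; the option names are those documented in iptables-extensions(8).

```python
import shlex

# Options owned by each match extension, per iptables-extensions(8).
# Only the two matches discussed in this thread are covered (assumption:
# any other match is simply not checked).
MATCH_OPTIONS = {
    "conntrack": {
        "--ctstate", "--ctproto", "--ctorigsrc", "--ctorigdst",
        "--ctreplsrc", "--ctrepldst", "--ctorigsrcport", "--ctorigdstport",
        "--ctreplsrcport", "--ctrepldstport", "--ctstatus", "--ctexpire",
        "--ctdir",
    },
    "state": {"--state"},
}


def matches_without_options(command):
    """Return matches loaded via -m/--match that received none of their options."""
    argv = shlex.split(command)
    # Collect every match name that follows -m or --match.
    loaded = [argv[i + 1] for i, arg in enumerate(argv[:-1])
              if arg in ("-m", "--match")]
    # Every long option present anywhere in the rule specification.
    present = {arg for arg in argv if arg.startswith("--")}
    return [m for m in loaded
            if m in MATCH_OPTIONS and not (MATCH_OPTIONS[m] & present)]


# The three command lines quoted in the thread.
GENERATED = ("/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT "
             "-m state --state ESTABLISHED,RELATED")
EXPECTED = ("/sbin/iptables -t filter -A INPUT -m conntrack -j ACCEPT "
            "--ctstate ESTABLISHED,RELATED")
WORKAROUND = ("/sbin/iptables -t filter -A INPUT -j ACCEPT "
              "-m state --state ESTABLISHED,RELATED")

if __name__ == "__main__":
    for label, cmd in (("generated", GENERATED),
                       ("expected", EXPECTED),
                       ("workaround", WORKAROUND)):
        bad = matches_without_options(cmd)
        print(f"{label}: {'missing options for ' + ', '.join(bad) if bad else 'ok'}")
```

Running the same check on the `cmd` field of a failed task result shows which match was left without an argument before the rule is retried.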
