I have the following tasks in a block, which I've modified to use the new 
'loop' structure:

- name: process ipv6 rules if they exist
  block:
    - name: create all ipv6 firewall log statements from 'firewall' variable
      iptables:
        ip_version: ipv6
        comment: "{{ item.0.comment|default(omit) }}"
        destination: "{{ item.0.destination|default(omit) }}"
        destination_port: "{{ item.0.destination_port|default(omit) }}"
        source: "{{ item.1 }}"
        source_port: "{{ item.0.source_port|default(omit) }}"
        protocol: "{{ item.0.protocol|default(omit) }}"
        jump: "LOG"
        chain: "{{ item.0.chain|default('INPUT') }}"
        ctstate: "{{ item.0.state|default('NEW') }}"
        in_interface: "{{ item.0.in_interface|default(omit) }}"
        out_interface: "{{ item.0.out_interface|default(omit) }}"
        limit: "3/minute"
        limit_burst: 10
        # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
        state: present
      when: item.0.log is defined and item.0.log == 'yes'
      loop: "{{ firewall6.rules|subelements('source') }}"
      notify:
        - save ip6tables

    - name: apply ipv6 rules using 'firewall' variable defined in inventory vars
      iptables:
        ip_version: ipv6
        comment: "{{ item.0.comment|default(omit) }}"
        destination: "{{ item.0.destination|default(omit) }}"
        destination_port: "{{ item.0.destination_port|default(omit) }}"
        source: "{{ item.1 }}"
        source_port: "{{ item.0.source_port|default(omit) }}"
        protocol: "{{ item.0.protocol|default(omit) }}"
        jump: "{{ item.0.rule|default('ACCEPT') }}"
        chain: "{{ item.0.chain|default('INPUT') }}"
        ctstate: "{{ item.0.state|default(omit) }}"
        in_interface: "{{ item.0.in_interface|default(omit) }}"
        out_interface: "{{ item.0.out_interface|default(omit) }}"
        state: present
      loop: "{{ firewall6.rules|subelements('source') }}"
      notify:
        - save ip6tables

  when: firewall6 is defined and firewall6.rules is defined

When I run this I get the following error:

TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
fatal: [172.20.0.88]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
fatal: [172.20.0.77]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}
fatal: [172.20.0.55]: FAILED! => {"msg": "obj must be a list of dicts or a nested dict"}


I changed the first task to use 'with_subelements' as follows:

    - name: create all ipv6 firewall log statements from 'firewall' variable
      iptables:
        ip_version: ipv6
        comment: "{{ item.0.comment|default(omit) }}"
        destination: "{{ item.0.destination|default(omit) }}"
        destination_port: "{{ item.0.destination_port|default(omit) }}"
        source: "{{ item.1 }}"
        source_port: "{{ item.0.source_port|default(omit) }}"
        protocol: "{{ item.0.protocol|default(omit) }}"
        jump: "LOG"
        chain: "{{ item.0.chain|default('INPUT') }}"
        ctstate: "{{ item.0.state|default('NEW') }}"
        in_interface: "{{ item.0.in_interface|default(omit) }}"
        out_interface: "{{ item.0.out_interface|default(omit) }}"
        limit: "3/minute"
        limit_burst: 10
        # log_prefix: "[ FIREWALL ] " # ( will be added in ansible 2.5 )
        state: present
      when: item.0.log is defined and item.0.log == 'yes'
      with_subelements: 
        - "{{ firewall6.rules }}"
        - source
      notify:
        - save ip6tables

When I re-run the playbook it now skips the task, as intended:

TASK [firewall : create all ipv6 firewall log statements from 'firewall' variable] *************************************
skipping: [172.20.0.88]
skipping: [172.20.0.77]
skipping: [172.20.0.55]

Can anyone tell me why this is happening?

Thanks,
Guy

